Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report swift copy.exe

Overview

General Information

Sample Name:swift copy.exe
Analysis ID:399719
MD5:513beb90d191b7d4fadedd6c7119bfce
SHA1:bfa4a87bc4c5f7ee6e3d38c1e1f733c665b8941e
SHA256:c4bb3e5a6f33dca9143ede298d37b20c1dd8ab6be22f2544987f53d468e0e815
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • swift copy.exe (PID: 4424 cmdline: 'C:\Users\user\Desktop\swift copy.exe' MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
    • schtasks.exe (PID: 68 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • swift copy.exe (PID: 5472 cmdline: {path} MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
      • schtasks.exe (PID: 3440 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE011.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2416 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE300.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • swift copy.exe (PID: 3840 cmdline: 'C:\Users\user\Desktop\swift copy.exe' 0 MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
  • dhcpmon.exe (PID: 3088 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
    • schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC97.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6844 cmdline: {path} MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
    • dhcpmon.exe (PID: 6864 cmdline: {path} MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
  • dhcpmon.exe (PID: 5032 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
    • schtasks.exe (PID: 7088 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpE934.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7144 cmdline: {path} MD5: 513BEB90D191B7D4FADEDD6C7119BFCE)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "eec4bb3f-f027-41de-b5f1-dc05041f", "Group": "Default", "Domain1": "celebrity.hopto.org", "Domain2": "127.0.0.1", "Port": 54888, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x16e3:$x1: NanoCore.ClientPluginHost
    • 0x171c:$x2: IClientNetworkHost
    00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x16e3:$x2: NanoCore.ClientPluginHost
    • 0x1800:$s4: PipeCreated
    • 0x16fd:$s5: IClientLoggingHost
    Click to see the 63 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    32.2.dhcpmon.exe.3a46662.7.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x2dbb:$x1: NanoCore.ClientPluginHost
    • 0x2de5:$x2: IClientNetworkHost
    32.2.dhcpmon.exe.3a46662.7.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x2dbb:$x2: NanoCore.ClientPluginHost
    • 0x4c6b:$s4: PipeCreated
    4.2.swift copy.exe.6cd0000.15.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x2205:$x1: NanoCore.ClientPluginHost
    • 0x223e:$x2: IClientNetworkHost
    4.2.swift copy.exe.6cd0000.15.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x2205:$x2: NanoCore.ClientPluginHost
    • 0x2320:$s4: PipeCreated
    • 0x221f:$s5: IClientLoggingHost
    4.2.swift copy.exe.5c30000.11.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x6da5:$x1: NanoCore.ClientPluginHost
    • 0x6dd2:$x2: IClientNetworkHost
    Click to see the 143 entries

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: NanoCoreShow sources
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\swift copy.exe, ProcessId: 5472, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Sigma detected: Scheduled temp file as task from temp locationShow sources
    Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\swift copy.exe' , ParentImage: C:\Users\user\Desktop\swift copy.exe, ParentProcessId: 4424, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp', ProcessId: 68

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "eec4bb3f-f027-41de-b5f1-dc05041f", "Group": "Default", "Domain1": "celebrity.hopto.org", "Domain2": "127.0.0.1", "Port": 54888, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Multi AV Scanner detection for dropped fileShow sources
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 13%
    Source: C:\Users\user\AppData\Roaming\ucCIRTrm.exeReversingLabs: Detection: 13%
    Multi AV Scanner detection for submitted fileShow sources
    Source: swift copy.exeReversingLabs: Detection: 13%
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORY
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPE
    Machine Learning detection for dropped fileShow sources
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
    Source: C:\Users\user\AppData\Roaming\ucCIRTrm.exeJoe Sandbox ML: detected
    Machine Learning detection for sampleShow sources
    Source: swift copy.exeJoe Sandbox ML: detected
    Source: 32.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 4.2.swift copy.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 29.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: swift copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: swift copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: mscorlib.pdb source: swift copy.exe, 00000004.00000003.251340601.000000000155B000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: celebrity.hopto.org
    Source: Malware configuration extractorURLs: 127.0.0.1
    Source: global trafficTCP traffic: 192.168.2.3:49725 -> 79.134.225.48:54888
    Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
    Source: unknownDNS traffic detected: queries for: celebrity.hopto.org
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
    Source: swift copy.exe, 00000001.00000002.243393317.0000000003154000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.318421778.0000000002E11000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: swift copy.exe, 00000001.00000003.206878582.0000000008468000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: swift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
    Source: swift copy.exe, 00000001.00000003.207090197.000000000845A000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.
    Source: swift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com6ZSK
    Source: swift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comkfZ
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: swift copy.exe, 00000001.00000003.210474475.000000000848D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers-
    Source: swift copy.exe, 00000001.00000003.208519442.000000000848D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
    Source: dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: swift copy.exe, 00000001.00000003.208812516.0000000008468000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlRMUKl
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: swift copy.exe, 00000001.00000003.209079522.000000000848D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersA
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: swift copy.exe, 00000001.00000003.208519442.000000000848D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersL
    Source: swift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comP
    Source: swift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
    Source: swift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: swift copy.exe, 00000001.00000003.206600530.0000000008467000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: swift copy.exe, 00000001.00000003.206308547.0000000008463000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnION$
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnX
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnj
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn~
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: swift copy.exe, 00000001.00000003.205712617.000000000846B000.00000004.00000001.sdmp, swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: swift copy.exe, 00000001.00000003.204518445.0000000008474000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comno
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
    Source: swift copy.exe, 00000001.00000003.206675743.0000000008455000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comi75K
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
    Source: swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnkfZ
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud:

    barindex
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORY
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPE

    Operating System Destruction:

    barindex
    Protects its processes via BreakOnTermination flagShow sources
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: 01 00 00 00 Jump to behavior

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.482338202.0000000005B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.483111554.0000000006CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.483198841.0000000006D00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.482362753.0000000005B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.483085818.0000000006CC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000002.482502454.0000000005C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000002.483135029.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.3a46662.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.6cd0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.5c30000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.294b9ec.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.32918cc.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.43b2894.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.294b9ec.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.294b9ec.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.6d00000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.3a52894.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.5b40000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.6ce0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.29132a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.29132a0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.6cd0000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.6d00000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.328c9d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.328c9d8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.5c30000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.5ca0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.291f56c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.291f56c.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.329db14.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.329db14.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.6cc0000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.3a22894.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.5b50000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.293f720.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.293a6e4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.293a6e4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.6cc0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.5b50000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 29.2.dhcpmon.exe.3a16662.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.29132a0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.43a6662.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.291f56c.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.329db14.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.293f720.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.293f720.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.32918cc.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.32918cc.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 29.2.dhcpmon.exe.290e264.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 29.2.dhcpmon.exe.290e264.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016821821_2_01682182
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016830781_2_01683078
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016804721_2_01680472
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016817781_2_01681778
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01680FE81_2_01680FE8
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016850A11_2_016850A1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016850B01_2_016850B0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016852E11_2_016852E1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016852F01_2_016852F0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016855A01_2_016855A0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016855911_2_01685591
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016897C01_2_016897C0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_016897B01_2_016897B0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01684A201_2_01684A20
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01684A101_2_01684A10
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01684D311_2_01684D31
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01689DE01_2_01689DE0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01689D981_2_01689D98
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01680F401_2_01680F40
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01680F1B1_2_01680F1B
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01682FC11_2_01682FC1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01683E881_2_01683E88
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_01683E981_2_01683E98
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569B1781_2_0569B178
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569B1DD1_2_0569B1DD
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569B2311_2_0569B231
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569B1681_2_0569B168
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569530A1_2_0569530A
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_056953181_2_05695318
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569C2081_2_0569C208
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569B20F1_2_0569B20F
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569295C1_2_0569295C
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 4_2_0313E4714_2_0313E471
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 4_2_0313E4804_2_0313E480
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 4_2_0313BBD44_2_0313BBD4
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B219011_2_014B2190
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B307811_2_014B3078
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B048011_2_014B0480
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B178811_2_014B1788
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B0FE811_2_014B0FE8
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B218211_2_014B2182
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B50A111_2_014B50A1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B50B011_2_014B50B0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B52E111_2_014B52E1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B52F011_2_014B52F0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B559111_2_014B5591
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B55A011_2_014B55A0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B047211_2_014B0472
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B177811_2_014B1778
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B97C011_2_014B97C0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B97B011_2_014B97B0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B4A1011_2_014B4A10
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B4A2011_2_014B4A20
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B4D4011_2_014B4D40
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B4D3111_2_014B4D31
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B9DE011_2_014B9DE0
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B9D9811_2_014B9D98
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B0F4011_2_014B0F40
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B0F1B11_2_014B0F1B
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B2FC111_2_014B2FC1
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B3E8811_2_014B3E88
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_014B3E9811_2_014B3E98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108218212_2_01082182
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108307812_2_01083078
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108047212_2_01080472
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108177812_2_01081778
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01080FE812_2_01080FE8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108302912_2_01083029
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010850A112_2_010850A1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010850B012_2_010850B0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010852E112_2_010852E1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010852F012_2_010852F0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0108559112_2_01085591
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010855A012_2_010855A0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010897B012_2_010897B0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_010897C012_2_010897C0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01084A1012_2_01084A10
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01084A2012_2_01084A20
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01084D3112_2_01084D31
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01089D9812_2_01089D98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01089DE012_2_01089DE0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01080F1B12_2_01080F1B
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01080F4012_2_01080F40
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01083E8812_2_01083E88
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_01083E9812_2_01083E98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C34A6812_2_02C34A68
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3044812_2_02C30448
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C30AF812_2_02C30AF8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3304012_2_02C33040
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D95312_2_02C3D953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D95812_2_02C3D958
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6F8A812_2_02C6F8A8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C67E9112_2_02C67E91
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C69C8012_2_02C69C80
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C67DF112_2_02C67DF1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6854012_2_02C68540
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6957412_2_02C69574
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6E3A012_2_02C6E3A0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C67EFA12_2_02C67EFA
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6F7EF12_2_02C6F7EF
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6D76812_2_02C6D768
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6F77912_2_02C6F779
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6EC8312_2_02C6EC83
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6346112_2_02C63461
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6347012_2_02C63470
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C6853012_2_02C68530
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0542044814_2_05420448
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05424A6814_2_05424A68
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0542043814_2_05420438
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0542D94814_2_0542D948
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0542D95814_2_0542D958
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054585E014_2_054585E0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05459C8014_2_05459C80
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05457F3114_2_05457F31
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05457E9014_2_05457E90
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545F8A814_2_0545F8A8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054585D014_2_054585D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545346214_2_05453462
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545347014_2_05453470
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545EC8114_2_0545EC81
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545D76814_2_0545D768
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05457F9A14_2_05457F9A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545F83114_2_0545F831
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0545E3A014_2_0545E3A0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A644814_2_054A6448
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A017814_2_054A0178
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A190214_2_054A1902
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A513414_2_054A5134
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A91D814_2_054A91D8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A504814_2_054A5048
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AA82814_2_054AA828
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A68A814_2_054A68A8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A0B3814_2_054A0B38
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054ACAC914_2_054ACAC9
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AAAB814_2_054AAAB8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AAD5014_2_054AAD50
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A556814_2_054A5568
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AA57214_2_054AA572
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A6DDA14_2_054A6DDA
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A6DE814_2_054A6DE8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A559814_2_054A5598
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3C4814_2_054A3C48
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A945914_2_054A9459
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A946814_2_054A9468
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3C3814_2_054A3C38
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A643814_2_054A6438
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AACE214_2_054AACE2
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A5C9314_2_054A5C93
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A9F0114_2_054A9F01
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A9F1014_2_054A9F10
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A6E8A14_2_054A6E8A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A368814_2_054A3688
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3E9814_2_054A3E98
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3EA814_2_054A3EA8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A016814_2_054A0168
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A91C814_2_054A91C8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A51AB14_2_054A51AB
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A804714_2_054A8047
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A805814_2_054A8058
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A407014_2_054A4070
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A280114_2_054A2801
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A281014_2_054A2810
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A503A14_2_054A503A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A40C014_2_054A40C0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A40B014_2_054A40B0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A70B614_2_054A70B6
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A0B2914_2_054A0B29
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A53C614_2_054A53C6
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A5BE814_2_054A5BE8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054ACBE414_2_054ACBE4
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A33A014_2_054A33A0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A5BA114_2_054A5BA1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3A4014_2_054A3A40
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054A3A3014_2_054A3A30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AAAA814_2_054AAAA8
    Source: swift copy.exe, 00000001.00000002.243178998.0000000001700000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs swift copy.exe
    Source: swift copy.exe, 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs swift copy.exe
    Source: swift copy.exe, 00000001.00000000.202440573.0000000000D3C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewDGoauV.exeH vs swift copy.exe
    Source: swift copy.exe, 00000001.00000002.254089702.0000000006340000.00000002.00000001.sdmpBinary or memory string: originalfilename vs swift copy.exe
    Source: swift copy.exe, 00000001.00000002.254089702.0000000006340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs swift copy.exe
    Source: swift copy.exe, 00000001.00000002.253267709.0000000006240000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs swift copy.exe
    Source: swift copy.exe, 00000004.00000000.241345707.0000000000EBC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewDGoauV.exeH vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.482804706.0000000006830000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs swift copy.exe
    Source: swift copy.exe, 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs swift copy.exe
    Source: swift copy.exe, 0000000B.00000002.317938129.0000000003117000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs swift copy.exe
    Source: swift copy.exe, 0000000B.00000000.253215853.0000000000DAC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewDGoauV.exeH vs swift copy.exe
    Source: swift copy.exe, 0000000B.00000002.317698213.00000000030C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs swift copy.exe
    Source: swift copy.exeBinary or memory string: OriginalFilenamewDGoauV.exeH vs swift copy.exe
    Source: swift copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.482338202.0000000005B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.482338202.0000000005B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.483111554.0000000006CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.483111554.0000000006CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.483198841.0000000006D00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.483198841.0000000006D00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.482362753.0000000005B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.482362753.0000000005B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.483085818.0000000006CC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.483085818.0000000006CC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000002.482502454.0000000005C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.482502454.0000000005C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000002.483135029.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000002.483135029.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.3a46662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.3a46662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.6cd0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6cd0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.5c30000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5c30000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.294b9ec.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.294b9ec.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.32918cc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.32918cc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.43b2894.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.43b2894.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.294b9ec.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.294b9ec.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.294b9ec.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.6d00000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6d00000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.3a52894.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.3a52894.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.5b40000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5b40000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.6ce0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6ce0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.29132a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.29132a0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.29132a0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.6cd0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6cd0000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.6d00000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6d00000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.328c9d8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.328c9d8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.5c30000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5c30000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.5ca0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5ca0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.291f56c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.291f56c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.291f56c.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.329db14.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.329db14.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6cc0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6cc0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.3a22894.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5b50000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5b50000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.293f720.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.293f720.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.293a6e4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.293a6e4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.293a6e4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.6cc0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.6cc0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 29.2.dhcpmon.exe.3a22894.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.5b50000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.5b50000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 29.2.dhcpmon.exe.3a16662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.3a16662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.29132a0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.29132a0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.43a6662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.43a6662.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.291f56c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.291f56c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 4.2.swift copy.exe.329db14.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.329db14.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.293f720.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.293f720.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 32.2.dhcpmon.exe.293f720.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.32918cc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.32918cc.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 29.2.dhcpmon.exe.290e264.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 29.2.dhcpmon.exe.290e264.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 29.2.dhcpmon.exe.290e264.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: swift copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: ucCIRTrm.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: dhcpmon.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal100.troj.evad.winEXE@27/12@6/3
    Source: C:\Users\user\Desktop\swift copy.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeFile created: C:\Users\user\AppData\Roaming\ucCIRTrm.exeJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\NeoLCJVwxiifrJByWFfuONgQP
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
    Source: C:\Users\user\Desktop\swift copy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{eec4bb3f-f027-41de-b5f1-dc05041f6e18}
    Source: C:\Users\user\Desktop\swift copy.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4B10.tmpJump to behavior
    Source: swift copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\swift copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\swift copy.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: swift copy.exeReversingLabs: Detection: 13%
    Source: C:\Users\user\Desktop\swift copy.exeFile read: C:\Users\user\Desktop\swift copy.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\swift copy.exe 'C:\Users\user\Desktop\swift copy.exe'
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Users\user\Desktop\swift copy.exe {path}
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE011.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE300.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\swift copy.exe 'C:\Users\user\Desktop\swift copy.exe' 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC97.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpE934.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Users\user\Desktop\swift copy.exe {path}Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE011.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE300.tmp'Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC97.tmp'Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpE934.tmp'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\swift copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\swift copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: swift copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: swift copy.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: swift copy.exeStatic file information: File size 1477632 > 1048576
    Source: swift copy.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x168200
    Source: swift copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: mscorlib.pdb source: swift copy.exe, 00000004.00000003.251340601.000000000155B000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp
    Source: swift copy.exeStatic PE information: 0xCAF16634 [Mon Nov 22 14:46:12 2077 UTC]
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_00BD6B01 push esi; retf 1_2_00BD6B17
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569BC31 push ecx; ret 1_2_0569BC45
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 1_2_0569CBBF push E807AA4Ch; ret 1_2_0569CBCD
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 4_2_00D56B01 push esi; retf 4_2_00D56B17
    Source: C:\Users\user\Desktop\swift copy.exeCode function: 11_2_00C46B01 push esi; retf 11_2_00C46B17
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_00816B01 push esi; retf 12_2_00816B17
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C37874 push eax; retn 0002h12_2_02C3CED2
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C37250 push cs; retn 0002h12_2_02C37252
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C37271 push cs; retn 0002h12_2_02C37272
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3EB78 pushad ; retn 0002h12_2_02C3EB7A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D319 push esp; retn 0002h12_2_02C3D31A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C37318 push cs; retn 0002h12_2_02C3731A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3A888 push esp; retn 0002h12_2_02C3A889
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C328A9 push dword ptr [esp+edx-75h]; iretd 12_2_02C3283E
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C371F9 push cs; retn 0002h12_2_02C371FA
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D170 push ecx; retn 0002h12_2_02C3D172
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C386D7 push ds; retn 0002h12_2_02C386DA
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C366F0 push es; retn 0002h12_2_02C366F2
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D4A0 push ebp; retn 0002h12_2_02C3D4A2
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D460 push ebp; retn 0002h12_2_02C3D462
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D409 push ebp; retn 0002h12_2_02C3D40A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C3D517 push esi; retn 0002h12_2_02C3D51A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02C68C70 push eax; mov dword ptr [esp], ecx12_2_02C68C81
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00F96B01 push esi; retf 14_2_00F96B17
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05458D10 push eax; mov dword ptr [esp], ecx14_2_05458D21
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_05458D81 push eax; mov dword ptr [esp], ecx14_2_05458D21
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_054AFC7D push FFFFFF8Bh; iretd 14_2_054AFC7F
    Source: initial sampleStatic PE information: section name: .text entropy: 7.68349490064
    Source: initial sampleStatic PE information: section name: .text entropy: 7.68349490064
    Source: initial sampleStatic PE information: section name: .text entropy: 7.68349490064
    Source: C:\Users\user\Desktop\swift copy.exeFile created: C:\Users\user\AppData\Roaming\ucCIRTrm.exeJump to dropped file
    Source: C:\Users\user\Desktop\swift copy.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

    Boot Survival:

    barindex
    Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp'

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
    Source: C:\Users\user\Desktop\swift copy.exeFile opened: C:\Users\user\Desktop\swift copy.exe:Zone.Identifier read attributes | deleteJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Yara detected AntiVM3Show sources
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 3088, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 3840, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5032, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
    Source: swift copy.exe, 00000001.00000002.243393317.0000000003154000.00000004.00000001.sdmp, swift copy.exe, 0000000B.00000002.317873734.000000000310E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.318421778.0000000002E11000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: swift copy.exe, 00000001.00000002.243393317.0000000003154000.00000004.00000001.sdmp, swift copy.exe, 0000000B.00000002.317873734.000000000310E000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.318421778.0000000002E11000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\swift copy.exeWindow / User API: threadDelayed 7909Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeWindow / User API: threadDelayed 955Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeWindow / User API: foregroundWindowGot 584Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeWindow / User API: foregroundWindowGot 709Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exe TID: 4168Thread sleep time: -31500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exe TID: 5032Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exe TID: 5916Thread sleep time: -9223372036854770s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exe TID: 5248Thread sleep time: -31500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exe TID: 1112Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5656Thread sleep time: -31500s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1056Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6148Thread sleep time: -31500s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6156Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 31500Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 31500Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 31500Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 31500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: vmware
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: VMWARE
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
    Source: dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: swift copy.exe, 00000004.00000002.475443088.00000000015A9000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\swift copy.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\swift copy.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Injects a PE file into a foreign processesShow sources
    Source: C:\Users\user\Desktop\swift copy.exeMemory written: C:\Users\user\Desktop\swift copy.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Users\user\Desktop\swift copy.exe {path}Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE011.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE300.tmp'Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC97.tmp'Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpE934.tmp'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: swift copy.exe, 00000004.00000002.478751163.0000000003407000.00000004.00000001.sdmpBinary or memory string: Program Manager
    Source: swift copy.exe, 00000004.00000002.475931713.0000000001C70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: swift copy.exe, 00000004.00000002.475931713.0000000001C70000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: swift copy.exe, 00000004.00000002.478751163.0000000003407000.00000004.00000001.sdmpBinary or memory string: Program Manager0
    Source: swift copy.exe, 00000004.00000002.478751163.0000000003407000.00000004.00000001.sdmpBinary or memory string: Program ManagerD2
    Source: swift copy.exe, 00000004.00000002.475782016.00000000017DE000.00000004.00000001.sdmpBinary or memory string: Program Managerp
    Source: swift copy.exe, 00000004.00000002.475931713.0000000001C70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: swift copy.exe, 00000004.00000002.482987749.0000000006BAC000.00000004.00000001.sdmpBinary or memory string: Program Manager
    Source: swift copy.exe, 00000004.00000002.478440657.0000000003345000.00000004.00000001.sdmpBinary or memory string: Program ManagerHa
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Users\user\Desktop\swift copy.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Users\user\Desktop\swift copy.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Users\user\Desktop\swift copy.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\swift copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\swift copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information:

    barindex
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORY
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    barindex
    Detected Nanocore RatShow sources
    Source: swift copy.exe, 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: swift copy.exe, 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: dhcpmon.exe, 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: dhcpmon.exe, 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: dhcpmon.exe, 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7144, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 4424, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: swift copy.exe PID: 5472, type: MEMORY
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.4a6f510.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.46af9b0.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.4d231b0.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a52894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a16662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a46662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.47231b0.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a11836.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a1836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.42aa3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 29.2.dhcpmon.exe.3a22894.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43a6662.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 32.2.dhcpmon.exe.3a41836.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.swift copy.exe.49aeef0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 4.2.swift copy.exe.43b2894.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.dhcpmon.exe.40af9b0.3.raw.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScheduled Task/Job1Scheduled Task/Job1Process Injection112Masquerading2Input Capture11Security Software Discovery211Remote ServicesInput Capture11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Information Discovery12VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 399719 Sample: swift copy.exe Startdate: 29/04/2021 Architecture: WINDOWS Score: 100 62 celebrity.hopto.org 2->62 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 11 other signatures 2->76 9 swift copy.exe 6 2->9         started        13 dhcpmon.exe 5 2->13         started        15 dhcpmon.exe 2->15         started        17 swift copy.exe 2 2->17         started        signatures3 process4 file5 56 C:\Users\user\AppData\Roaming\ucCIRTrm.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\...\tmp4B10.tmp, XML 9->58 dropped 60 C:\Users\user\AppData\...\swift copy.exe.log, ASCII 9->60 dropped 82 Injects a PE file into a foreign processes 9->82 19 swift copy.exe 1 12 9->19         started        24 schtasks.exe 1 9->24         started        26 schtasks.exe 13->26         started        28 dhcpmon.exe 13->28         started        30 dhcpmon.exe 13->30         started        32 schtasks.exe 15->32         started        34 dhcpmon.exe 15->34         started        signatures6 process7 dnsIp8 64 celebrity.hopto.org 79.134.225.48, 54888 FINK-TELECOM-SERVICESCH Switzerland 19->64 66 127.0.0.1 unknown unknown 19->66 68 192.168.2.1 unknown unknown 19->68 50 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->50 dropped 52 C:\Users\user\AppData\Roaming\...\run.dat, data 19->52 dropped 54 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->54 dropped 78 Protects its processes via BreakOnTermination flag 19->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->80 36 schtasks.exe 1 19->36         started        38 schtasks.exe 1 19->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 32->44         started        file9 signatures10 process11 process12 46 conhost.exe 36->46         started        48 conhost.exe 38->48         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    swift copy.exe14%ReversingLabs
    swift copy.exe100%Joe Sandbox ML

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
    C:\Users\user\AppData\Roaming\ucCIRTrm.exe100%Joe Sandbox ML
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe14%ReversingLabs
    C:\Users\user\AppData\Roaming\ucCIRTrm.exe14%ReversingLabs

    Unpacked PE Files

    SourceDetectionScannerLabelLinkDownload
    32.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    4.2.swift copy.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    29.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://www.zhongyicts.com.cnkfZ0%Avira URL Cloudsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cnION$0%Avira URL Cloudsafe
    http://www.founder.com.cn/cnX0%Avira URL Cloudsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.comi75K0%Avira URL Cloudsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.carterandcone.com0%URL Reputationsafe
    http://www.carterandcone.com0%URL Reputationsafe
    http://www.carterandcone.com0%URL Reputationsafe
    http://www.carterandcone.com.0%URL Reputationsafe
    http://www.carterandcone.com.0%URL Reputationsafe
    http://www.carterandcone.com.0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://www.fontbureau.comgrita0%URL Reputationsafe
    http://www.fontbureau.comgrita0%URL Reputationsafe
    http://www.fontbureau.comgrita0%URL Reputationsafe
    http://www.founder.com.cn/cnj0%Avira URL Cloudsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.sakkal.com0%URL Reputationsafe
    http://www.sakkal.com0%URL Reputationsafe
    http://www.sakkal.com0%URL Reputationsafe
    127.0.0.10%Avira URL Cloudsafe
    http://www.fontbureau.comP0%Avira URL Cloudsafe
    http://www.founder.com.cn/cn~0%Avira URL Cloudsafe
    http://www.carterandcone.com6ZSK0%Avira URL Cloudsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.founder.com.cn/cn/0%URL Reputationsafe
    http://www.founder.com.cn/cn/0%URL Reputationsafe
    http://www.founder.com.cn/cn/0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.fontbureau.comm0%URL Reputationsafe
    http://www.fontbureau.comm0%URL Reputationsafe
    http://www.fontbureau.comm0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    celebrity.hopto.org0%Avira URL Cloudsafe
    http://www.carterandcone.comkfZ0%Avira URL Cloudsafe
    http://www.sajatypeworks.comno0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    celebrity.hopto.org
    		79.134.225.48
    		truetrue
      		unknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      127.0.0.1true
      • Avira URL Cloud: safe
      		unknown
      celebrity.hopto.orgtrue
      • Avira URL Cloud: safe
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://www.fontbureau.com/designersGswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
        		high
        http://www.zhongyicts.com.cnkfZswift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://www.fontbureau.com/designers/?dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
          		high
          http://www.fontbureau.com/designersLswift copy.exe, 00000001.00000003.208519442.000000000848D000.00000004.00000001.sdmpfalse
            		high
            http://www.founder.com.cn/cn/bTheswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cnION$swift copy.exe, 00000001.00000003.206308547.0000000008463000.00000004.00000001.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.fontbureau.com/designersAswift copy.exe, 00000001.00000003.209079522.000000000848D000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designers?swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                		high
                http://www.founder.com.cn/cnXswift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.tiro.comdhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designersdhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  		high
                  http://www.tiro.comi75Kswift copy.exe, 00000001.00000003.206675743.0000000008455000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.goodfont.co.krswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.carterandcone.comswift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.carterandcone.com.swift copy.exe, 00000001.00000003.207090197.000000000845A000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.sajatypeworks.comswift copy.exe, 00000001.00000003.205712617.000000000846B000.00000004.00000001.sdmp, swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.typography.netDswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.founder.com.cn/cn/cTheswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.galapagosdesign.com/staff/dennis.htmswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://fontfabrik.comswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.comgritaswift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.founder.com.cn/cnjswift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.galapagosdesign.com/DPleaseswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fonts.comswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                    		high
                    http://www.sandoll.co.krswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.urwpp.deDPleaseswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.zhongyicts.com.cnswift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameswift copy.exe, 00000001.00000002.243393317.0000000003154000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.318421778.0000000002E11000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.334904434.0000000003456000.00000004.00000001.sdmpfalse
                      		high
                      http://www.sakkal.comswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0swift copy.exe, 00000001.00000003.206878582.0000000008468000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.comswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.comPswift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.founder.com.cn/cn~swift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.carterandcone.com6ZSKswift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlRMUKlswift copy.exe, 00000001.00000003.208812516.0000000008468000.00000004.00000001.sdmpfalse
                            		high
                            http://www.carterandcone.comlswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/swift copy.exe, 00000001.00000003.206600530.0000000008467000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cnswift copy.exe, 00000001.00000003.207039708.000000000845A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers-swift copy.exe, 00000001.00000003.210474475.000000000848D000.00000004.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.com/designers/frere-jones.htmlswift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.fontbureau.commswift copy.exe, 00000001.00000003.242307559.0000000008455000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers8swift copy.exe, 00000001.00000002.256441921.0000000008540000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.330404272.00000000081B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.349134094.0000000008880000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.carterandcone.comkfZswift copy.exe, 00000001.00000003.207147493.000000000845D000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.sajatypeworks.comnoswift copy.exe, 00000001.00000003.204518445.0000000008474000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/swift copy.exe, 00000001.00000003.208519442.000000000848D000.00000004.00000001.sdmpfalse
                                      		high

                                      Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public

                                      IPDomainCountryFlagASNASN NameMalicious
                                      79.134.225.48
                                      		celebrity.hopto.orgSwitzerland
                                      		6775FINK-TELECOM-SERVICESCHtrue

                                      Private

                                      IP
                                      192.168.2.1
                                      127.0.0.1

                                      General Information

                                      Joe Sandbox Version:32.0.0 Black Diamond
                                      Analysis ID:399719
                                      Start date:29.04.2021
                                      Start time:04:18:54
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 14m 35s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:swift copy.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:40
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@27/12@6/3
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 1.3% (good quality ratio 0.9%)
                                      • Quality average: 40.5%
                                      • Quality standard deviation: 35%
                                      HCA Information:
                                      • Successful, ratio: 98%
                                      • Number of executed functions: 281
                                      • Number of non-executed functions: 19
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      Show All
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 23.218.208.56, 20.82.209.183, 92.122.213.194, 92.122.213.247, 20.54.26.129
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      04:19:53API Interceptor880x Sleep call for process: swift copy.exe modified
                                      04:20:04Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\swift copy.exe" s>$(Arg0)
                                      04:20:05Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                      04:20:06AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                      04:20:23API Interceptor2x Sleep call for process: dhcpmon.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      79.134.225.48swift copy.exeGet hashmaliciousBrowse
                                        angelx.exeGet hashmaliciousBrowse
                                          Quotation.exeGet hashmaliciousBrowse
                                            Quotation (2).exeGet hashmaliciousBrowse

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              celebrity.hopto.orgswift copy.exeGet hashmaliciousBrowse
                                              • 79.134.225.48

                                              ASN

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              FINK-TELECOM-SERVICESCHswift copy.exeGet hashmaliciousBrowse
                                              • 79.134.225.48
                                              jk55xlWn7a.exeGet hashmaliciousBrowse
                                              • 79.134.225.26
                                              Qds5xiJaAX.exeGet hashmaliciousBrowse
                                              • 79.134.225.26
                                              INVOICE.xlsxGet hashmaliciousBrowse
                                              • 79.134.225.26
                                              UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.docGet hashmaliciousBrowse
                                              • 79.134.225.91
                                              Payment-Confirmation_Copy.exeGet hashmaliciousBrowse
                                              • 79.134.225.108
                                              owrCPP2YTC.exeGet hashmaliciousBrowse
                                              • 79.134.225.26
                                              Payment Advice-BCS_ECS9522020090915390034_3159_952.jarGet hashmaliciousBrowse
                                              • 79.134.225.59
                                              nciv84yXK1.exeGet hashmaliciousBrowse
                                              • 79.134.225.7
                                              Rechnung.exeGet hashmaliciousBrowse
                                              • 79.134.225.39
                                              ENrYP02wGO.exeGet hashmaliciousBrowse
                                              • 79.134.225.91
                                              863354765-2021 Presentation Details.vbsGet hashmaliciousBrowse
                                              • 79.134.225.53
                                              UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.docGet hashmaliciousBrowse
                                              • 79.134.225.91
                                              619DBBJxtN.exeGet hashmaliciousBrowse
                                              • 79.134.225.82
                                              UFvnU6nahx.exeGet hashmaliciousBrowse
                                              • 79.134.225.39
                                              d2qQhdFJJ7.exeGet hashmaliciousBrowse
                                              • 79.134.225.14
                                              Scanpdf04232021.exeGet hashmaliciousBrowse
                                              • 79.134.225.70
                                              ORDER210087-21 Quote request 703155872 - 1-2-3-4 .exeGet hashmaliciousBrowse
                                              • 79.134.225.10
                                              PO6431.exeGet hashmaliciousBrowse
                                              • 79.134.225.79
                                              lNJIKPhg1l.exeGet hashmaliciousBrowse
                                              • 79.134.225.50

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1477632
                                              Entropy (8bit):7.681601891297801
                                              Encrypted:false
                                              SSDEEP:24576:kOnxoLAyV3ETeoCclxvD/Mltnu/bBfQXVmu+3ZtZcQW3Yg3sPSuerYW:kwC3f0/v7X/VIXMu+JLcQWPF
                                              MD5:513BEB90D191B7D4FADEDD6C7119BFCE
                                              SHA1:BFA4A87BC4C5F7EE6E3D38C1E1F733C665B8941E
                                              SHA-256:C4BB3E5A6F33DCA9143EDE298D37B20C1DD8AB6BE22F2544987F53D468E0E815
                                              SHA-512:9B8D510A3617874F79360C6EA57FB5B1E316153C59FD61EE3B69B5D15FDDFF5E908036F0A166A974A0FE5FFD5FC0D728E28E93F046793C3DD3BF46C0FC45E753
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 14%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4f................0.............n.... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H.......P^...B......J...X...............................................t..5......-.!.%.9...tV.K]....|..C).u .(..s...sLf._s.m......a.M.Q....&....+...-\.L.#...l.Z..R..h%.+$.J.N..R...r...0#.},.I.l<..G.....Y..t......@.w.p8...Jo..^N@..../......8f..W~..+11...[.>.B....d..7..;.$...9..L.._b...^.............B.......c...k.n.J........D.....g..t....,5..|Wz..-.i2.=h....:..h5...F@u..s.G3..I..;.0yP......9..s.+........l.%?......K...K...-R..^......_9...E..3.g.C~..^...
                                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview: [ZoneTransfer]....ZoneId=0
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                              Malicious:false
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\swift copy.exe.log
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                              Malicious:true
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Temp\tmp4B10.tmp
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1641
                                              Entropy (8bit):5.183819824017428
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKtn:cbh47TlNQ//rydbz9I3YODOLNdq32
                                              MD5:41CB40F5B457333BBE070EFBF327E658
                                              SHA1:0AE6CE2870FB27EB60E12EB674323E26C6AA1BC4
                                              SHA-256:2DDF0E5B2CD717459D0EC54324AB655BA5357DAABF56BCDD52C3947463A67269
                                              SHA-512:76CD08D4AC56DAA0213C7A4610CAF18EC15BB349057A2873265E6A5FEDF522E3A5B988D5F23251100CBC701E6FDF6055513ABE6196D463B81A83E3EE346357F3
                                              Malicious:true
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                              C:\Users\user\AppData\Local\Temp\tmpBC97.tmp
                                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1641
                                              Entropy (8bit):5.183819824017428
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKtn:cbh47TlNQ//rydbz9I3YODOLNdq32
                                              MD5:41CB40F5B457333BBE070EFBF327E658
                                              SHA1:0AE6CE2870FB27EB60E12EB674323E26C6AA1BC4
                                              SHA-256:2DDF0E5B2CD717459D0EC54324AB655BA5357DAABF56BCDD52C3947463A67269
                                              SHA-512:76CD08D4AC56DAA0213C7A4610CAF18EC15BB349057A2873265E6A5FEDF522E3A5B988D5F23251100CBC701E6FDF6055513ABE6196D463B81A83E3EE346357F3
                                              Malicious:false
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                              C:\Users\user\AppData\Local\Temp\tmpE011.tmp
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1300
                                              Entropy (8bit):5.096992428343118
                                              Encrypted:false
                                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0cxtn:cbk4oL600QydbQxIYODOLedq3Xj
                                              MD5:597B99D0A1BE4EB97692AFD8CB6374C2
                                              SHA1:F9599E4F5A15194D89CC331AA5A12B69EA6A2704
                                              SHA-256:D67FFFDD0EF70974E41C4B8ADE2854D32BB08D26304B2B7FBC583E9E4BD8964E
                                              SHA-512:6D2D98FD33C42F718353CD805F9B65CF90C9E1F256A7AC1C2CAD21591984791967AC7A7264C6946BE0EF7EFBAEEBEDE2C6B806522F8B427EB368ABB17A14B2B3
                                              Malicious:false
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                              C:\Users\user\AppData\Local\Temp\tmpE300.tmp
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1310
                                              Entropy (8bit):5.109425792877704
                                              Encrypted:false
                                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                              Malicious:false
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                              C:\Users\user\AppData\Local\Temp\tmpE934.tmp
                                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1641
                                              Entropy (8bit):5.183819824017428
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBKtn:cbh47TlNQ//rydbz9I3YODOLNdq32
                                              MD5:41CB40F5B457333BBE070EFBF327E658
                                              SHA1:0AE6CE2870FB27EB60E12EB674323E26C6AA1BC4
                                              SHA-256:2DDF0E5B2CD717459D0EC54324AB655BA5357DAABF56BCDD52C3947463A67269
                                              SHA-512:76CD08D4AC56DAA0213C7A4610CAF18EC15BB349057A2873265E6A5FEDF522E3A5B988D5F23251100CBC701E6FDF6055513ABE6196D463B81A83E3EE346357F3
                                              Malicious:false
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8
                                              Entropy (8bit):3.0
                                              Encrypted:false
                                              SSDEEP:3:Pf:Pf
                                              MD5:D75A4EC8FFC1D6DF87F80ADEB7C4ECED
                                              SHA1:48F8738854A82D68551321A66837AE200A6C57A7
                                              SHA-256:0B4EE49FA09E01C517C3D9DB19C6C3780065B9C7A7CAC2B642DCFC5905E06D44
                                              SHA-512:94E6B1B8991166F5AE013B55B694BCDF770C5F976D7B256264E4F51EA066A1131FC8D9EF5E1ED480F33E4B15310321410F56D376278EDBC7D3CB69A95A211F7C
                                              Malicious:true
                                              Preview: .y.....H
                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):37
                                              Entropy (8bit):4.344588500764087
                                              Encrypted:false
                                              SSDEEP:3:oNWXp5vWSCjKAC:oNWXpFWW
                                              MD5:18DA5CC2C6EA5D88F9CC710080E05CEA
                                              SHA1:39C196B3150D100337ACAEAE369C8677F6472596
                                              SHA-256:3CA3A48715FBBF24AF9C188B534AEA9D37E9B3CD8EA345466A540B00F97FA57C
                                              SHA-512:E6D5BDC69C84F797E0CEC60D669112FCB66C70C713DE9B0474BF4B3C5955FB3F1BC66D2DC6F817D32847712A051AB4737492D34002232158F760B129F8C93938
                                              Malicious:false
                                              Preview: C:\Users\user\Desktop\swift copy.exe
                                              C:\Users\user\AppData\Roaming\ucCIRTrm.exe
                                              Process:C:\Users\user\Desktop\swift copy.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1477632
                                              Entropy (8bit):7.681601891297801
                                              Encrypted:false
                                              SSDEEP:24576:kOnxoLAyV3ETeoCclxvD/Mltnu/bBfQXVmu+3ZtZcQW3Yg3sPSuerYW:kwC3f0/v7X/VIXMu+JLcQWPF
                                              MD5:513BEB90D191B7D4FADEDD6C7119BFCE
                                              SHA1:BFA4A87BC4C5F7EE6E3D38C1E1F733C665B8941E
                                              SHA-256:C4BB3E5A6F33DCA9143EDE298D37B20C1DD8AB6BE22F2544987F53D468E0E815
                                              SHA-512:9B8D510A3617874F79360C6EA57FB5B1E316153C59FD61EE3B69B5D15FDDFF5E908036F0A166A974A0FE5FFD5FC0D728E28E93F046793C3DD3BF46C0FC45E753
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 14%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4f................0.............n.... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H.......P^...B......J...X...............................................t..5......-.!.%.9...tV.K]....|..C).u .(..s...sLf._s.m......a.M.Q....&....+...-\.L.#...l.Z..R..h%.+$.J.N..R...r...0#.},.I.l<..G.....Y..t......@.w.p8...Jo..^N@..../......8f..W~..+11...[.>.B....d..7..;.$...9..L.._b...^.............B.......c...k.n.J........D.....g..t....,5..|Wz..-.i2.=h....:..h5...F@u..s.G3..I..;.0yP......9..s.+........l.%?......K...K...-R..^......_9...E..3.g.C~..^...

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.681601891297801
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:swift copy.exe
                                              File size:1477632
                                              MD5:513beb90d191b7d4fadedd6c7119bfce
                                              SHA1:bfa4a87bc4c5f7ee6e3d38c1e1f733c665b8941e
                                              SHA256:c4bb3e5a6f33dca9143ede298d37b20c1dd8ab6be22f2544987f53d468e0e815
                                              SHA512:9b8d510a3617874f79360c6ea57fb5b1e316153c59fd61ee3b69b5d15fddff5e908036f0a166a974a0fe5ffd5fc0d728e28e93f046793c3dd3bf46c0fc45e753
                                              SSDEEP:24576:kOnxoLAyV3ETeoCclxvD/Mltnu/bBfQXVmu+3ZtZcQW3Yg3sPSuerYW:kwC3f0/v7X/VIXMu+JLcQWPF
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4f................0.............n.... ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x56a16e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0xCAF16634 [Mon Nov 22 14:46:12 2077 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x16a1140x57.text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x16c0000x5c8.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x16e0000xc.reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000x1681740x168200False0.810279091461data7.68349490064IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc0x16c0000x5c80x600False0.429036458333data4.16238202361IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc0x16e0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountry
                                              RT_VERSION0x16c0a00x33cdata
                                              RT_MANIFEST0x16c3dc0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                              Imports

                                              DLLImport
                                              mscoree.dll_CorExeMain

                                              Version Infos

                                              DescriptionData
                                              Translation0x0000 0x04b0
                                              LegalCopyrightCopyright 2018
                                              Assembly Version1.0.0.0
                                              InternalNamewDGoauV.exe
                                              FileVersion1.0.0.0
                                              CompanyName
                                              LegalTrademarks
                                              Comments
                                              ProductNameWindows_Forms_Books
                                              ProductVersion1.0.0.0
                                              FileDescriptionWindows_Forms_Books
                                              OriginalFilenamewDGoauV.exe

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 29, 2021 04:20:06.031765938 CEST4972554888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:09.071465015 CEST4972554888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:15.072161913 CEST4972554888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:25.483567953 CEST4973254888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:28.494906902 CEST4973254888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:34.495537043 CEST4973254888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:45.072323084 CEST4973454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:48.184130907 CEST4973454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:20:54.293971062 CEST4973454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:18.785717964 CEST4974454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:21.796509027 CEST4974454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:27.812397003 CEST4974454888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:37.089597940 CEST4974754888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:40.094609022 CEST4974754888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:46.095320940 CEST4974754888192.168.2.379.134.225.48
                                              Apr 29, 2021 04:21:53.709871054 CEST4974854888192.168.2.379.134.225.48

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 29, 2021 04:19:34.251679897 CEST5598453192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:34.302738905 CEST53559848.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:35.165747881 CEST6418553192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:35.217494011 CEST53641858.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:36.071795940 CEST6511053192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:36.122164011 CEST53651108.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:38.427627087 CEST5836153192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:38.478419065 CEST53583618.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:39.363835096 CEST6349253192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:39.414411068 CEST53634928.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:40.596472979 CEST6083153192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:40.663996935 CEST53608318.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:41.562232018 CEST6010053192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:41.614371061 CEST53601008.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:42.619868994 CEST5319553192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:42.685059071 CEST53531958.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:43.467185020 CEST5014153192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:43.519484043 CEST53501418.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:44.360810995 CEST5302353192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:44.425637960 CEST53530238.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:45.412375927 CEST4956353192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:45.464550972 CEST53495638.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:46.601967096 CEST5135253192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:46.655267954 CEST53513528.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:47.559497118 CEST5934953192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:47.608361959 CEST53593498.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:48.473102093 CEST5708453192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:48.521946907 CEST53570848.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:49.465954065 CEST5882353192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:49.530626059 CEST53588238.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:50.633666992 CEST5756853192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:50.682759047 CEST53575688.8.8.8192.168.2.3
                                              Apr 29, 2021 04:19:51.503921986 CEST5054053192.168.2.38.8.8.8
                                              Apr 29, 2021 04:19:51.553980112 CEST53505408.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:05.846302986 CEST5436653192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:05.911592960 CEST53543668.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:11.708481073 CEST5303453192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:11.814652920 CEST53530348.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:13.188158989 CEST5776253192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:13.240537882 CEST53577628.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:25.325944901 CEST5543553192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:25.395673037 CEST53554358.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:41.421696901 CEST5071353192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:41.490556002 CEST53507138.8.8.8192.168.2.3
                                              Apr 29, 2021 04:20:45.003597975 CEST5613253192.168.2.38.8.8.8
                                              Apr 29, 2021 04:20:45.070620060 CEST53561328.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:02.293047905 CEST5898753192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:02.358944893 CEST53589878.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:06.284914970 CEST5657953192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:06.362168074 CEST53565798.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:18.714555979 CEST6063353192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:18.784266949 CEST53606338.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:31.917578936 CEST6129253192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:31.970463991 CEST53612928.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:33.367108107 CEST6361953192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:33.434808969 CEST53636198.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:37.034415007 CEST6493853192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:37.087502956 CEST53649388.8.8.8192.168.2.3
                                              Apr 29, 2021 04:21:53.643585920 CEST6194653192.168.2.38.8.8.8
                                              Apr 29, 2021 04:21:53.709286928 CEST53619468.8.8.8192.168.2.3

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                              Apr 29, 2021 04:20:05.846302986 CEST192.168.2.38.8.8.80x3731Standard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)
                                              Apr 29, 2021 04:20:25.325944901 CEST192.168.2.38.8.8.80x5c8dStandard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)
                                              Apr 29, 2021 04:20:45.003597975 CEST192.168.2.38.8.8.80xcbcfStandard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:18.714555979 CEST192.168.2.38.8.8.80x8c68Standard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:37.034415007 CEST192.168.2.38.8.8.80xa75dStandard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:53.643585920 CEST192.168.2.38.8.8.80xdcc3Standard query (0)celebrity.hopto.orgA (IP address)IN (0x0001)

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                              Apr 29, 2021 04:20:05.911592960 CEST8.8.8.8192.168.2.30x3731No error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)
                                              Apr 29, 2021 04:20:25.395673037 CEST8.8.8.8192.168.2.30x5c8dNo error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)
                                              Apr 29, 2021 04:20:45.070620060 CEST8.8.8.8192.168.2.30xcbcfNo error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:18.784266949 CEST8.8.8.8192.168.2.30x8c68No error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:37.087502956 CEST8.8.8.8192.168.2.30xa75dNo error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)
                                              Apr 29, 2021 04:21:53.709286928 CEST8.8.8.8192.168.2.30xdcc3No error (0)celebrity.hopto.org79.134.225.48A (IP address)IN (0x0001)

                                              Code Manipulations

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              Analysis Process: swift copy.exe PID: 4424 Parent PID: 5736

                                              General

                                              Start time:04:19:41
                                              Start date:29/04/2021
                                              Path:C:\Users\user\Desktop\swift copy.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\swift copy.exe'
                                              Imagebase:0xbd0000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.246247391.0000000004111000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.249898670.0000000004919000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: schtasks.exe PID: 68 Parent PID: 4424

                                              General

                                              Start time:04:19:58
                                              Start date:29/04/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B10.tmp'
                                              Imagebase:0x1160000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 1056 Parent PID: 68

                                              General

                                              Start time:04:19:58
                                              Start date:29/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: swift copy.exe PID: 5472 Parent PID: 4424

                                              General

                                              Start time:04:19:59
                                              Start date:29/04/2021
                                              Path:C:\Users\user\Desktop\swift copy.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x7ff6741d0000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.482587211.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.482338202.0000000005B40000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.482338202.0000000005B40000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.483111554.0000000006CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.483111554.0000000006CD0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.477582577.0000000003261000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.480362921.000000000439E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.483198841.0000000006D00000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.483198841.0000000006D00000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.470491145.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.482362753.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.482362753.0000000005B50000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.483085818.0000000006CC0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.483085818.0000000006CC0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.482502454.0000000005C30000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.482502454.0000000005C30000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.483135029.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.483135029.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: schtasks.exe PID: 3440 Parent PID: 5472

                                              General

                                              Start time:04:20:01
                                              Start date:29/04/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE011.tmp'
                                              Imagebase:0x1160000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 4744 Parent PID: 3440

                                              General

                                              Start time:04:20:02
                                              Start date:29/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: schtasks.exe PID: 2416 Parent PID: 5472

                                              General

                                              Start time:04:20:02
                                              Start date:29/04/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE300.tmp'
                                              Imagebase:0x1160000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 1968 Parent PID: 2416

                                              General

                                              Start time:04:20:02
                                              Start date:29/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: swift copy.exe PID: 3840 Parent PID: 528

                                              General

                                              Start time:04:20:04
                                              Start date:29/04/2021
                                              Path:C:\Users\user\Desktop\swift copy.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\swift copy.exe' 0
                                              Imagebase:0xc40000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: dhcpmon.exe PID: 3088 Parent PID: 528

                                              General

                                              Start time:04:20:05
                                              Start date:29/04/2021
                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                              Imagebase:0x810000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.320469568.0000000003E11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.324426254.0000000004619000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 14%, ReversingLabs
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: dhcpmon.exe PID: 5032 Parent PID: 3388

                                              General

                                              Start time:04:20:14
                                              Start date:29/04/2021
                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                              Imagebase:0xf90000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341991938.0000000004C19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.338588185.0000000004411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: schtasks.exe PID: 6772 Parent PID: 3088

                                              General

                                              Start time:04:20:27
                                              Start date:29/04/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC97.tmp'
                                              Imagebase:0x970000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 6784 Parent PID: 6772

                                              General

                                              Start time:04:20:27
                                              Start date:29/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: dhcpmon.exe PID: 6844 Parent PID: 3088

                                              General

                                              Start time:04:20:28
                                              Start date:29/04/2021
                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Wow64 process (32bit):false
                                              Commandline:{path}
                                              Imagebase:0x3d0000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: dhcpmon.exe PID: 6864 Parent PID: 3088

                                              General

                                              Start time:04:20:29
                                              Start date:29/04/2021
                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x4a0000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.335972089.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.340068924.00000000028D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.340592652.00000000038D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: schtasks.exe PID: 7088 Parent PID: 5032

                                              General

                                              Start time:04:20:39
                                              Start date:29/04/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ucCIRTrm' /XML 'C:\Users\user\AppData\Local\Temp\tmpE934.tmp'
                                              Imagebase:0x970000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 7096 Parent PID: 7088

                                              General

                                              Start time:04:20:39
                                              Start date:29/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: dhcpmon.exe PID: 7144 Parent PID: 5032

                                              General

                                              Start time:04:20:40
                                              Start date:29/04/2021
                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x570000
                                              File size:1477632 bytes
                                              MD5 hash:513BEB90D191B7D4FADEDD6C7119BFCE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.351801579.0000000002901000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.348556738.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.354540335.0000000003909000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Reputation:low

                                              Chronological Activities

                                              Disassembly

                                              Code Analysis

                                              Reset < >

                                                Analysis Process: swift copy.exe PID: 4424 Parent PID: 5736 swift copy.exeCOMMON

                                                Executed Functions

                                                Function 01680F40, Relevance: 4.0, Strings: 3, Instructions: 253COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 6>4$T)71$t_I=
                                                • API String ID: 0-636231826
                                                • Opcode ID: c48fd64beb072a171b938940c53d3f417fb1058c865a18f748935658bc42149c
                                                • Instruction ID: f2a3f191d48b17b6c043f9d8bdea25d94a81a89048d8d57bee1fb6ede13387d1
                                                • Opcode Fuzzy Hash: c48fd64beb072a171b938940c53d3f417fb1058c865a18f748935658bc42149c
                                                • Instruction Fuzzy Hash: ABB13BB5E042499FDB18CFA5D844ADEFBF2FF89310F14856AD419AB264EB319846CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01680F1B, Relevance: 4.0, Strings: 3, Instructions: 249COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 6>4$T)71$t_I=
                                                • API String ID: 0-636231826
                                                • Opcode ID: b48329ee5d40fc83b31fc1f9cce1ea7a5b0f3fa29ef878921b5d1bef8d16ef05
                                                • Instruction ID: 22c464b0ac198a4ab81990bb5cab84ed1bc2a80ea6ac6d4c494ffe93d2d7e7c9
                                                • Opcode Fuzzy Hash: b48329ee5d40fc83b31fc1f9cce1ea7a5b0f3fa29ef878921b5d1bef8d16ef05
                                                • Instruction Fuzzy Hash: 36A129B5E042098FDB18CFA5D844AEEFBF2FF89310F14852AD419AB254EB319946CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01680FE8, Relevance: 4.0, Strings: 3, Instructions: 201COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: 6>4$T)71$t_I=
                                                • API String ID: 0-636231826
                                                • Opcode ID: cc44ee73ba22b8d3db2538fa969a90ddda5cbaab7154ea2a85c92cb01b7266ae
                                                • Instruction ID: 1674db329d5ab8010a99afc0fd06531dd4ac53939fe2d18d1ec2830fa6272487
                                                • Opcode Fuzzy Hash: cc44ee73ba22b8d3db2538fa969a90ddda5cbaab7154ea2a85c92cb01b7266ae
                                                • Instruction Fuzzy Hash: 2C81F574E002098FDB08CFE9D98469EFBF2BF89300F10852AD519AB364DB359906CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01681778, Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: *bJB$Mz$Mz
                                                • API String ID: 0-518884444
                                                • Opcode ID: 781d69535763f8f42dbb24c519f3e770d21e6e6c5059b7bd040d3b36ee4e0a5d
                                                • Instruction ID: ce9a4c588d4ea1f3973df9b257778b79d660fcfb572601dc4ecb5b0786633190
                                                • Opcode Fuzzy Hash: 781d69535763f8f42dbb24c519f3e770d21e6e6c5059b7bd040d3b36ee4e0a5d
                                                • Instruction Fuzzy Hash: 71513774E05209DFCB08DFAAD8416AEFBF2FF89310F14D52AD019AB254D7348A428F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569B168, Relevance: 1.4, Strings: 1, Instructions: 152COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: J[Q\
                                                • API String ID: 0-1954142174
                                                • Opcode ID: 94ba4538a99ed8a5780914cb762a5745abb0eb6d909db64334ed52cb6209ed43
                                                • Instruction ID: 6bc91046a5be933e89f5380b5552ce074731e54eca7aaa34cfb4b6de1c69c847
                                                • Opcode Fuzzy Hash: 94ba4538a99ed8a5780914cb762a5745abb0eb6d909db64334ed52cb6209ed43
                                                • Instruction Fuzzy Hash: 39517130E142199FCB08DFA5D8445AEFBB2FF89300F15966AD415A7364EB74AA41CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569B178, Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: J[Q\
                                                • API String ID: 0-1954142174
                                                • Opcode ID: 18ef083145fd920c5624fe2816de9a8ddf4e92e6b3f95ee7088d0e74374112da
                                                • Instruction ID: 5e14a9cb210cf8cc744fd2bcfd9873a3d1c2a9ca32d4914a5f17a1f4ecac19da
                                                • Opcode Fuzzy Hash: 18ef083145fd920c5624fe2816de9a8ddf4e92e6b3f95ee7088d0e74374112da
                                                • Instruction Fuzzy Hash: 3C516130E14219DFCB08DFA5D8445ADFBB6FF89300F15956AD415A7364EB70AA42CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569B1DD, Relevance: 1.4, Strings: 1, Instructions: 136COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: J[Q\
                                                • API String ID: 0-1954142174
                                                • Opcode ID: 21633b4fe1778b5cd77eab9e737b8d44d0dfb9f76f3a0773aa0ad5911b937262
                                                • Instruction ID: 73ec2b343d527765adc2cdd6fae482ecea653aa9b5a6e10b71974bbe417ceacf
                                                • Opcode Fuzzy Hash: 21633b4fe1778b5cd77eab9e737b8d44d0dfb9f76f3a0773aa0ad5911b937262
                                                • Instruction Fuzzy Hash: 1E514130E14619DFCB04DFA5D8845ADFBB2FF89300F15966AD415A7364EB74AA42CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569B231, Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: J[Q\
                                                • API String ID: 0-1954142174
                                                • Opcode ID: 4a18d3fee08123cb6126dd85d69b1f789b7173c49420f2ebf9203db59875f68e
                                                • Instruction ID: 35aeaa7d0aa43f11232bff362c456f0da80b51799b735372ec82c00dd137532d
                                                • Opcode Fuzzy Hash: 4a18d3fee08123cb6126dd85d69b1f789b7173c49420f2ebf9203db59875f68e
                                                • Instruction Fuzzy Hash: 19515330E14619DFCB08DFA5D8845ADFBB2FF89300F159569D415A7324EB74AA41CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569B20F, Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: J[Q\
                                                • API String ID: 0-1954142174
                                                • Opcode ID: 8bfed60823b393b8c254827d90d7e42734ad2153966f9854f7fcadd70dd3ba41
                                                • Instruction ID: f8b8c7dd265a168df1d2deb20a07db47e67766b2a92277a42ee960cbd4b80a7a
                                                • Opcode Fuzzy Hash: 8bfed60823b393b8c254827d90d7e42734ad2153966f9854f7fcadd70dd3ba41
                                                • Instruction Fuzzy Hash: 88514330E1461ADFCB04DFA5D8845ADFBB2FF89300F15956AD415A7364EB74AA41CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01682FC1, Relevance: .3, Instructions: 346COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83ce2102e8374e4cfc72c728605e4c73275bf6cf1ee54d582638a2832ba44cf8
                                                • Instruction ID: 2e96a1c83e6fd1d2f0f19467fc021895cac0ca081a311d05d038c2f9fef1ba3c
                                                • Opcode Fuzzy Hash: 83ce2102e8374e4cfc72c728605e4c73275bf6cf1ee54d582638a2832ba44cf8
                                                • Instruction Fuzzy Hash: 08E16B74E0420ADFCB04DFA5C9848AEFBB2FF99300B15866AD415AB354D735EA42CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01683078, Relevance: .3, Instructions: 302COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73ebee299acb4f05aeda79ea63dff7f470c601c3844bdf67b94035fe9faccaa6
                                                • Instruction ID: 0ca0a499aa096e38defdc50da74518437e98d787950fe95bd5165d44a9306afb
                                                • Opcode Fuzzy Hash: 73ebee299acb4f05aeda79ea63dff7f470c601c3844bdf67b94035fe9faccaa6
                                                • Instruction Fuzzy Hash: 76D11774E0520ADFCB14DFA9C9809AEFBB2FF89700B249659D415AB314D734EA42CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01680472, Relevance: .1, Instructions: 78COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c2b188187f4f69b1b15b62ac1c1e0e48b645635571c75a3205c855a17720853
                                                • Instruction ID: cb8f111c8f20a3df4c50c98ad9295d026ee29f5ea9ceec050ed9860950a9976f
                                                • Opcode Fuzzy Hash: 1c2b188187f4f69b1b15b62ac1c1e0e48b645635571c75a3205c855a17720853
                                                • Instruction Fuzzy Hash: BE31EB71E056189FEB58DFABDC4069EBBF3AFC9300F14C5BAD908AA254DB3009568F11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01682182, Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d477930f12e41833227e47ac8110aebefb1b64eaf7e3d7a87551494635b0e162
                                                • Instruction ID: 56e7a6dd79cef07f045c65f969feb10723c28bbfc505f5f2fc3718439d232597
                                                • Opcode Fuzzy Hash: d477930f12e41833227e47ac8110aebefb1b64eaf7e3d7a87551494635b0e162
                                                • Instruction Fuzzy Hash: 57210771E006588BEB18CFAADC506DEBBB3AFC9310F14C16AD509AB258DB74195ACF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05692418, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 05692488
                                                • GetCurrentThread.KERNEL32 ref: 056924C5
                                                • GetCurrentProcess.KERNEL32 ref: 05692502
                                                • GetCurrentThreadId.KERNEL32 ref: 0569255B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 82781e82c736b0b533846cdd8f2817bf31377b29c5bf0528bfd986a3d8d680d7
                                                • Instruction ID: f1d7e3f5ffd89f6ebebbe7796047a2cbe805c2105e2eaf43408c0beaf0fdc778
                                                • Opcode Fuzzy Hash: 82781e82c736b0b533846cdd8f2817bf31377b29c5bf0528bfd986a3d8d680d7
                                                • Instruction Fuzzy Hash: 545162B49006099FDB14CFAAC988BDEBFF5EB89314F248459E419A3350DB34A984CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05692428, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 05692488
                                                • GetCurrentThread.KERNEL32 ref: 056924C5
                                                • GetCurrentProcess.KERNEL32 ref: 05692502
                                                • GetCurrentThreadId.KERNEL32 ref: 0569255B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 7ab26c8511f8c0fc065c398f59546ee574c1557c3df1fb2d1d46a7f982eddf4f
                                                • Instruction ID: fe567e86ac08461bd43ca45639cab962f50f7a549301f7cf9c7284b2f9baaf00
                                                • Opcode Fuzzy Hash: 7ab26c8511f8c0fc065c398f59546ee574c1557c3df1fb2d1d46a7f982eddf4f
                                                • Instruction Fuzzy Hash: 0A5162B49002089FDB14CFAAC988B9EBFF5EB89314F208459E419A3350DB34A984CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05690138, Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0569037E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: d669685c08eaea7a4912df58e432caf458f4b55a02c915b2d6b4bcb4e2ebb0ef
                                                • Instruction ID: eb222923fbf9b0d18d868bc295bb96950d82cbcce5c043786a7d7f1383a795fc
                                                • Opcode Fuzzy Hash: d669685c08eaea7a4912df58e432caf458f4b55a02c915b2d6b4bcb4e2ebb0ef
                                                • Instruction Fuzzy Hash: 42714670A00B058FDB68DF6AD44476ABBF6FF88214F008A2DD44ADBB50DB74E845CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05696A8C, Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05696BAA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 90562a9af8591d7b65208445205b27d8ce5ca3aa35562f4ef00b775b4c842ceb
                                                • Instruction ID: 5799b4d9f09b1cdc1a4e1a066fe9d8d3ddf15f8e727e359880ece6ba00b3ac06
                                                • Opcode Fuzzy Hash: 90562a9af8591d7b65208445205b27d8ce5ca3aa35562f4ef00b775b4c842ceb
                                                • Instruction Fuzzy Hash: 8E51D0B1D003099FDF14DFAAD984ADEBBB5FF88314F24812AE419AB210D7749985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05696A98, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05696BAA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 6ae2a187ceaf69a193f0abe88665287ad1ca5d9200f34ac3aaf0c105c9ebc29e
                                                • Instruction ID: d7a971e1b5b0fc73584de298348bd82f23586daca25dee0a7e35a3f6d72272e0
                                                • Opcode Fuzzy Hash: 6ae2a187ceaf69a193f0abe88665287ad1ca5d9200f34ac3aaf0c105c9ebc29e
                                                • Instruction Fuzzy Hash: 4D41BEB1D003099FDF14CF9AD984ADEBBB5FF88314F24812AE819AB214E7759945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05694884, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                Download Yara Rule
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05699111
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 04c60287d37f2f0f4b88a8cc00fe7c9aa4c423b35245ed09d5ab74e6bfcdf8ce
                                                • Instruction ID: b1241dbde730475e22dcfee4f7e8f0bf1910ffd343f8264cf93d27f7d4d8ddca
                                                • Opcode Fuzzy Hash: 04c60287d37f2f0f4b88a8cc00fe7c9aa4c423b35245ed09d5ab74e6bfcdf8ce
                                                • Instruction Fuzzy Hash: 9B410BB4A00309DFCB14DF99C888AAABBF9FB89314F25845DE519A7711D774A841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0168A9B8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 0168BEA9
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 5a6e4455dde0e915c59149ed5524ff88dd388d955f7f11ecd7b636da279a2fb1
                                                • Instruction ID: 2b70634036a609a3643bdb4e0a4c0fefe7ce66c44e8871fb4ee767d0ee5de04d
                                                • Opcode Fuzzy Hash: 5a6e4455dde0e915c59149ed5524ff88dd388d955f7f11ecd7b636da279a2fb1
                                                • Instruction Fuzzy Hash: 1341E371C0461CCFDB24DFA9C884B9EBBB5FF89308F20815AD509AB251DB755945CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05692A52, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05692ADF
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: e0d359248a53a77e7eb1f3b3fac5d018798675178751f8c2eadfab42501100a8
                                                • Instruction ID: 7c4f071bc8380a54ab1f7230bbdad9d649e77b5e6b991968ef6834a79f484278
                                                • Opcode Fuzzy Hash: e0d359248a53a77e7eb1f3b3fac5d018798675178751f8c2eadfab42501100a8
                                                • Instruction Fuzzy Hash: 2821F5B5900208AFDB10CFA9D984ADEBBF8FB48324F14841AE915A3310D778A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05692A58, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05692ADF
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: d648d4488a0fd2f357c7bcf1b6d45c7765549b0326958f99395c0e2b98869769
                                                • Instruction ID: 8f5e1cf278e4b3305c3631839ae2492e75737fc015a427fa4630570170277bf2
                                                • Opcode Fuzzy Hash: d648d4488a0fd2f357c7bcf1b6d45c7765549b0326958f99395c0e2b98869769
                                                • Instruction Fuzzy Hash: F621D5B5900219AFDB10CFA9D984ADEBBF9FB48324F14841AE915A3310D778A944DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05690598, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0569060A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 860360c357bda9c1db43f73378426773ac5a636fc26e957ec94cd057cc735651
                                                • Instruction ID: 7b4319fc522cb82f54c12601d87c444216d093bfbd2b373bbe9581b2eca81eb4
                                                • Opcode Fuzzy Hash: 860360c357bda9c1db43f73378426773ac5a636fc26e957ec94cd057cc735651
                                                • Instruction Fuzzy Hash: D51114B69042089FDB14DF9AD844ADEFBF8EB89324F14841AE415A7700C374A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 056905A0, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0569060A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: fe1b274510a1f4be776229e0acb8acce87a352b1291631de245d55c4dfff1317
                                                • Instruction ID: 5940b2843cbd4d288f8e23c37b2f754b19264f4249198d312b1e008f1459158d
                                                • Opcode Fuzzy Hash: fe1b274510a1f4be776229e0acb8acce87a352b1291631de245d55c4dfff1317
                                                • Instruction Fuzzy Hash: A61126B69042088FCB14CF9AD844ADEFBF8EB88324F10841AE415A7700C374A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05690318, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0569037E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 7e915dd6c01b056d6b623fa016ce4f91b986c453aee2fdf06021c153a70fc9dc
                                                • Instruction ID: 0295cc9d1e82bd08f91d7c4e01c5264af0329bd55709838e1376a9eca66d01c1
                                                • Opcode Fuzzy Hash: 7e915dd6c01b056d6b623fa016ce4f91b986c453aee2fdf06021c153a70fc9dc
                                                • Instruction Fuzzy Hash: 571113B5C002098FCB10CF9AC444BDEFBF8EF88224F11845AD429A7700C378A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015ED3D8, Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243048144.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8f65e642c6bc56dbdefbccd990f5d69bb0dfe2305f09278755c753895a12458
                                                • Instruction ID: c0f1f43fed6481f4aeaf0b100c44dffb8c93e40370713af1b205e4db1c8e0022
                                                • Opcode Fuzzy Hash: f8f65e642c6bc56dbdefbccd990f5d69bb0dfe2305f09278755c753895a12458
                                                • Instruction Fuzzy Hash: 432136B1904204DFDB09DF44C9C4B6ABBF5FB98324F248568E9054F206C37AE846CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015FD01C, Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243067560.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee607b663bee9b0fc2c8cc835530c82ab1314fcf7b6b2b9bdf2bde887ab0ac3d
                                                • Instruction ID: 8ce347b0c168606ac5e087b9115c0979b3f6cc4d233fa5edf26beb60fa5fae82
                                                • Opcode Fuzzy Hash: ee607b663bee9b0fc2c8cc835530c82ab1314fcf7b6b2b9bdf2bde887ab0ac3d
                                                • Instruction Fuzzy Hash: E92122B1604200DFDB15DF54D8C0B2ABBB9FB88358F24C96DEA094F246D73AD806CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015FD1D4, Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243067560.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb3803508ef278270c943399d45e6d97bc7e65044fc3d37cbe6bd2869c0fae1e
                                                • Instruction ID: d4bfd4415e5a418df4d49ad21f63deebd9b57eda00cb5eabcb101e5bf0a3a5bb
                                                • Opcode Fuzzy Hash: eb3803508ef278270c943399d45e6d97bc7e65044fc3d37cbe6bd2869c0fae1e
                                                • Instruction Fuzzy Hash: F321D7B5504240DFDB05DF94D9C0B2ABBB5FB84328F24C96DEA094F246C73AD846CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015FD006, Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243067560.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2cb805ff9d0cb24811a20cf764d720bc22dd5ba9759b80fa2a8c154db7caf18a
                                                • Instruction ID: c586e8a23d49ce560cb3614939c75a488724d6c24e83c8b4575ce14a7fda6f9b
                                                • Opcode Fuzzy Hash: 2cb805ff9d0cb24811a20cf764d720bc22dd5ba9759b80fa2a8c154db7caf18a
                                                • Instruction Fuzzy Hash: 23218E755093808FCB03CF24D990B15BF71FB46214F28C5EAD9498F667C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015ED3D3, Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243048144.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                                • Instruction ID: d29907311e85073eb530891d08401ad196cb96a90f06de4fd46b1c969126cbe9
                                                • Opcode Fuzzy Hash: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                                • Instruction Fuzzy Hash: F511A276804280DFDB16CF54D5C4B5ABFB1FB94324F2486A9D8050B616C37AE456CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 015FD1CF, Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243067560.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
                                                • Instruction ID: 72bff017ba9e83f15c730eff7da5063df918950534553fdda21ffb4ff97c7ad9
                                                • Opcode Fuzzy Hash: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
                                                • Instruction Fuzzy Hash: 13118B79904280DFDB12CF54D5C4B1ABBB1FB84224F28C6AED9494B656C33AD44ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 01683E88, Relevance: 1.4, Strings: 1, Instructions: 175COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: P4|
                                                • API String ID: 0-1786202223
                                                • Opcode ID: eebc99bd56b3d299a7f0d0cb143b7c26041352075a41f095d831843425c12e88
                                                • Instruction ID: e2ffb91d5a2e854a02a8c040ae5083cc9f02f02883e5b706fcb0e001ab393312
                                                • Opcode Fuzzy Hash: eebc99bd56b3d299a7f0d0cb143b7c26041352075a41f095d831843425c12e88
                                                • Instruction Fuzzy Hash: 0E710F34E15209DFCB08CFA9E98499EFBF1BB88310F14856AE415AB361D774AA42CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01683E98, Relevance: 1.4, Strings: 1, Instructions: 174COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: P4|
                                                • API String ID: 0-1786202223
                                                • Opcode ID: ed07c80b6298b2ebea6d4e21d2131f455b7d79f29aa00e71ffefa68d91a233e6
                                                • Instruction ID: d08fa3516c4c217bb5bbe0355f3b044df948d4cc75f8e434d741c5a7cafacd6c
                                                • Opcode Fuzzy Hash: ed07c80b6298b2ebea6d4e21d2131f455b7d79f29aa00e71ffefa68d91a233e6
                                                • Instruction Fuzzy Hash: 3B71F074E15209DFCB44CFA9E98499EFBF1FB88310F14955AE819AB321D734AA42CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016850A1, Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: %:[,
                                                • API String ID: 0-4106422314
                                                • Opcode ID: a03bafd00cbc334e75df1b009717c89015bf155f2d65a4a05385f2267df483ce
                                                • Instruction ID: b133735d86aa91b4b7f336542e2aa59cf90393c2532277d081482c0765cfdcae
                                                • Opcode Fuzzy Hash: a03bafd00cbc334e75df1b009717c89015bf155f2d65a4a05385f2267df483ce
                                                • Instruction Fuzzy Hash: 0C41FCB4E0560A9FCB04DFAAC8805AEFBF2FF89310F14D66AC415A7254D7349652CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016850B0, Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: %:[,
                                                • API String ID: 0-4106422314
                                                • Opcode ID: 9e89cedc3ff73aba39462b1dd6b2a8be2767ca25f128c24ee73e52561570b997
                                                • Instruction ID: c694e3a1987f119f993633f555186c4177df8842f90b6353a9f604826bd41c1e
                                                • Opcode Fuzzy Hash: 9e89cedc3ff73aba39462b1dd6b2a8be2767ca25f128c24ee73e52561570b997
                                                • Instruction Fuzzy Hash: D341DAB4E0420A9FCB44DFAAC9815AEFBF2FF88301F14D56AC416B7254D73496528F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01689D98, Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: gQ,
                                                • API String ID: 0-4156546085
                                                • Opcode ID: e2b69d12034de4486bebb57d1c86be42c7b1b10c91e1e5e8f4730abbbb095e1e
                                                • Instruction ID: 66d74e87cb5ce40df5959fd1c41418519ee67dff910ca490253ba5fc660bb9db
                                                • Opcode Fuzzy Hash: e2b69d12034de4486bebb57d1c86be42c7b1b10c91e1e5e8f4730abbbb095e1e
                                                • Instruction Fuzzy Hash: E321A1B2E002089FDB19CF6ACC406AEBAF3AFC5310F55C57AE408A7315EB7189418F50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01689DE0, Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: gQ,
                                                • API String ID: 0-4156546085
                                                • Opcode ID: 468bc979b45b40b723a29e07dde2b7b2b783c41dd12102b64bd48ea9759ea2df
                                                • Instruction ID: 834fe4fa2806cdd7eb8f3e4fe87d3c1458de324c732fa428053932ce6d4bdb23
                                                • Opcode Fuzzy Hash: 468bc979b45b40b723a29e07dde2b7b2b783c41dd12102b64bd48ea9759ea2df
                                                • Instruction Fuzzy Hash: 57114771E102188BEB08CFAAD9406EEFBF7EBC8210F14C13AD508A7214DB704A118B50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05695318, Relevance: .3, Instructions: 315COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2c76112fbfd9a28d307a2e85435fbd50e6ad12d2944fc554dd69278e18e4b7c
                                                • Instruction ID: 0f942d2f5db66f08047fcf90dd04a6fb1a74c407b0068f57bae10c1762110599
                                                • Opcode Fuzzy Hash: f2c76112fbfd9a28d307a2e85435fbd50e6ad12d2944fc554dd69278e18e4b7c
                                                • Instruction Fuzzy Hash: A412F7F16137468BD310EF65ED981893BA1F746B2CF984A08D2612FAD9D7BC814ACF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569295C, Relevance: .3, Instructions: 265COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40cfcf36f11800c5f07d11c50f46f50085e5e477887a30ed176433a8868ff009
                                                • Instruction ID: bc81dc579b277809765f922e32ccf877ef3a2ea52d328f757af04ee87838bef6
                                                • Opcode Fuzzy Hash: 40cfcf36f11800c5f07d11c50f46f50085e5e477887a30ed176433a8868ff009
                                                • Instruction Fuzzy Hash: FBA16F32E0021A8FCF09DFA5C84459DB7F6FF84301B15856AE905BB225EF75A946CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569530A, Relevance: .2, Instructions: 220COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d97ffd626b611e003875fba20653e322e2a54730cd907f596977b030b1bf3d9
                                                • Instruction ID: fb70aaa7e65f20970cd570fc185ea8d05a9b08dc837d758a8cf352fa0d8cc9ea
                                                • Opcode Fuzzy Hash: 7d97ffd626b611e003875fba20653e322e2a54730cd907f596977b030b1bf3d9
                                                • Instruction Fuzzy Hash: C1C15FB1A127458BD310EF65ED881897B71FB86B2CF544B09D2612FAD8D7BC904ACF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016852F0, Relevance: .2, Instructions: 179COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e055a35ae9499b57541ad23f1e141a024d21e8c5e714a7acbe7a0b951832e901
                                                • Instruction ID: 340aa6e5bf1e3ae57153c1f12db8a49874a5abbff8e50726a7374fa58927454b
                                                • Opcode Fuzzy Hash: e055a35ae9499b57541ad23f1e141a024d21e8c5e714a7acbe7a0b951832e901
                                                • Instruction Fuzzy Hash: 2771D774E152099BCB04CFA9D9805DEFBF2EF88310F28A52AD416BB254E3749942CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016852E1, Relevance: .2, Instructions: 177COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8a39a49b1a48e898ba87bc2296af6a89947e08ff40154897398168f1e7beac9
                                                • Instruction ID: da2d3f3d394ba054e24ee18b40a918b9a817807697a08e9ce99fe8bbef19ed3f
                                                • Opcode Fuzzy Hash: d8a39a49b1a48e898ba87bc2296af6a89947e08ff40154897398168f1e7beac9
                                                • Instruction Fuzzy Hash: BF71F774E05209CFCB04CFA9C9815DEFBF2EF88310F28A56AD416B7254E3749A42CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01684A20, Relevance: .2, Instructions: 166COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12933639c435de94b64d15b302d7cdf0eaf2033f5e8994245a239d82aecb9dc3
                                                • Instruction ID: 4366557370c299d766a7fb36b26858c9c81fec92f6baabc3db012a8f61b832d6
                                                • Opcode Fuzzy Hash: 12933639c435de94b64d15b302d7cdf0eaf2033f5e8994245a239d82aecb9dc3
                                                • Instruction Fuzzy Hash: 8871E770E0520ADFCB04DF99C980AAEFBB2FF88310F148619D915AB314D7349A82CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01684A10, Relevance: .2, Instructions: 163COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b83b83d46b94af0903241cdb1007a3ef8e2eca71b0079b4caf5f558e0359c5f
                                                • Instruction ID: 2b63fc43ae6b7074dcdbe86327043e04699ee79a4cbec8ba580217e054a1a1bb
                                                • Opcode Fuzzy Hash: 2b83b83d46b94af0903241cdb1007a3ef8e2eca71b0079b4caf5f558e0359c5f
                                                • Instruction Fuzzy Hash: 8661E774E0520ADFCB04DFA9C980AAEFBB1FF88310F14865AD515AB354D7349A42CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01684D31, Relevance: .2, Instructions: 161COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567b184fd9dfc159f4f8fa7392601e984ed0a0af44fef52628ed42405d3667f6
                                                • Instruction ID: 6f3ddc5de5d405ae773c03956337cdc083f532d9134d32395ec5495171b24f16
                                                • Opcode Fuzzy Hash: 567b184fd9dfc159f4f8fa7392601e984ed0a0af44fef52628ed42405d3667f6
                                                • Instruction Fuzzy Hash: 116127B1E0421ADFCB04DFA9D8846EEFBB6FF88300F14966AD415E7245D7349A428F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 01685591, Relevance: .1, Instructions: 103COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c36a39fe4f8bf93050796ed5c8279594a352f0f69bf83991f8077e2b6c862a9
                                                • Instruction ID: 5940ae620db68820f8ef2cae64ec3544923733de944c74e58aacd772b9dad2e8
                                                • Opcode Fuzzy Hash: 1c36a39fe4f8bf93050796ed5c8279594a352f0f69bf83991f8077e2b6c862a9
                                                • Instruction Fuzzy Hash: 2341E8B0E0160ADBCB04DFA9C9415AEFBF2FF88300F24C56AC415E7214D7349A528B55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016855A0, Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a6c471b77228d1dc807eff12e5906138f791c1c618b34be3a3d50eee8a709a6
                                                • Instruction ID: 82d79c526d518130455ab33f6f3c799128c64196e4d5c0e2d58aff08a5276e92
                                                • Opcode Fuzzy Hash: 5a6c471b77228d1dc807eff12e5906138f791c1c618b34be3a3d50eee8a709a6
                                                • Instruction Fuzzy Hash: AA41D4B4E0120ADBCB04DFA9C9415AEFBF2FF88300F24D56AC516E7214D7349A428BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016897C0, Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25efd3796d4c27c9e948853591e866e172eb07450a9a60588766c4efd84f57b3
                                                • Instruction ID: 087e83e7fabb08669c980f76cf53a9b830a7e47478ece6ff7956ec5bd6ef8717
                                                • Opcode Fuzzy Hash: 25efd3796d4c27c9e948853591e866e172eb07450a9a60588766c4efd84f57b3
                                                • Instruction Fuzzy Hash: 39212771E116199BDB08CFABE8406EEFAF7BFC8310F14D13AD508A7214DB304A028B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 016897B0, Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.243127338.0000000001680000.00000040.00000001.sdmp, Offset: 01680000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc74cbd99b1577bef46b868e7f4b6b9723424d6ac2c0dc041fae2d50af16be3c
                                                • Instruction ID: e50b1b2765bbbf34f5d3b7339a8547484c04a804150dc81ff69e9bbfa95a80ec
                                                • Opcode Fuzzy Hash: dc74cbd99b1577bef46b868e7f4b6b9723424d6ac2c0dc041fae2d50af16be3c
                                                • Instruction Fuzzy Hash: CF215971E116189BDB08CFABD9406EEFAF7AFC8300F14C13AD408A7258EB3449068B55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0569C208, Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.252020385.0000000005690000.00000040.00000001.sdmp, Offset: 05690000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e93f2e9db26a98200d178819a5b263b8e8f7ddbe233925729763de5b4076187
                                                • Instruction ID: edfeae77cf30ac9598c23ea96c03b518154ffd5daf618102a08303116a6643bb
                                                • Opcode Fuzzy Hash: 6e93f2e9db26a98200d178819a5b263b8e8f7ddbe233925729763de5b4076187
                                                • Instruction Fuzzy Hash: B9113771E116189BEB18CFAAD9406DEFBFBAFC9310F14C07AD808A7254DB305A42CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Analysis Process: swift copy.exe PID: 5472 Parent PID: 4424 swift copy.exeCOMMON

                                                Executed Functions

                                                Function 0313B6C0, Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0313B730
                                                • GetCurrentThread.KERNEL32 ref: 0313B76D
                                                • GetCurrentProcess.KERNEL32 ref: 0313B7AA
                                                • GetCurrentThreadId.KERNEL32 ref: 0313B803
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 53045ff37941e83682447eefb6fb295fd5b93db6db91e0cd633cd92347737c98
                                                • Instruction ID: e8b64898bc3277ca573f86d6da385a2b136fca9f7dd8e861465b73d759e75603
                                                • Opcode Fuzzy Hash: 53045ff37941e83682447eefb6fb295fd5b93db6db91e0cd633cd92347737c98
                                                • Instruction Fuzzy Hash: 995175B09052488FDB10CFA9CA48BEEBBF1FF4A314F24C49AE019A7390D7745944CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0313B730
                                                • GetCurrentThread.KERNEL32 ref: 0313B76D
                                                • GetCurrentProcess.KERNEL32 ref: 0313B7AA
                                                • GetCurrentThreadId.KERNEL32 ref: 0313B803
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 9f5373e46417efbf09157cb942f32688d1cf4f161e273e097afe0cd81eed98e6
                                                • Instruction ID: ea85f9846603efc50879a05a29afb9173f8b6aad6ac02d35bb39469247feb4aa
                                                • Opcode Fuzzy Hash: 9f5373e46417efbf09157cb942f32688d1cf4f161e273e097afe0cd81eed98e6
                                                • Instruction Fuzzy Hash: 6E5164B09052088FDB10CFAADA48BEEBBF1FF89314F24849AE019A3390D7745944CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313FB00, Relevance: 1.7, APIs: 1, Instructions: 235COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 202b20dcefe62d1023670bf22b6871a5c999842f8bb5f2e93d01d6aa072d33c3
                                                • Instruction ID: 502a7af69b8e81e63b43f868dfb431c239ef8f22693679d7edf29cbdf6c2f858
                                                • Opcode Fuzzy Hash: 202b20dcefe62d1023670bf22b6871a5c999842f8bb5f2e93d01d6aa072d33c3
                                                • Instruction Fuzzy Hash: F8917E71C09389AFCB02CFA5C890ACDBFB1FF4A310F19819AE414AB262C7349846CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 031393E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0313962E
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b97b7a4d4056b416182db420ba81a95581b3013ad866a0763aceda48d66e1ddd
                                                • Instruction ID: c9d70376a9ef9f10c2a47f1492fc79619e5de21ba469cd87ccc7416b227ece4c
                                                • Opcode Fuzzy Hash: b97b7a4d4056b416182db420ba81a95581b3013ad866a0763aceda48d66e1ddd
                                                • Instruction Fuzzy Hash: CD7137B0A00B058FD724DF2AD54175AB7F5FF89204F14892EE48ADBA50DB74E849CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0313FD0A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 55a20318ffe5c1579f2ae2d49afd5af9a1ba95baa9afb92e11cac055766ee40f
                                                • Instruction ID: 1c5d583816aac6ec50796871234a7f572519b0cc42914d415dcc1342fb546f42
                                                • Opcode Fuzzy Hash: 55a20318ffe5c1579f2ae2d49afd5af9a1ba95baa9afb92e11cac055766ee40f
                                                • Instruction Fuzzy Hash: BD41B1B1D003099FDB14CF99C984ADEFBB5BF89314F24822AE819AB210D7749985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0313BD87
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 065645a49d24169bd8cd9db0f6121e1a75320421cd6e3d617957086e5e2b1f41
                                                • Instruction ID: 44f35ef1790d0d531864a16751dc824f92f07282f9f164e6a4303886715d591f
                                                • Opcode Fuzzy Hash: 065645a49d24169bd8cd9db0f6121e1a75320421cd6e3d617957086e5e2b1f41
                                                • Instruction Fuzzy Hash: FF21C4B59052089FDB10CFAAD984ADEBFF8FB49324F14841AE954A3310D378A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313BCF9, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                Download Yara Rule
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0313BD87
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 22cda9f4e97448b35564d1b7f7184766333cc851139a0312409ffc790d6d5ba8
                                                • Instruction ID: ae97ac46e01fa56c30d34bc16234b582f1ca32d11e01cfec85faec238f9af6bd
                                                • Opcode Fuzzy Hash: 22cda9f4e97448b35564d1b7f7184766333cc851139a0312409ffc790d6d5ba8
                                                • Instruction Fuzzy Hash: D621E4B59042489FDB10CFA9D984ADEFFF4FB49324F14855AE854A7310C378AA54CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 03139849, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031396A9,00000800,00000000,00000000), ref: 031398BA
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 7a371102a57082d8c1f3462a917d464335a1d6216eb54e50d22d8861edd55d19
                                                • Instruction ID: 2f45cbee063a47d4d678f10844bd9a4d0411980a1faee4852ff150659fa2dbdf
                                                • Opcode Fuzzy Hash: 7a371102a57082d8c1f3462a917d464335a1d6216eb54e50d22d8861edd55d19
                                                • Instruction Fuzzy Hash: 9D21F7B6C002099FDB10CF9AC944BDEBBF4EB99314F14856EE425A7200C374A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 03138768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031396A9,00000800,00000000,00000000), ref: 031398BA
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: e4bb425386e435bb9895fad6e0f02f90811c825560e51fc7d1032ab32e657b71
                                                • Instruction ID: b64f0a58d323f07dc418b13c1bde6ad2411a6007dcd1b08615c1ab7bef3a75e6
                                                • Opcode Fuzzy Hash: e4bb425386e435bb9895fad6e0f02f90811c825560e51fc7d1032ab32e657b71
                                                • Instruction Fuzzy Hash: 7B1103B69042098FCB10DF9AC844BDEFBF4EB89324F14846AE525B7600C3B4A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 031395C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0313962E
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: f833e3a6a28518de0382a9dcf9ad667ee9c8d7ade0c52e6e8f78baef428e7c19
                                                • Instruction ID: 68af9aeb1231666a14018b8b34b5c515e89ea01549971839a835a9269377b09e
                                                • Opcode Fuzzy Hash: f833e3a6a28518de0382a9dcf9ad667ee9c8d7ade0c52e6e8f78baef428e7c19
                                                • Instruction Fuzzy Hash: C211E0B5C016498FCB10CF9AC844BDEFBF4AB89224F14851AD869B7600C3B8A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313FE38, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetWindowLongW.USER32(?,?,?), ref: 0313FE9D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                • Opcode ID: a0a5ffb593e6195257ce81e521f6789b766c046080a4bd8d153bbec1261fb738
                                                • Instruction ID: 4d47627c6de448e7b3f5103d3c3f1c986742e98acbe1949a0873d91d0b6e059e
                                                • Opcode Fuzzy Hash: a0a5ffb593e6195257ce81e521f6789b766c046080a4bd8d153bbec1261fb738
                                                • Instruction Fuzzy Hash: EF1125B5800249CFDB10DF99C584BDEBBF8EB49324F25845AE854B7301C378A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0313FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetWindowLongW.USER32(?,?,?), ref: 0313FE9D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.477245593.0000000003130000.00000040.00000001.sdmp, Offset: 03130000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                • Opcode ID: ed247d246d8b60065df6e2e4600b5c451fb315503426a5e35107ca8150471ee5
                                                • Instruction ID: fa7fcc06a96424b756ff6f8348e9c1f4b3512ef2301d8bca80dab0f3746c5c9c
                                                • Opcode Fuzzy Hash: ed247d246d8b60065df6e2e4600b5c451fb315503426a5e35107ca8150471ee5
                                                • Instruction Fuzzy Hash: 8E1103B58002088FDB10DF99D984BDFBBF8EB49324F20851AE814A3300C374A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Analysis Process: swift copy.exe PID: 3840 Parent PID: 528 swift copy.exeCOMMON

                                                Executed Functions

                                                Function 014BA9B8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 014BBEA9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.317105050.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 7cdc4fc63fb552d6bce6fc2076fc13660c0f089de6b28d07c9362a3d6d57c3ad
                                                • Instruction ID: ac541e05fed7b3e373276997958f8b40a1a3f782c45aed2aff34dd89d2ae385e
                                                • Opcode Fuzzy Hash: 7cdc4fc63fb552d6bce6fc2076fc13660c0f089de6b28d07c9362a3d6d57c3ad
                                                • Instruction Fuzzy Hash: 5441C171D0461CCADB24DFA9C884BDEBBB5FF88304F21806AD509AB251DB755946CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Analysis Process: dhcpmon.exe PID: 3088 Parent PID: 528 dhcpmon.exeCOMMON

                                                Executed Functions

                                                Function 02C68540, Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: ^9sV$v".$v".
                                                • API String ID: 0-4269212391
                                                • Opcode ID: 44662a24d3e68f972369db323d6d0db98f576a6db0fd8169ecf96eb8295419de
                                                • Instruction ID: 8761ca54d9a1fc8d26b72a98724fd44c407b2280e0b3598cf0db8552ad6397d1
                                                • Opcode Fuzzy Hash: 44662a24d3e68f972369db323d6d0db98f576a6db0fd8169ecf96eb8295419de
                                                • Instruction Fuzzy Hash: 9D61C0B4E04219DFDF04CFEAD9895EEBBF2BB88300F10852AE515A7254E7349946CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68530, Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: ^9sV$v".$v".
                                                • API String ID: 0-4269212391
                                                • Opcode ID: 74318aaddb4b6acc0863956ec40cfb57a29608dfc7a43aa1f47de6e658804ff8
                                                • Instruction ID: 4a8205d51df83f41ec7ba0a28b2e227582e149ee75f5660888c6887d84966956
                                                • Opcode Fuzzy Hash: 74318aaddb4b6acc0863956ec40cfb57a29608dfc7a43aa1f47de6e658804ff8
                                                • Instruction Fuzzy Hash: 2F61E2B4E04219DFDF04CFEAD9895EEBBF2BB88300F10852AE515A7254E7389946CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69C80, Relevance: 3.3, Instructions: 3320COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32b32d120c6cde8a41820b53095ab44a314eeda408103497027795c5a7b63ff9
                                                • Instruction ID: b0c388b29d177d98723afbd67735eb42322839fa15ebd0ff9e3fa0621ed38834
                                                • Opcode Fuzzy Hash: 32b32d120c6cde8a41820b53095ab44a314eeda408103497027795c5a7b63ff9
                                                • Instruction Fuzzy Hash: 06731A74A00219CFCB24DF68C8D8AADB7B2BF89314F158599E509AB365DB31ED81CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6F779, Relevance: .3, Instructions: 274COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81b06d0714712ea21c684cf75e57a6b46fc40063ec7ed650fb825218de3818b7
                                                • Instruction ID: ca4966e59c72f63083ac88675d3662cc4201d28941bd50144cd045db41343356
                                                • Opcode Fuzzy Hash: 81b06d0714712ea21c684cf75e57a6b46fc40063ec7ed650fb825218de3818b7
                                                • Instruction Fuzzy Hash: C3C19C70D0439ACFDB06CFB9C8946ADFFB2AF9A310F1482AAD455AB395D7344841CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69574, Relevance: .3, Instructions: 273COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91f818d5adcee25207ac1dce0e8adcced9052c543e206560e8e48c5d1a02a84e
                                                • Instruction ID: b5f984935822138d180e3f077259fcc01a471391faad899e33e37af9b31c826e
                                                • Opcode Fuzzy Hash: 91f818d5adcee25207ac1dce0e8adcced9052c543e206560e8e48c5d1a02a84e
                                                • Instruction Fuzzy Hash: 8AB12831E002199FCF15DFA5C884BEEBBB2FF89304F1089A9E509A7250DB359A45CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6F7EF, Relevance: .3, Instructions: 252COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35c9ad2f8fa46724ecb919b0b3200bda2c8efa95de72f462b04f367f42838e5e
                                                • Instruction ID: 1686c9e5b8ab5fc8e8431b759a63e62ac7fe95316bfc4be3a5f911984d9265be
                                                • Opcode Fuzzy Hash: 35c9ad2f8fa46724ecb919b0b3200bda2c8efa95de72f462b04f367f42838e5e
                                                • Instruction Fuzzy Hash: CEB17B70D0438ACFDB06CFB9C8946ADFFB2AF9A310F1482A9D455AB395D7358841CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C67DF1, Relevance: .2, Instructions: 219COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64036a39c10fc8831c6fbea457db0323a1d9e4cc4d9fdc1cedb5d020779c3d82
                                                • Instruction ID: 8853e5f8223e435f89b221e31159d921dcdcfbcb8109e44590673ae4d8737d48
                                                • Opcode Fuzzy Hash: 64036a39c10fc8831c6fbea457db0323a1d9e4cc4d9fdc1cedb5d020779c3d82
                                                • Instruction Fuzzy Hash: DFA1C475E042189FDB64CFAAD990B9DFBB2FF88200F10C1AAD509A7354EB345A858F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C67E91, Relevance: .2, Instructions: 203COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 584d310fd5e5eb0fc676112969095a104dedc2380b6d10da84925bee1ca0243b
                                                • Instruction ID: 9170516c72c3e1c48acc7213efbd466ffa01d5ac383e13b168371c90daf541bb
                                                • Opcode Fuzzy Hash: 584d310fd5e5eb0fc676112969095a104dedc2380b6d10da84925bee1ca0243b
                                                • Instruction Fuzzy Hash: 5BA1D274E04218DFDB64DFA5C994B9DFBB2EF88200F2085AAD409A7354DB349E85CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6F8A8, Relevance: .2, Instructions: 189COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57216434f04ed96790b5b2bb52a5ecf6dac62e723a3b6556c75627c729976459
                                                • Instruction ID: b95aebce82dea456f392dc0c8f7c05697b47f59b32594e56d322eab8fd4690ff
                                                • Opcode Fuzzy Hash: 57216434f04ed96790b5b2bb52a5ecf6dac62e723a3b6556c75627c729976459
                                                • Instruction Fuzzy Hash: F981D174E002198FDB08CFEAD9946AEBBB2FF89300F10852AD81ABB754D7349945CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C67EFA, Relevance: .2, Instructions: 186COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd0108bdb02613219b97a23658cc821139612511a2150a5c7162ccc0388dc668
                                                • Instruction ID: 58f6e233f3649f808eee0a3f8b55b2ba29976280c4d55188974e26a473990658
                                                • Opcode Fuzzy Hash: cd0108bdb02613219b97a23658cc821139612511a2150a5c7162ccc0388dc668
                                                • Instruction Fuzzy Hash: 1D91C274E042189FDB64DFA5C990B9DFBB2FF88200F1085AAD509A7354EB349E85CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6D768, Relevance: .2, Instructions: 150COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 919abcded6a6a2744c85556f32fdf48436d39d11a7937b1a8a1ab9a51fffe977
                                                • Instruction ID: 7f6194f33f8d1d181f12455e297eb4ea09b9a05a55cc4e9a0a3a1e8470088894
                                                • Opcode Fuzzy Hash: 919abcded6a6a2744c85556f32fdf48436d39d11a7937b1a8a1ab9a51fffe977
                                                • Instruction Fuzzy Hash: FB51B374E012189FDB08DFAAD9946EEFBF2AF89300F148129D409BB354EB359945CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0108A9B8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 0108BEA9
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317681841.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 7ac82a70a3d5855a782cdff6ed4d3e11c79ece552d967bc9cd3b7ffcce397bf4
                                                • Instruction ID: d5d119405eba9cd4d1563312b28094ddf4e131426c3f6fa0ca8c896112ebada8
                                                • Opcode Fuzzy Hash: 7ac82a70a3d5855a782cdff6ed4d3e11c79ece552d967bc9cd3b7ffcce397bf4
                                                • Instruction Fuzzy Hash: 6841F371C0461CCFDB24EFA9C884B9EBBB5FF88304F20805AD549AB251DB756946CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C377AC, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                Download Yara Rule
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C38745,?,?), ref: 02C387F7
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318188736.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 38b873d9f67d69c2bbc4b2231b7bbbcbbcf47e7137ffe7846feb1c6d32c95145
                                                • Instruction ID: 0604478660c6d103d3ccbb15befafcc216ee6e3a102f43d5d7e6898c2edc7449
                                                • Opcode Fuzzy Hash: 38b873d9f67d69c2bbc4b2231b7bbbcbbcf47e7137ffe7846feb1c6d32c95145
                                                • Instruction Fuzzy Hash: CE31E0B59002099FCB11CF9AD884ADEBBF5FF48324F24842AE915A7310D374A944CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C3875B, Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                Download Yara Rule
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C38745,?,?), ref: 02C387F7
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318188736.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 8f568a747fb591ae6dedb5c6446f8d8a04545b240ce1b6f5e9e5af325cb69929
                                                • Instruction ID: 7ce19fab051ccd6ba4b55528b9dc9aaf9692d30c2806614ff9184e753d912890
                                                • Opcode Fuzzy Hash: 8f568a747fb591ae6dedb5c6446f8d8a04545b240ce1b6f5e9e5af325cb69929
                                                • Instruction Fuzzy Hash: D531E3B59002499FCB11CF9AD884ADEFBF5FF88324F14842AE815A7310D374A945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C67FE9, Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: }`e
                                                • API String ID: 0-793969669
                                                • Opcode ID: db2dde92d32076061b1d8209100f3d1b9d741b74c8e847575e3e4b68ed96e869
                                                • Instruction ID: ccef5800251607c47a087de91a958d8e767087023bb587b7601387609763ed34
                                                • Opcode Fuzzy Hash: db2dde92d32076061b1d8209100f3d1b9d741b74c8e847575e3e4b68ed96e869
                                                • Instruction Fuzzy Hash: C5F09BB8E15308AFCF55DFA9D4845ADFBB2EF88210F208029A419EB354EB309942CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C61413, Relevance: .5, Instructions: 464COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 55f0f768af7382afff70e190319622cd2015f5af151ab708702f29c5e9d5f997
                                                • Instruction ID: 82eab4f38e30ffb426157d0e32002fa41a9668115fa183995fc9da1716f64fae
                                                • Opcode Fuzzy Hash: 55f0f768af7382afff70e190319622cd2015f5af151ab708702f29c5e9d5f997
                                                • Instruction Fuzzy Hash: 17E17D60B00212478B55BF7944E413EA2939FD521934DDA3EAA4EAF756DFF8CD081BE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C61418, Relevance: .5, Instructions: 464COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 509281e116f7461ee1aafc361833019dd0fbc5866f6740ff329d78393d9ae48a
                                                • Instruction ID: 490f1e257226d38609ffa9ec4016ae31a283ffe4161a79ecb33fbafea6a2e005
                                                • Opcode Fuzzy Hash: 509281e116f7461ee1aafc361833019dd0fbc5866f6740ff329d78393d9ae48a
                                                • Instruction Fuzzy Hash: 2AE16D60B00212478B55BF7944E413EA2939FD521934DDA3EAA4EAF756DFF8CD081BE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66478, Relevance: .3, Instructions: 332COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e08ddaa6be72c510e756ca2d02ff08ca1dfe8d7393ce1f5f4aaf95aea6b7ee2
                                                • Instruction ID: d6ee68847465924ff1087a2704b82e953cac18fbb243a2f076302bfab4241b6e
                                                • Opcode Fuzzy Hash: 3e08ddaa6be72c510e756ca2d02ff08ca1dfe8d7393ce1f5f4aaf95aea6b7ee2
                                                • Instruction Fuzzy Hash: 54F1DC75D1061ACBCF14DFA8C8946EDB7B5FF58300F108699E949B7214EB30AA85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66468, Relevance: .3, Instructions: 302COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 547dda0f79997edd09dbd15d3090c5415dad32dfe632a65ef31a794f493fd6b0
                                                • Instruction ID: e8c09f758c80993291729cc2cc9a93b463134efb64954218671e7da9832c55e0
                                                • Opcode Fuzzy Hash: 547dda0f79997edd09dbd15d3090c5415dad32dfe632a65ef31a794f493fd6b0
                                                • Instruction Fuzzy Hash: 20E1FC75D1061ACBCF14DFA8C8946EDB7B5FF58300F108699E949B7214EB70AA89CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6FB48, Relevance: .2, Instructions: 243COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1abdcb28c9e0ea5623045d6bb8370344ac547462fe118f335a87ab98524869b
                                                • Instruction ID: d4439174b9efba562106807068c592e163ab39fa47da6465a816930442f3a035
                                                • Opcode Fuzzy Hash: a1abdcb28c9e0ea5623045d6bb8370344ac547462fe118f335a87ab98524869b
                                                • Instruction Fuzzy Hash: 6DB11A70E1025ACFCB44EFA4D490ADEBBB2FF88304F508A69E515AB354DB34A945CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C608E0, Relevance: .2, Instructions: 192COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98663a2335e26d9f04657bfd896ae4914fd0afebcf6d080dbcd5c48aca526688
                                                • Instruction ID: 9643df485bdb40457345701e696f481cfed2504ec03d4b4b58501d1b4467122e
                                                • Opcode Fuzzy Hash: 98663a2335e26d9f04657bfd896ae4914fd0afebcf6d080dbcd5c48aca526688
                                                • Instruction Fuzzy Hash: 8F91FB3591061ACFCB10EF68C884AD9F7B1FF89314F11C699E5497B225EB30AA85CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69A80, Relevance: .2, Instructions: 182COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e24f407973fbfdf344af0e6965b1c65e6d0f489a99bb424175dfdcc72c735073
                                                • Instruction ID: ef7e4482c2aefb9edbebf3d8212c54d5447b319812b8102332e29dee9c63fe59
                                                • Opcode Fuzzy Hash: e24f407973fbfdf344af0e6965b1c65e6d0f489a99bb424175dfdcc72c735073
                                                • Instruction Fuzzy Hash: 8D51BA31A08606DFCB24DFB9C8C8A7EBBF2ABC9218B054469D505D7355DB31E941CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69658, Relevance: .2, Instructions: 176COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 915fc5d7eeb82038a3c1da79ae064df7bd950938b24fffc9bcff3dbacda1e00e
                                                • Instruction ID: ed98a34cf6f90ddcacc465dac2ee779bb5fa0fd4217a01c74e02350aaa668d04
                                                • Opcode Fuzzy Hash: 915fc5d7eeb82038a3c1da79ae064df7bd950938b24fffc9bcff3dbacda1e00e
                                                • Instruction Fuzzy Hash: 0061AD31B002548FCF04DF68D898AEDBBB6AF89610F144469E902EB3A1DB31DD41CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C60BF7, Relevance: .2, Instructions: 167COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f12146c3b473651e37cae1be942ce405762bbc54c9098c361f91ba3221002e03
                                                • Instruction ID: 09db5cb9a708a10e4024c85b8d690241ec7d3fcf8d5089c9f43e7ca14ee886e7
                                                • Opcode Fuzzy Hash: f12146c3b473651e37cae1be942ce405762bbc54c9098c361f91ba3221002e03
                                                • Instruction Fuzzy Hash: 4371D675A006099FCB14DFA5D988BEDBBF2BF88314F208159E905BB2A5D732AD41CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6DEC0, Relevance: .1, Instructions: 146COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db5ab5a1e8170e4152c14d06902ae94918cdb9b73cdd35e54f65246123aee705
                                                • Instruction ID: 5fe856c25881652490c8cc5245648620a45c18b2d5d5286533b97b5dcc9419b5
                                                • Opcode Fuzzy Hash: db5ab5a1e8170e4152c14d06902ae94918cdb9b73cdd35e54f65246123aee705
                                                • Instruction Fuzzy Hash: 32418271A002149FCB10DFB9C448AAFBBF6EFC8254F15842EE906E7340DB3599458BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C60C00, Relevance: .1, Instructions: 146COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d4ddb937e4f27e49a8a850867c6ed82d36117b1f98cdc789935d95a426d0e9f
                                                • Instruction ID: f3f623da3fdbd4dfcd3b30f6237ac939dc66ac21ecc47e47e5e1c0b2b85a0426
                                                • Opcode Fuzzy Hash: 1d4ddb937e4f27e49a8a850867c6ed82d36117b1f98cdc789935d95a426d0e9f
                                                • Instruction Fuzzy Hash: B761B674A006099FCB14DFA5D988BEDB7F2BF88704F108159E905BB2A5D732AD41CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69DBF, Relevance: .1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c23c831ad8eada199b759f3a601259d08b3a5fb754fc1f63f46bdf693659ce7a
                                                • Instruction ID: 31378ac2cf616b9f5cd01283098fe422cc690137a824003e93a0aee8d39c3359
                                                • Opcode Fuzzy Hash: c23c831ad8eada199b759f3a601259d08b3a5fb754fc1f63f46bdf693659ce7a
                                                • Instruction Fuzzy Hash: 01416D30B001199FCB14DF60D898ABE77A6FFC8244F158528F8069B290CB35DDA6CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C646C0, Relevance: .1, Instructions: 113COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e902e0a73fbf69f4b7f83c468a652e79d804548ac6ffea6124a257b86ccf2e02
                                                • Instruction ID: 5195e8c9224825cadf469dc76bc2d4f5fc761495efc3dc646535e160805a2da4
                                                • Opcode Fuzzy Hash: e902e0a73fbf69f4b7f83c468a652e79d804548ac6ffea6124a257b86ccf2e02
                                                • Instruction Fuzzy Hash: F54191357001098FCB15DF64C894AEE7BF2EF89304F1584A9E905AB361DB39ED05CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66210, Relevance: .1, Instructions: 105COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3df5d2ad7121344d5a5bb9f6c0a2830d489eba64aa5808d6b3e3dcfe7e547b77
                                                • Instruction ID: f70f0be17dcc6165dc920544db961cd9e7b5c4e5a38f98e4536c0ac0ec5dfe1b
                                                • Opcode Fuzzy Hash: 3df5d2ad7121344d5a5bb9f6c0a2830d489eba64aa5808d6b3e3dcfe7e547b77
                                                • Instruction Fuzzy Hash: 0D417475A10609DFCB04EFA8C884CEDFBB5FF89310B058299E515AB361EB70AD45CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66983, Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12c8f5acc820d483126e999e7f72b7e25e86b25fe491d248749edc42b6b95fff
                                                • Instruction ID: f9524e8fae45f0ab010f399792a02c3ba1fac26d8f99fbcb63472bf55f44b821
                                                • Opcode Fuzzy Hash: 12c8f5acc820d483126e999e7f72b7e25e86b25fe491d248749edc42b6b95fff
                                                • Instruction Fuzzy Hash: 2F318BB5B002059FCF04DFA8D4849EEBBF9FF8D210B148169E949EB345EB359842CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C646BB, Relevance: .1, Instructions: 95COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67b5d1ab2c9dbe5c72b19ca946685fbe582cd74aa7c229f8f75eb22fc2816370
                                                • Instruction ID: 3fc4cf9fe87c889b3c92ae2b132e4e6448dbfe50947eef237b347767784f6106
                                                • Opcode Fuzzy Hash: 67b5d1ab2c9dbe5c72b19ca946685fbe582cd74aa7c229f8f75eb22fc2816370
                                                • Instruction Fuzzy Hash: 25316D356001098FCB15DF64C994AEEBBF2EF89304F1580A9E905AB362DB35ED05CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C605A8, Relevance: .1, Instructions: 83COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2d151ace3fbf7918198e2dd6cce9f87fa800fd88fa7e1ca34d79c873129bb84
                                                • Instruction ID: 789de490cb248b77d633b1269f6d5cbaf1823f88df54f6b41260064bcc6cbb04
                                                • Opcode Fuzzy Hash: d2d151ace3fbf7918198e2dd6cce9f87fa800fd88fa7e1ca34d79c873129bb84
                                                • Instruction Fuzzy Hash: 80319E30B102098FCB04EB68C4589AEB7F6EFC9314F11855AE509EB361DF709D418BA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C630E0, Relevance: .1, Instructions: 80COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25779aad54f2a8aca323a28b53c09067cd8e505590e4b94b405729d53eba3582
                                                • Instruction ID: 57c4b5330f375d831fb4cd15778751fa9f50208cbbf9323803d2b9940509e555
                                                • Opcode Fuzzy Hash: 25779aad54f2a8aca323a28b53c09067cd8e505590e4b94b405729d53eba3582
                                                • Instruction Fuzzy Hash: EA21CCB1A042489BCB10EBA4D840AEFB7F6EFC5314F01886ED65997350EB345905CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0102D4C4, Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317436334.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf0a871ea8607b3a43516165ccafa82ce8458ba5dba08d273331df7b096cd350
                                                • Instruction ID: 5ddeb6a2bc160c46415f78b0ade7f1f256fd9aa25603f08557f527e7026f4c95
                                                • Opcode Fuzzy Hash: bf0a871ea8607b3a43516165ccafa82ce8458ba5dba08d273331df7b096cd350
                                                • Instruction Fuzzy Hash: 232125B1504250DFDB05DF54D9C0B2ABFA5FB88328F24C5A9E9454B206C376EC46CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0103D1D4, Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317486497.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6430338ae0ee88306691fe7d97d747f606f2e610c67e61c8879a650ef715469
                                                • Instruction ID: 6e1ceb08bee897e16d50d124f61a0027760c0d73bb1dfc0e87a8d575e897fe05
                                                • Opcode Fuzzy Hash: f6430338ae0ee88306691fe7d97d747f606f2e610c67e61c8879a650ef715469
                                                • Instruction Fuzzy Hash: B92129B1504200EFDB45DF94D9C0B26BBA9FBC4328F64C5ADE9894B242C736D846CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0103D01C, Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317486497.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ab653bf162d1e38792fa5beaf965d44d181b0ecde08ded00d23fa97b6edafb5
                                                • Instruction ID: 91065e70ffb4a6e664786efd6bfd082cc1c2bd3900343c086dbcf57ea62b2a5b
                                                • Opcode Fuzzy Hash: 7ab653bf162d1e38792fa5beaf965d44d181b0ecde08ded00d23fa97b6edafb5
                                                • Instruction Fuzzy Hash: F42103B1604200DFCB15DF54D8C0B26FBA9FBC4654F64C5ADE9894B246C33AD806CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6EB57, Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1eb8c9cfc74fdd6d765c5c796b8b4af36f01df69810cf73a4d80ecd1cd5970f
                                                • Instruction ID: 0507a275e0a017ed3a773e0c5b0d0b68becda04c927fffc5002c01f406f79982
                                                • Opcode Fuzzy Hash: a1eb8c9cfc74fdd6d765c5c796b8b4af36f01df69810cf73a4d80ecd1cd5970f
                                                • Instruction Fuzzy Hash: CE21C02540E3E09FC7039F3898E04997F729F87214B1A49C3D5C1CF1A3E2249D5AD366
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C660C8, Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1cd14721d0e78c8d06ed4e00a39d14915a35bf2f457c9f1ea87d9cef5666816
                                                • Instruction ID: 3a337aa8f1dfb1290a3f173a4fdc1ba7cc708b388be76881469f17fb5b6e7302
                                                • Opcode Fuzzy Hash: b1cd14721d0e78c8d06ed4e00a39d14915a35bf2f457c9f1ea87d9cef5666816
                                                • Instruction Fuzzy Hash: 79213175E002098FCF44EF69C8948EEF7B9FF893007108569E905B7345EB30AA45CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C660C3, Relevance: .1, Instructions: 67COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f64cd9c1d0df24c355c782c0253cb195fc3d8991a9eb309d9632ba1384868dc
                                                • Instruction ID: 7603ea2dfe0a2cdf09a7fe1ce92fe28f7a670cb9960575ee3c0e8a0e8d03ca3e
                                                • Opcode Fuzzy Hash: 3f64cd9c1d0df24c355c782c0253cb195fc3d8991a9eb309d9632ba1384868dc
                                                • Instruction Fuzzy Hash: FE213EB5E002058FCB44EF69C9948EEB7B9FF89200710456DE906A7355EB34AA45CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6059F, Relevance: .1, Instructions: 65COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2319d040308afe76c209b1ebfe64ceab238230d5192955965a3b51d87acd2e92
                                                • Instruction ID: 39c00e814ebd222942e441c9f329b36c578fbac3c4f93b95379daffb908a8e2e
                                                • Opcode Fuzzy Hash: 2319d040308afe76c209b1ebfe64ceab238230d5192955965a3b51d87acd2e92
                                                • Instruction Fuzzy Hash: C9215B34B106198FCB04EF68C4449AEBBF6FFC8314F11859AE509EB361EB70A945CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0103D006, Relevance: .1, Instructions: 63COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317486497.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2087333ac573e1be76904ff45a9d034a2e33a493b46b273ab2afeff426303fc
                                                • Instruction ID: 4f17ec6255fcbc3220f55ceadcb72a7a5c2b74dbe286960603225c636f7e3a19
                                                • Opcode Fuzzy Hash: d2087333ac573e1be76904ff45a9d034a2e33a493b46b273ab2afeff426303fc
                                                • Instruction Fuzzy Hash: 4D2180754083809FCB02CF64D994B11BFB5EB86214F28C5DAD8858F267C33AD85ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66C80, Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d95f412ceea83d665d5387e922d158940d3bc6efa182b49d3419e4c02fb1f023
                                                • Instruction ID: 5289d3af09684a28c43bff37e55b5ac661a0da2ccdc07880cdae4ff5bad31e20
                                                • Opcode Fuzzy Hash: d95f412ceea83d665d5387e922d158940d3bc6efa182b49d3419e4c02fb1f023
                                                • Instruction Fuzzy Hash: F8112931704A048FC704AB79E8585ADBBAAFFD5254B10453EE606CB350EF35D805C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6DA50, Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b64f41dd7e893a1ad5942e31fcb05dd32602c78ce7fbba5bf6a953c40646158
                                                • Instruction ID: 0b0f2e901034b22d10e2019f062553416ec96877df98c4532caee3a654dd8bfb
                                                • Opcode Fuzzy Hash: 9b64f41dd7e893a1ad5942e31fcb05dd32602c78ce7fbba5bf6a953c40646158
                                                • Instruction Fuzzy Hash: 8F115E71B002058B8B14EBB899505FEB7B2ABC8258B500139C505EB744FF329E15CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6271C, Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1624b72063ba3dda66d8a21252e34d340a24f17d5ebd6b0eb6df444f0e4cbd3a
                                                • Instruction ID: ba99f809dc3848c5ba566df8eb62a7e777c399f5908a64d4c6b2555ae52de10f
                                                • Opcode Fuzzy Hash: 1624b72063ba3dda66d8a21252e34d340a24f17d5ebd6b0eb6df444f0e4cbd3a
                                                • Instruction Fuzzy Hash: 280180363442104BC628AA3AD498B7EB3A6EFC4755F55447DD20ACB791CE35D8418750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6273C, Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25b0d7598b62a14e9c6ff650d4f36647ee9a688a1b34217cabce0744665decd4
                                                • Instruction ID: 3b0251119f9c80832e5ba98e3d34f6b06d384ac7eeeccac9dc54aeaef24aca32
                                                • Opcode Fuzzy Hash: 25b0d7598b62a14e9c6ff650d4f36647ee9a688a1b34217cabce0744665decd4
                                                • Instruction Fuzzy Hash: 90118E307102159BCB04EBA9D894AAFB7EAFFC9704F018869E644DB361DBB1DD0187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0102D4BF, Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317436334.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                                • Instruction ID: c9da307cc426cd19050b888c770d44eac897d7fbab8b2604c7c0f9e45a1d50b0
                                                • Opcode Fuzzy Hash: 47076947d0cae9de72b912d4314ccf217260e82977345402d4a79466876f1438
                                                • Instruction Fuzzy Hash: 6B11B176404280CFDB12CF54D9C4B16BFB1FB84328F24C6A9D8454B616C336D85ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6DB28, Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fbaeb8343d82771a9c2346b29ad818384132fb8972e4e27b86eb2eea330d45d
                                                • Instruction ID: 8b1d28363c424002473bdd3a637eb975b2fa8076e4b64b041cff0446ab6e0e22
                                                • Opcode Fuzzy Hash: 8fbaeb8343d82771a9c2346b29ad818384132fb8972e4e27b86eb2eea330d45d
                                                • Instruction Fuzzy Hash: F20161B6B007164B8B15EE7988845BFB7F7EFC82607154A2AD829D7340EF309A058B60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6FEFB, Relevance: .1, Instructions: 55COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8bb7197f936693d01feba12a258a6689ef4b222cd0bfc01e986f5d98618a479a
                                                • Instruction ID: 2e00c9b8403fb492cf0d472b5cabe817262d298b775506d0c7c6ce6e3ea7ba0c
                                                • Opcode Fuzzy Hash: 8bb7197f936693d01feba12a258a6689ef4b222cd0bfc01e986f5d98618a479a
                                                • Instruction Fuzzy Hash: 89114C70D0021A8BCB44EFE4D4506EEBBB2FF88314F658A25D541B7354DB716D9ACBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6FF00, Relevance: .1, Instructions: 54COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf11861155155f0431dc2c519fd2f9cf64f66992b1191b0cda559ace100f9d42
                                                • Instruction ID: 22f0857028916b00554b720046e14408d4d75b33f88f51c61db2cef2d95f0cc6
                                                • Opcode Fuzzy Hash: cf11861155155f0431dc2c519fd2f9cf64f66992b1191b0cda559ace100f9d42
                                                • Instruction Fuzzy Hash: 87111970E0021A8BCB04EFE4D4506EEBBB2FF88314F618A25D500B7344DB756996CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0103D1CF, Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.317486497.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
                                                • Instruction ID: d28241d4546ee0f96fd7a33a1f5b8b651856e8d9b89029ec65238dc212d58787
                                                • Opcode Fuzzy Hash: c7476f9ef67022c6f40ab1799bec6ea3099b5a12b22541a18a444746aa0498e5
                                                • Instruction Fuzzy Hash: A611BB75904280DFCB42CF54C5C0B15BBA1FB84224F28C6A9D8894B656C33AD44ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64EDA, Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b6a8e355da112e54e9131bc55e1d35a1418358db3b0ecb0a2e6a8abf9ade377
                                                • Instruction ID: b86fd943b328b52f5a7f4dde73108420518a2eb60ac1a6f46c0eccdec10398ac
                                                • Opcode Fuzzy Hash: 9b6a8e355da112e54e9131bc55e1d35a1418358db3b0ecb0a2e6a8abf9ade377
                                                • Instruction Fuzzy Hash: 890169357101148F8A24EB28E4C88BD77A6EFD8725724815AEA46CB3A0CB729D41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6DEB1, Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81cb6299dafefe993b4723bf8d7956d5c3e07a896c664eb574b368aa37168521
                                                • Instruction ID: f5984f0bc5c0d5c27c53fb343fbb7290557de77f9fab757a175b26ba8e56d22a
                                                • Opcode Fuzzy Hash: 81cb6299dafefe993b4723bf8d7956d5c3e07a896c664eb574b368aa37168521
                                                • Instruction Fuzzy Hash: 200175B1B006155B8B11DF69DCC45BFB7FAEFD8350B104829E916D7240DB3199058BE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6460F, Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00d3e481d377d7318be435a0ffb70e8d7c8e36f7d8479952e466ab884ce9a6df
                                                • Instruction ID: 1c43fdc8f02c49d74c143f60eacda789b30b871982aa95141b3d1254c7efabf3
                                                • Opcode Fuzzy Hash: 00d3e481d377d7318be435a0ffb70e8d7c8e36f7d8479952e466ab884ce9a6df
                                                • Instruction Fuzzy Hash: 44118E347102119FDB04EFA9D844AAFB7F6FFC8305F10886AE144DB364DA719C0187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C62B40, Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 906d15899c0a81103b11c33c3dc05710c003e622daaa4cc8fcbdec5688267cc9
                                                • Instruction ID: 0734a57ff42722c656257036dba4fed2ea40581814801db67fdafa05275aed72
                                                • Opcode Fuzzy Hash: 906d15899c0a81103b11c33c3dc05710c003e622daaa4cc8fcbdec5688267cc9
                                                • Instruction Fuzzy Hash: 53012631B493184FC719AB75E45827E7BA6EBC5324F04086DE48AC7B90CF346842C7D1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64E20, Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e0fa42b4019f7acef2aa5fbde8e63ceef76ddc1214db27d06ae48bf85b01217
                                                • Instruction ID: 572a65c272b3c58c521e1ddf1fef48d9e81a6a7e797061bbbe8e147b392b059e
                                                • Opcode Fuzzy Hash: 9e0fa42b4019f7acef2aa5fbde8e63ceef76ddc1214db27d06ae48bf85b01217
                                                • Instruction Fuzzy Hash: 01012C353406509FD738AF6AD848F2AB3AAEFC5624B144569E5168B7A1CB21E805CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68EF8, Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2cd1a0080ce97cd66dc07c04a641bc64b078d734700810d616692c62fa883c1
                                                • Instruction ID: 16831c56c5aa0d61d349a9f1c5acb12ea8cdb805ba918bc90d01748a87412ae2
                                                • Opcode Fuzzy Hash: b2cd1a0080ce97cd66dc07c04a641bc64b078d734700810d616692c62fa883c1
                                                • Instruction Fuzzy Hash: 66116674D04259EFCB11DFE8D944BAEBFB0FB48314F108A99E864A7351C7769A61CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6239B, Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3114f11fe1a9a48cba4f2ef8fa71db7ca9e27ef4fde3244d50ef138f6eb575c1
                                                • Instruction ID: a4671d849bdb9521c7d2a5c2acd0bcc5ea3242c98b0f9cc4e401cf3d9c49981e
                                                • Opcode Fuzzy Hash: 3114f11fe1a9a48cba4f2ef8fa71db7ca9e27ef4fde3244d50ef138f6eb575c1
                                                • Instruction Fuzzy Hash: 2001D1383006408FC728DE2DE094A7E37EAEFC52107098079EA4ACB725DB31EC018B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C623A0, Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c9aaacc886ca4a9e418b668dd4deaa56e39053f472bd1aefc4cdcf0c0904b62
                                                • Instruction ID: 447e23d6a795d4917e1b9a9719a4957251e5806e594b3b18cc1c18089ff49402
                                                • Opcode Fuzzy Hash: 2c9aaacc886ca4a9e418b668dd4deaa56e39053f472bd1aefc4cdcf0c0904b62
                                                • Instruction Fuzzy Hash: BBF081343005548FC728AE2DD09493F73AAEFD52107158039EA4ACB764DB31EC019B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66C00, Relevance: .0, Instructions: 39COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecf4a75cbf1e35e7f49e91bb25e64ce2db438530bb778a82c4d1be2ee99c4f24
                                                • Instruction ID: fa574a401a4891782cb493846e35ec74a16910876355ade0035536487a1d0fda
                                                • Opcode Fuzzy Hash: ecf4a75cbf1e35e7f49e91bb25e64ce2db438530bb778a82c4d1be2ee99c4f24
                                                • Instruction Fuzzy Hash: 25018131A10A298BCF14EB68D8544EEB77AFF89311F008529DA1577248FF356A19CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C63FD9, Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 930ea4c217a7a27c8e035ff5b5a5babca7406cafb01ddac01b4a33ef51fc6d76
                                                • Instruction ID: 8d8540be67d76b4c820d74fb1feaca8e9544df82c02c9ee53998609b52e3f2c8
                                                • Opcode Fuzzy Hash: 930ea4c217a7a27c8e035ff5b5a5babca7406cafb01ddac01b4a33ef51fc6d76
                                                • Instruction Fuzzy Hash: 3DF0B4357081604F8B196B7DA4544AE7FEA8FC9611315809BE444C73A1CE348D02CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6EBF5, Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57cd472be5a0af6ba7bca7daccb5593fa04fc3a752e871162ae368e37582ba05
                                                • Instruction ID: d0a75c9cbba45220a7a64bf7533cb53f3d43e628e31e0acef01dd0b425ab13a0
                                                • Opcode Fuzzy Hash: 57cd472be5a0af6ba7bca7daccb5593fa04fc3a752e871162ae368e37582ba05
                                                • Instruction Fuzzy Hash: 47F0C834E40719EFCB05DFB5D58969EBBF3EB89211F208966D805D3204E7349AA19B80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6EBF8, Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a651227485e9dd64f5a18fcb9823850e6d6e364c7fea7baa280027cf6cea33a
                                                • Instruction ID: b5c766d081eb46e52d9e981b45bafc9fd6f986ede25b4b55ed1ff728fd2c9bdb
                                                • Opcode Fuzzy Hash: 6a651227485e9dd64f5a18fcb9823850e6d6e364c7fea7baa280027cf6cea33a
                                                • Instruction Fuzzy Hash: 63F0C834E40718EFCB05DFB5D5887AEBBF7EB89211F108966D906D3204D7349AA09A80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66C70, Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fdbedb5ac87152f6d2f09bc4df7e2da48071af3c068011032f8090e147b51688
                                                • Instruction ID: d7120e55432a312caaf273e160773d2c1c8c13088f91b6514fa957d933091467
                                                • Opcode Fuzzy Hash: fdbedb5ac87152f6d2f09bc4df7e2da48071af3c068011032f8090e147b51688
                                                • Instruction Fuzzy Hash: EEF05231604B44ABC310AE2AE8949AABBAEEFCA210B10443EE505C3240EF31C948C6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66BF1, Relevance: .0, Instructions: 35COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 46227561562ca23e5c2bd4122e02e0ad63f9c8ef00ac7e9f97ad1044b35bfe46
                                                • Instruction ID: 3f43c1cecc486f7e0766b27bc1382675405d7ddbde6df501791cc89c3db07ccb
                                                • Opcode Fuzzy Hash: 46227561562ca23e5c2bd4122e02e0ad63f9c8ef00ac7e9f97ad1044b35bfe46
                                                • Instruction Fuzzy Hash: 6DF02B32E00B548FCF05AB78D8141EDB7B5EF85311F01816AD955B7155FF349A18C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C62BB7, Relevance: .0, Instructions: 34COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca81d57ecfd27820a91eee63aac518e967bc7ea9e7033845caf077b3d39b81c7
                                                • Instruction ID: 73882302acc82973730fcdc6cb64ed10d9ff33af6d003a6a9d82b88494d3572c
                                                • Opcode Fuzzy Hash: ca81d57ecfd27820a91eee63aac518e967bc7ea9e7033845caf077b3d39b81c7
                                                • Instruction Fuzzy Hash: 45F02737B042210B87142B2CB8044E973A1EBC5330304526BD5059B391DB2154538780
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C60D66, Relevance: .0, Instructions: 34COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 02df14791d70e637edc2771a8cdc4c41c82cdf1fcb5fd9e8af97052da90f0423
                                                • Instruction ID: 59b8616efabc82d82145b0956d12fe22744518824e3f5a1b6f423d452206848a
                                                • Opcode Fuzzy Hash: 02df14791d70e637edc2771a8cdc4c41c82cdf1fcb5fd9e8af97052da90f0423
                                                • Instruction Fuzzy Hash: EC010035A81108EBDF15CF94C989FEEBBB2BB48305F108154FA01362E0C772A950DF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C62B50, Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cba72d0e32b263a9c7edc4b9e049d2704f021aed7016828079e631c0b22fda21
                                                • Instruction ID: f161bf6d6113b56536e5a4eb2bb36064b9ca2c1e96c66891ce84c153236d23e7
                                                • Opcode Fuzzy Hash: cba72d0e32b263a9c7edc4b9e049d2704f021aed7016828079e631c0b22fda21
                                                • Instruction Fuzzy Hash: 7FF05E35B463189BC718AB75E45856E77A7EBC4325B004C2DE54A87750CF389856CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65588, Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 549d2158c151276f5648e1926ed327880b1f3edb02b5c8bdca9b4e6b498dcc50
                                                • Instruction ID: 624a4ac1407c084e0389334ca4e729fd478d9bc987f56489301156b5ad4295fe
                                                • Opcode Fuzzy Hash: 549d2158c151276f5648e1926ed327880b1f3edb02b5c8bdca9b4e6b498dcc50
                                                • Instruction Fuzzy Hash: 1FF0B432A10B15C7CB10AF6DE404485F7B5FF91321750C63ED54967200FB31A9A9C7D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68F50, Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4608fe57d2e7bec52113d6b1dc424bb9954bd691837c35c3031b77d462b306b6
                                                • Instruction ID: cdf0147310990f55c5678a08f3b4e26274869bdd7d8a710dec579b0f35ef4a8b
                                                • Opcode Fuzzy Hash: 4608fe57d2e7bec52113d6b1dc424bb9954bd691837c35c3031b77d462b306b6
                                                • Instruction Fuzzy Hash: 38F049B1C08258EFCB01CFE4D8446AE7FB1FB49340F00869AE854E7260D3368665EB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65580, Relevance: .0, Instructions: 29COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f63f522e9ca7b1e93881b6dad41d3b4dc986607a3c400516ca240dd3ed45b8b4
                                                • Instruction ID: 819a3083d5e7069f911b59f76da0c6e995ee60797137e650b24a7f2365a55048
                                                • Opcode Fuzzy Hash: f63f522e9ca7b1e93881b6dad41d3b4dc986607a3c400516ca240dd3ed45b8b4
                                                • Instruction Fuzzy Hash: BFF05531604B088BC720AF6CE4084C9B7B6EF81311B50C63EE049A7200FF31E898C7D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69A6F, Relevance: .0, Instructions: 28COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cdb7bc18115cd9008ed4bde915cded234d861067f37d3bcf22327e1304c2b4fb
                                                • Instruction ID: ead58cddd8366f8ecd3ace43d5f95962f6d205d75d860e35b0bbecacd09219c0
                                                • Opcode Fuzzy Hash: cdb7bc18115cd9008ed4bde915cded234d861067f37d3bcf22327e1304c2b4fb
                                                • Instruction Fuzzy Hash: 95E09B32745206DFDB105E65D88CAEBBFE9DF95291F004475E5059B142E7338519C660
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66BA6, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0897277cf00b1429fc7dc03b26008614ee556facec94019a0fe06c00f17abcce
                                                • Instruction ID: 5116c11d7eaa4b19e12edc2c35b0f30397bdccb5bf5e83bdd85e3ed4bda6e346
                                                • Opcode Fuzzy Hash: 0897277cf00b1429fc7dc03b26008614ee556facec94019a0fe06c00f17abcce
                                                • Instruction Fuzzy Hash: 80F0D47291011BDACB11DF85E9859FEB7B8EB54310F208126E515BA140EB386A14ABA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68EA8, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 508979255d1cefb8c066153dfd031d28ae15edfaa6347da43dca987e688b5a7c
                                                • Instruction ID: ce3b3c614e4e5c109751e48b196c999e8ec1e43ff66529ded5d051a2d8b6aea1
                                                • Opcode Fuzzy Hash: 508979255d1cefb8c066153dfd031d28ae15edfaa6347da43dca987e688b5a7c
                                                • Instruction Fuzzy Hash: C5F082749042A49FCB15CFB8D4945EE7FF0EF06314B1446D9D854AB352C7365906CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C62410, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eaea2761c46fc5b9d937f71cdaf770e8f159dacdf06248763895bdbe27abb881
                                                • Instruction ID: 154cd936e2708a90c06f4383bce2301535d4f943e5c112d67dbd3e33e8a4084f
                                                • Opcode Fuzzy Hash: eaea2761c46fc5b9d937f71cdaf770e8f159dacdf06248763895bdbe27abb881
                                                • Instruction Fuzzy Hash: 01E02B39344A808FCB15AF78D4984BD3BA69FD621074844BAD546CB662CB30D802DB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68E58, Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c7949a04e2e7851334c0fb188b78b98aa945b810c6952a416fd09373b11a7bb
                                                • Instruction ID: e8412327e3dfa7732c016d6d9a9e9b1e776b320906a1eb9193a8e1e062a6cebb
                                                • Opcode Fuzzy Hash: 7c7949a04e2e7851334c0fb188b78b98aa945b810c6952a416fd09373b11a7bb
                                                • Instruction Fuzzy Hash: E4F01C749082D49FCB25CFA8D4846ED7FB0FF0A214F5446DAE8559B3A2C7365A42CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C630F0, Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f86e2fafda308cdf34a7d13312d083aea98378f195bd54e3b17037b7ab02e31e
                                                • Instruction ID: 944c5133e2beec35cd6c407a0bdacad34037370d489d9499ac7931ae17f5d0e3
                                                • Opcode Fuzzy Hash: f86e2fafda308cdf34a7d13312d083aea98378f195bd54e3b17037b7ab02e31e
                                                • Instruction Fuzzy Hash: 50E09A312007048BC324AA75D8006DAB2E69BC6728F01882DC51987200CF70A8118BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C63F97, Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13bccaea31c17a0ce4a37ffdad0905befad831220a22c5f9b4e778aa00936e20
                                                • Instruction ID: 4cedc0a682bbeb63186cf1c6553940bab4a6c8f51aafccdc7cf4b18daf86b1e4
                                                • Opcode Fuzzy Hash: 13bccaea31c17a0ce4a37ffdad0905befad831220a22c5f9b4e778aa00936e20
                                                • Instruction Fuzzy Hash: 83E09A307006644FC6255A29E49C6AA3BE5AB89B10B04009AE68287660CBA2A8428F92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C661C8, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca0ddad39da0d451e765aff116c5e9b97851c1316b36c9f027a228149f57f1c2
                                                • Instruction ID: 59116e13751f638a24d3c49bf8414eaa2622d36dd585c444a2d349ff971a9354
                                                • Opcode Fuzzy Hash: ca0ddad39da0d451e765aff116c5e9b97851c1316b36c9f027a228149f57f1c2
                                                • Instruction Fuzzy Hash: 8AF0C976C106199FCB41EFA8D9055DDBBB4FF55311B00CA26DA58B7110FB306299CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C661D0, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fcbae2942e473a22eac2151fd27f100ad5c334d630385d5f881f3d2b48449ad
                                                • Instruction ID: 6a6a49f3c894cef8766da5b4611dc3010255f701a49d50ea6b277b5e702fc91e
                                                • Opcode Fuzzy Hash: 0fcbae2942e473a22eac2151fd27f100ad5c334d630385d5f881f3d2b48449ad
                                                • Instruction Fuzzy Hash: CAE0ED32C106199ACB40FFADDC044DEBBB4FE55311B00C626D658B7110FB306258CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C60EBE, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2797035e1378bc7c8089f5523fca8e2a8a3b04cd958dc5cbed5db352b4d86829
                                                • Instruction ID: 095c2b5d9415af47e3c735ffb9412dd643009b94b1c7440d8d37e1e6886a8eaf
                                                • Opcode Fuzzy Hash: 2797035e1378bc7c8089f5523fca8e2a8a3b04cd958dc5cbed5db352b4d86829
                                                • Instruction Fuzzy Hash: FDE01ABA504218EFDB148F51E8489EF7F68EB89262B10442AF90893240C7355801CBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64E10, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7f6d4dfa94c2a3338d569733f23e4acc21891f8b85873f95e0a1323f39630cd
                                                • Instruction ID: 72d5ca715a82aafa5487e45d49de1850145cc9c5019d97ae3251b7fb955346a0
                                                • Opcode Fuzzy Hash: e7f6d4dfa94c2a3338d569733f23e4acc21891f8b85873f95e0a1323f39630cd
                                                • Instruction Fuzzy Hash: 3AE0D83530D2D08FC739AB3CA8588B57B759E8722531501EEE066C76B2C6218C06CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68F08, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 20aa400a6d29665055c8979d3c04f9dfd43d175271efc751d5e92a4713078efb
                                                • Instruction ID: 09cbe0545974c3ae75a69378cc3310870e9870e4c048d913c68ffafb3425f7b8
                                                • Opcode Fuzzy Hash: 20aa400a6d29665055c8979d3c04f9dfd43d175271efc751d5e92a4713078efb
                                                • Instruction Fuzzy Hash: 9AF0F874C0021DEFCF01DFE8D8446AEBBB5FB48300F008A59E814A3210D3715A60DB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68C98, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ad9e4600d5e03ab2ad9cd24db8127f65ab114e6a437e6090f04c8833661f473
                                                • Instruction ID: 972ac3c0a1190568baf83f9a745bb6f32538663520601462ec68bf1b984d8d8d
                                                • Opcode Fuzzy Hash: 4ad9e4600d5e03ab2ad9cd24db8127f65ab114e6a437e6090f04c8833661f473
                                                • Instruction Fuzzy Hash: B6F0C9B4D01209EFCB40EFE8D9447AEBBF4FB49304F5046A9C419A7344E7751A56CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6636B, Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65aaf6133339a5f61d08f47145136b8d00624c60ef1872984bd18f69cb575e1a
                                                • Instruction ID: a3e1c2af931779a2c038e3965eebed8c89a2aded0c19fb327f0e770fc97d2d0f
                                                • Opcode Fuzzy Hash: 65aaf6133339a5f61d08f47145136b8d00624c60ef1872984bd18f69cb575e1a
                                                • Instruction Fuzzy Hash: 38E01276E001599ECB40EFA89C146DEB7B4EF99311F148566D569E3200E7315615CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66370, Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8477f6b5e4275a9ddce0757f1f8b1a4340b9286ba6eb130a7d4f1af5dec66f55
                                                • Instruction ID: 082955598d0a6d83890f4450d5c6c79e7ec2895fbdc9a5a0936ecc1b2d31212e
                                                • Opcode Fuzzy Hash: 8477f6b5e4275a9ddce0757f1f8b1a4340b9286ba6eb130a7d4f1af5dec66f55
                                                • Instruction Fuzzy Hash: 70E0BF76E002199BCB40EFA9DC04ADFF7B8FF99311F108526DA68E3200E7316655CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68EB8, Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201864cda75d6195598d11ce4ea2c199cce642275a680cd87a57b33865e963e8
                                                • Instruction ID: 11eb56e6bd3fbcdf46a103daff4239f252ce6ffaf518d96dd45c55547d5f9cc6
                                                • Opcode Fuzzy Hash: 201864cda75d6195598d11ce4ea2c199cce642275a680cd87a57b33865e963e8
                                                • Instruction Fuzzy Hash: EAE0C974D00218DFCB44DFE8D5446AEBBF4FB48304F1046AAD818E7310D7719A15CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68E68, Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e927b6440eab14a7d1acfed07070f10fc30007580817b01f21e0fcab8dd8b75c
                                                • Instruction ID: 81180158395cd053a1ae112664d716cbaf4169af3659c57bb934416fd44fd09e
                                                • Opcode Fuzzy Hash: e927b6440eab14a7d1acfed07070f10fc30007580817b01f21e0fcab8dd8b75c
                                                • Instruction Fuzzy Hash: CBE04E74D002189FCB44EFE8D9856AEBBB4FB48304F5046AAD819A7364D7715A51CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65E30, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cae49140f50be76165e50985552364768a8fcb15410fbcb7802bf69ee9dd137d
                                                • Instruction ID: f0d0f208abe65429e1e4ec35fb7e8e709ab86fe564cfa98c018a85183dd19750
                                                • Opcode Fuzzy Hash: cae49140f50be76165e50985552364768a8fcb15410fbcb7802bf69ee9dd137d
                                                • Instruction Fuzzy Hash: 26E0DF3090A2E499CB12C7F8A584AAD7FB0AB43115F6402CAC0A017287C73E0A2AE321
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C63FA0, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 872c52d74ca148768fcfb8d8cb66d7b21e1c4b21b2b1504158ba91099b1d84d9
                                                • Instruction ID: 3ac24519e41fb315aa2b5ff743acec8e17415f48fbc8d1f10b4b6da34f939b78
                                                • Opcode Fuzzy Hash: 872c52d74ca148768fcfb8d8cb66d7b21e1c4b21b2b1504158ba91099b1d84d9
                                                • Instruction Fuzzy Hash: ABE08C307006244FC7259A19D45CB2B33EAAF88B51F00449AFA46C72A0CBA2ED408F83
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C63F51, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76ddf3a804972d38abd1b44641eae081f194d7873570e6f3085ec1d62280143c
                                                • Instruction ID: 5648c1160ceb532549023951ed8d77eb8f2d91f3f81103fed31da53f4c34de34
                                                • Opcode Fuzzy Hash: 76ddf3a804972d38abd1b44641eae081f194d7873570e6f3085ec1d62280143c
                                                • Instruction Fuzzy Hash: B0E0DF349502409FCB14CFB4D488AED7FB0EB02224F5052C5D8A05B3A1C7365803DB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C69537, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13537113a1ad347d0b8c2a8185d0b97509603db86588e365023f1b1721471574
                                                • Instruction ID: f8094b7c6c90a73cd2553768e8551b9134e167cc7a8d29203567e2b00b7918e1
                                                • Opcode Fuzzy Hash: 13537113a1ad347d0b8c2a8185d0b97509603db86588e365023f1b1721471574
                                                • Instruction Fuzzy Hash: 07E0C27A00D1905EC302BF3888F48EA7FA2AE9320C74948E3E1858A033E622C45AE755
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C67970, Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09845f1c977184aeb1a022fd4ed0334fca66edc49f8ab3afe4d80e8e84ea5e2f
                                                • Instruction ID: 2a5aab87a5d1e813cb513260b04bded341482d5af1a54439810ccc87f72c964f
                                                • Opcode Fuzzy Hash: 09845f1c977184aeb1a022fd4ed0334fca66edc49f8ab3afe4d80e8e84ea5e2f
                                                • Instruction Fuzzy Hash: DDE09234A00208AFCB54DFA8E588AADBBB4FB49309F1085E9D818A7354D7359A15CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C63F58, Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b7dae5b966ca271c113a041842f3b149974879e6492fa619660a676beaf45d9
                                                • Instruction ID: 43fe702d5b9bf39a8ab5b96200631584ecb435a5a00573420c22c2e85ec6e0ef
                                                • Opcode Fuzzy Hash: 3b7dae5b966ca271c113a041842f3b149974879e6492fa619660a676beaf45d9
                                                • Instruction Fuzzy Hash: EBE04634E10208AFCB04DFE8E488AADBBB8FB48304F1081E9D808A7320D7319A51CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C653E8, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8917381eea236408f624573b4ec1433ef29fdbd03c2322766437fdc70361c358
                                                • Instruction ID: d483a8b24b4142a5714ed4d3afc0c56aaa711dc86e53501f08d18b993d774f4c
                                                • Opcode Fuzzy Hash: 8917381eea236408f624573b4ec1433ef29fdbd03c2322766437fdc70361c358
                                                • Instruction Fuzzy Hash: 6FE086309452D499C765DBB491541ADBFA0DB43215F7447D9D0E016281C7360A17D710
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C653F0, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d9b05e313fc8b0bc54a432f769131478c330599447081c2b1181555b561d998
                                                • Instruction ID: cea596c43e24c7a9cb06a5468c836a7abc4d1eb9d33a3cc7317b75c156200b92
                                                • Opcode Fuzzy Hash: 1d9b05e313fc8b0bc54a432f769131478c330599447081c2b1181555b561d998
                                                • Instruction Fuzzy Hash: 09E08C30D0521CAACB14EFF4A1042ADBBF4AB81305F6081E9C414A3340D7394A11CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C679B8, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b137bb154c75884937116a6ec9e5ae03cd67270591ff3af5a226cecfc35d7d58
                                                • Instruction ID: 20941a9d0f92f9d5fd34aa8723e555deedd8f69b6cab2686bda189886daea95d
                                                • Opcode Fuzzy Hash: b137bb154c75884937116a6ec9e5ae03cd67270591ff3af5a226cecfc35d7d58
                                                • Instruction Fuzzy Hash: F1E0EC74C042089FCB40EFF8A5093AEBBF8FB04305F005AAAD818E3240E7700654CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6796B, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52aa3ad62d03be0997988ce2aad36aa142a0d4370dbddbf467693ec55b89b4b5
                                                • Instruction ID: 333c2a2139f4ff7b417b4df827b800fb8105cf3bc6adce1aef1d6b77f53687b2
                                                • Opcode Fuzzy Hash: 52aa3ad62d03be0997988ce2aad36aa142a0d4370dbddbf467693ec55b89b4b5
                                                • Instruction Fuzzy Hash: 57E04F306442849FC714CFB8D594AEDBFB0FB46219B2406D9D5945B3A2C7329906DB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64383, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a25f4d9ecec883abf1b9ba679dcc8ae7f822b1cdaacb036e09b9a62ab1c896ce
                                                • Instruction ID: 380e08d125888a891933aab78d5b97d511e807b236c0ac3bd9dee28e85aa1d2a
                                                • Opcode Fuzzy Hash: a25f4d9ecec883abf1b9ba679dcc8ae7f822b1cdaacb036e09b9a62ab1c896ce
                                                • Instruction Fuzzy Hash: 59D0C23094519499CB25D6F4E5846FD7FA09B42215F2803EAD494172C1C7360A16E601
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64388, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4117fca97f71759c2d7bff86350965b1e21f1719664e1b25d6482884038d953d
                                                • Instruction ID: d475c9a9d5a435a34ad70ee6861e38a72e4a179abee39b249d2ead49b010aefb
                                                • Opcode Fuzzy Hash: 4117fca97f71759c2d7bff86350965b1e21f1719664e1b25d6482884038d953d
                                                • Instruction Fuzzy Hash: DDD01270D05218AACB14EFF4A5486ADBBF4AB45305F1481B98848A3344D7354A50DB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C679B3, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74258fc94f7974e2e2c49f0f6eee0bad08020889fa5de8ac9a3377457db77ebe
                                                • Instruction ID: d305f26b0ef1baa19d71871c4b7081ebfd836fb0a086502a369773fde0b691b7
                                                • Opcode Fuzzy Hash: 74258fc94f7974e2e2c49f0f6eee0bad08020889fa5de8ac9a3377457db77ebe
                                                • Instruction Fuzzy Hash: 06E086748082854ACF168FE8E5493AEBFF0EB02329F14079ADC5466286C7350551C745
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65E40, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 80a4a2451a70cdab0e6a19177425dcd7df9376ee4a5551b759d91a419cd054fb
                                                • Instruction ID: 214334609fc4ef60171c34b8158ef608ef0d983d46098f75fe6c89eaf9381ff5
                                                • Opcode Fuzzy Hash: 80a4a2451a70cdab0e6a19177425dcd7df9376ee4a5551b759d91a419cd054fb
                                                • Instruction Fuzzy Hash: 53D01270D0525CAACB54EFF4A5442ADBBF4AB85204F5085A98464A3345D7390A15DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65528, Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51c9f274d847afa7f323a1a3bfec8075ebdd670ecbfa5ba4df7a3df94e2888e2
                                                • Instruction ID: b5ea31e2100e1b58aacda3dfd0ec388bac8e729aafa35b5d562d58c1a8256a33
                                                • Opcode Fuzzy Hash: 51c9f274d847afa7f323a1a3bfec8075ebdd670ecbfa5ba4df7a3df94e2888e2
                                                • Instruction Fuzzy Hash: ABD05E70811208EFC714EFF4A44939DBBB8AB01205FA005ADC80597244E7324AA5C781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66088, Relevance: .0, Instructions: 15COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 646aebb0b79d6bdb60c675eedf86150d2538562c7087b420496906b5ec48f92c
                                                • Instruction ID: d6f05aba14daa02fb1db55776abc365c35668576ae776c7a82146d3c7cea45ab
                                                • Opcode Fuzzy Hash: 646aebb0b79d6bdb60c675eedf86150d2538562c7087b420496906b5ec48f92c
                                                • Instruction Fuzzy Hash: 6ED0A73081120CAFCB10EFF4E4443DD7BB8AB00204F6001B9C80593244EB310A65C786
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6EF5A, Relevance: .0, Instructions: 15COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b60ec93a7b57bb2f2c76210035dec02be6e3448f72519ec37658741b986d3042
                                                • Instruction ID: c24bc61e0423c5504415dd212c73e80344997d7886fb7a81b0853d6f30e1ed77
                                                • Opcode Fuzzy Hash: b60ec93a7b57bb2f2c76210035dec02be6e3448f72519ec37658741b986d3042
                                                • Instruction Fuzzy Hash: ACE09270E45229CFDB94DF65DC84F9CB7B2FB88205F419AAAD409A7260DB305E81CF21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65523, Relevance: .0, Instructions: 15COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aa7d3e4feb905a2de6cc42b7a68300f6048570fdc0cd10f6b5c8a4f1214635cd
                                                • Instruction ID: 46e4778c45dd2f8c93f293f80c7611ca880aad0ff2ead2519a5de2c1f411ef38
                                                • Opcode Fuzzy Hash: aa7d3e4feb905a2de6cc42b7a68300f6048570fdc0cd10f6b5c8a4f1214635cd
                                                • Instruction Fuzzy Hash: F2D0127010529595C7769AB890957E97F51DB43129F9407DDC4D10A186CB361453C346
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66080, Relevance: .0, Instructions: 14COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e00ab5aab24a2848c67a2bd7170f6fe5dc999031c0e877f7c9aee7b82c0b6ad
                                                • Instruction ID: d5c27efbe6307d3d17b78ba9ce09f5ada3c4737e730e8de360525936ae9f79bf
                                                • Opcode Fuzzy Hash: 7e00ab5aab24a2848c67a2bd7170f6fe5dc999031c0e877f7c9aee7b82c0b6ad
                                                • Instruction Fuzzy Hash: A8D02E3000028652CB35C7ACE4893EA7F40AB03328F2403CAC8660A1C3CB2A08A7C38B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C68C70, Relevance: .0, Instructions: 14COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0c25bf0304e8cf0aca7e90b843e737bc78bf0cc9cafc12f9a4b038cc4c61da3
                                                • Instruction ID: 1a9ade7d68e13159d81b90cf19c57a82d4e42b46ac7050d3a43c0829f1b4c911
                                                • Opcode Fuzzy Hash: f0c25bf0304e8cf0aca7e90b843e737bc78bf0cc9cafc12f9a4b038cc4c61da3
                                                • Instruction Fuzzy Hash: 25D012F01082218BD3586F5094927AAB7E0EB0A301F2044AEE0CA8B380EB788086A725
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66193, Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bddd172d64acf8b76aac9e6d6c18b42edbf594e7c96f4eb93139efd606865dee
                                                • Instruction ID: 030b9e0e121256ec8a0e3e56404575af7d5f7bd51b18daa42bcafd119ab45ba7
                                                • Opcode Fuzzy Hash: bddd172d64acf8b76aac9e6d6c18b42edbf594e7c96f4eb93139efd606865dee
                                                • Instruction Fuzzy Hash: 97D02231100900CFC300EF2CEA0285937B0FF4531471A05AAF049EF732E731E8088B00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C65ED0, Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b83b50c904952371016a85aa99cf94dfd705b6a35f88feacc8fc3f0293d5407
                                                • Instruction ID: bfa322f4f402fe799c4064e6366426ee0356fbc8696db3a56b12ea635fa3e8fb
                                                • Opcode Fuzzy Hash: 8b83b50c904952371016a85aa99cf94dfd705b6a35f88feacc8fc3f0293d5407
                                                • Instruction Fuzzy Hash: 12D0A9B2CA47008EE350FB748806BAE3BF0FB02205B40013BC486C2011FA2802ACEB12
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C66198, Relevance: .0, Instructions: 12COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c20e8247f5fbf42779935f6937f5d12f4334a8b16e318c9cde476d4d8b1a8bf
                                                • Instruction ID: 98bd15fcf0de639c5f50b574376b73f64777af36af52e62363327a924d46d7ea
                                                • Opcode Fuzzy Hash: 4c20e8247f5fbf42779935f6937f5d12f4334a8b16e318c9cde476d4d8b1a8bf
                                                • Instruction Fuzzy Hash: 3ED01231510B04CFC700EF6CD84585477B8FF45604B450595E1059B331FB21F9548B41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64E9B, Relevance: .0, Instructions: 8COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b37d008c5f87b88772a9cf4f5d3390b8c5269cf9cfc5f78882dd968f37761050
                                                • Instruction ID: 4c6efa81a0f0518f5dc5e1c74dfc4a79d83506e50eaa8f616a2b4e21bc3cd2ab
                                                • Opcode Fuzzy Hash: b37d008c5f87b88772a9cf4f5d3390b8c5269cf9cfc5f78882dd968f37761050
                                                • Instruction Fuzzy Hash: 24C04C755545408FC7608FA8D5C9961B7A19F966253154095F5058B637C331D951C604
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C64EA0, Relevance: .0, Instructions: 8COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
                                                • Instruction ID: 7df92ea0fb284714e324d49ebc714b23e44657096c8cf37ea5e3fc949f46cc50
                                                • Opcode Fuzzy Hash: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
                                                • Instruction Fuzzy Hash: D4C09239140208EFC740DF5AD848C45BBA8EF1977074180A1FA098B732C732EC60DA94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C62433, Relevance: .0, Instructions: 8COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d5e4bda17483dc297a0f387c5a856b2e01b5e4cff4b4b78b601b833e5ecd9ce
                                                • Instruction ID: 62df27ccbcbd310c108f2800f87d62ca3e17c81430bf17f01938f1405417349d
                                                • Opcode Fuzzy Hash: 8d5e4bda17483dc297a0f387c5a856b2e01b5e4cff4b4b78b601b833e5ecd9ce
                                                • Instruction Fuzzy Hash: 58C0922114D6CA0FD71367B098721CA3FB49C93010BCD04DAC8C28F4A3D108A50B939E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02C6DA20, Relevance: .0, Instructions: 7COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.318248569.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7fe927fd353817262cdcfd579172a55b978a48dc27dd049b20d74ecf5a43a79b
                                                • Instruction ID: e84295fc3213cbf139eff07dfaf9e4b50cb326aeee2137a03f0161bd75f2e29f
                                                • Opcode Fuzzy Hash: 7fe927fd353817262cdcfd579172a55b978a48dc27dd049b20d74ecf5a43a79b
                                                • Instruction Fuzzy Hash: 40C092FA000209BFC70AEF40C958C86BBE7BF69300B808892E1840B030CB328438EF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Analysis Process: dhcpmon.exe PID: 5032 Parent PID: 3388 dhcpmon.exeCOMMON

                                                Executed Functions

                                                Function 054585D0, Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: ^9sV$v".$v".
                                                • API String ID: 0-4269212391
                                                • Opcode ID: dffaa32234c12b382b8d6dadf0b67978216aaa66fdd8177e9c803db74a6e1713
                                                • Instruction ID: b6d74ae0f4285f9381914bb02f5d751308eb73b747b4b1c9f546be5b81d8b355
                                                • Opcode Fuzzy Hash: dffaa32234c12b382b8d6dadf0b67978216aaa66fdd8177e9c803db74a6e1713
                                                • Instruction Fuzzy Hash: 8D61D074E00219CFCB08CFEAD9845EEBBF2BB89310F20852AD415B7359EB3499068F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054585E0, Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: ^9sV$v".$v".
                                                • API String ID: 0-4269212391
                                                • Opcode ID: d7aca913faa959bb1b8c1a82cc56cb932e8fd7444900c468e66106cce4bdf1d9
                                                • Instruction ID: 3cf79f3c658e40ce1d93aa7e5824dbf365e5f73180a1d4eddaad945dac22453f
                                                • Opcode Fuzzy Hash: d7aca913faa959bb1b8c1a82cc56cb932e8fd7444900c468e66106cce4bdf1d9
                                                • Instruction Fuzzy Hash: 2161C074E04219DFCB08CFEAD9849EEFBF2BB89350F20852AD415B7255EB3499068F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459C80, Relevance: 3.3, Instructions: 3315COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09e83e89e4d6aa7af82aea8cf73dda19532a3eaeea12eb7f68ba0dc53c4911dc
                                                • Instruction ID: 374675dd1db414db2323f7bbd15ed20cebd611a227b03f86304b431de567d2b8
                                                • Opcode Fuzzy Hash: 09e83e89e4d6aa7af82aea8cf73dda19532a3eaeea12eb7f68ba0dc53c4911dc
                                                • Instruction Fuzzy Hash: BE731D34A04219CFCB64DF69C888ADDB7B2BF49315F158599E90AAB361DB30ED81CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545F831, Relevance: .2, Instructions: 233COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e021d088f1a723630c280231ed39eb62b9f09bdf9f5b11e895c4c86c39e4fbcb
                                                • Instruction ID: 9318c43de200827572b52da048cba70d14bc986122265d33bbc86cc2a9c0b67a
                                                • Opcode Fuzzy Hash: e021d088f1a723630c280231ed39eb62b9f09bdf9f5b11e895c4c86c39e4fbcb
                                                • Instruction Fuzzy Hash: 319149B5E102089FDB08CFA5C8956EDFBB2FF89310F54812AD815AB355D730990ACF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457E90, Relevance: .2, Instructions: 220COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9cd411a8a22e38fa783ad1e5d2e2f4dcea8f5be10d572798c3ed01bd89b37d1f
                                                • Instruction ID: ec5b2e3bdc517a51719963dea136269b41481782da7851097f26b71d3854a3cf
                                                • Opcode Fuzzy Hash: 9cd411a8a22e38fa783ad1e5d2e2f4dcea8f5be10d572798c3ed01bd89b37d1f
                                                • Instruction Fuzzy Hash: 93A1D975E042189FDB64DFAAD950B9DFBB2FF89200F10C1AAD509A7354DB345A828F21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457F31, Relevance: .2, Instructions: 203COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eff22786cf8f7c371a0face35bc7da47ff98941db03fd37c288c897d2663814e
                                                • Instruction ID: e72117a318856f2a41dcb03c527bf9dece0bc2e5147656bfcee0ca82cd3bb322
                                                • Opcode Fuzzy Hash: eff22786cf8f7c371a0face35bc7da47ff98941db03fd37c288c897d2663814e
                                                • Instruction Fuzzy Hash: 92A1D874E042189FDB64DFA9D950B9DFBB2FF89200F1081AAD509A7355DB349E828F11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545F8A8, Relevance: .2, Instructions: 189COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4c4e8ae0e53bdb5ddafad69889e6d9a05c269350a6515b0d28afdc40fdc0d65
                                                • Instruction ID: af537c65dd943ced9b6cf953b6b1e9d583dd6c1e38c141d3e24bf38cc59ee997
                                                • Opcode Fuzzy Hash: f4c4e8ae0e53bdb5ddafad69889e6d9a05c269350a6515b0d28afdc40fdc0d65
                                                • Instruction Fuzzy Hash: 9981C1B4E102199FDB08CFE9C994AEEFBB2BF89310F10812AD919AB354D7309905CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457F9A, Relevance: .2, Instructions: 186COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2706ba60c87476b9450c7f3e6ff5423ea63d3a162dcecfe6645fdb383d31a51
                                                • Instruction ID: b0bf4a121e1ee22ce7b696d1dd82dde2ede277d26d6ccb5b0042d59b856032db
                                                • Opcode Fuzzy Hash: d2706ba60c87476b9450c7f3e6ff5423ea63d3a162dcecfe6645fdb383d31a51
                                                • Instruction Fuzzy Hash: 3091D574E052189FDB64DFA9D950B9DFBB2FF89200F10C1AAD509A7354DB349E818F21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545D768, Relevance: .2, Instructions: 152COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90f71c1162a03f8d861129b03c466ef376a4a4fbb207167674ee5af5bc270d13
                                                • Instruction ID: 94d2719357c5626cb304f85f6b312d3585d2d6c4f9b7f0593bf479ae66344e1e
                                                • Opcode Fuzzy Hash: 90f71c1162a03f8d861129b03c466ef376a4a4fbb207167674ee5af5bc270d13
                                                • Instruction Fuzzy Hash: F351B274E012089FDB08DFAAD955ADEBBF2FF89310F54802AE419AB354DB349945CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054A4DB8, Relevance: 1.6, APIs: 1, Instructions: 146processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 054AC21B
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 2ae2ab644c22c88a938fcf91b3fc0bb2594f9987e6dc2c179214613f30a57cf9
                                                • Instruction ID: 20548d9c5010a67646cb4c5af50704a1bdf9d8ee65602285f894f78a899bd313
                                                • Opcode Fuzzy Hash: 2ae2ab644c22c88a938fcf91b3fc0bb2594f9987e6dc2c179214613f30a57cf9
                                                • Instruction Fuzzy Hash: 13511872D00318DFDB64CF95C880BDEBBB1BF98314F15809AE908A7250DB715A89CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC0C1, Relevance: 1.6, APIs: 1, Instructions: 145processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 054AC21B
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: a11961433874b52ca6162e1c3c3ca00046d25efb33d955a2701a7e0770bc92ca
                                                • Instruction ID: 71993eb09b9dc08b9e3e2f16d7e8a5f338a7cffb1285b5003405d076c4f87aa2
                                                • Opcode Fuzzy Hash: a11961433874b52ca6162e1c3c3ca00046d25efb33d955a2701a7e0770bc92ca
                                                • Instruction Fuzzy Hash: 32512872D00318DFDB64CF95C880BDEBBB1BF98314F15809AE908A7210DB715A89CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054A4E64, Relevance: 1.6, APIs: 1, Instructions: 75windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 054AD1B5
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 44e930fab21518bf91b82008565790324b8b840f527b102070e772c13a285fb8
                                                • Instruction ID: dc383e1baecbc87fb901c85ad0a3efe5f941cfb937faa5953232e17bc4a6dad5
                                                • Opcode Fuzzy Hash: 44e930fab21518bf91b82008565790324b8b840f527b102070e772c13a285fb8
                                                • Instruction Fuzzy Hash: F7219CB28083888FDB51DF98C889BDFBFF4EF59224F15449AD485AB241D3789544CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05428759, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                Download Yara Rule
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05428745,?,?), ref: 054287F7
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342787304.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: c6142901103719db89480c7c904bd6849d72ddd78afa143bdb61ffa68ac12f25
                                                • Instruction ID: 9260bd90f7eedcaeae2a9b4606711fb74449a14f5dc87ee95e3e62a0a49fd6ad
                                                • Opcode Fuzzy Hash: c6142901103719db89480c7c904bd6849d72ddd78afa143bdb61ffa68ac12f25
                                                • Instruction Fuzzy Hash: F431C0B59003199FDB10CF9AD884ADEBBF4FB98324F64842AE915A7310D774A945CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054277AC, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                Download Yara Rule
                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05428745,?,?), ref: 054287F7
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342787304.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: 186890ab67633d7f9c628723904501e03a37e4994013e7d7d4ef4ef54094977d
                                                • Instruction ID: 0b10d05c8153b80ee12944d83fb8185bdc561f3d0a97f56e74ec958f9bdb717e
                                                • Opcode Fuzzy Hash: 186890ab67633d7f9c628723904501e03a37e4994013e7d7d4ef4ef54094977d
                                                • Instruction Fuzzy Hash: 6631E0B59043199FCB10CF9AD884ADEBBF5FB98324F64842AE915A7310D374A944CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC668, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON
                                                Download Yara Rule
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054AC6FD
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 016427a0b0e809d53a97df5ff8133c7f96dba974ef091f5b3889a950f2d1f017
                                                • Instruction ID: 46d18d493741403e9de5a65acee18f2a56119e02ada58db3474db8d0f325e5d7
                                                • Opcode Fuzzy Hash: 016427a0b0e809d53a97df5ff8133c7f96dba974ef091f5b3889a950f2d1f017
                                                • Instruction Fuzzy Hash: 692116B6900249DFCB50CF99D985BDEBBF4FB48314F10842AE518A3350D774A954CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC670, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON
                                                Download Yara Rule
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054AC6FD
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 50c3a3d13a2b6ce86fd1af9759d46ef75b963e4e2831b3fb646f8d07721ba30b
                                                • Instruction ID: fa2b876945b465e05f154c7638e1e23efed5c37d4f4e2a81003746d549154286
                                                • Opcode Fuzzy Hash: 50c3a3d13a2b6ce86fd1af9759d46ef75b963e4e2831b3fb646f8d07721ba30b
                                                • Instruction Fuzzy Hash: 022128B1900249DFCB50CF9AC884BDEBBF4FB48314F10842AE918A3350D774A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC4F0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 054AC577
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: de2aff48c9c361d8a5f07a83c9679ea1239b0013cc09bfc9a55dac3c51a1afc7
                                                • Instruction ID: cb1c410d10268587c20c8ac8403b6c9af131e89312b609f5c1a25c5810939180
                                                • Opcode Fuzzy Hash: de2aff48c9c361d8a5f07a83c9679ea1239b0013cc09bfc9a55dac3c51a1afc7
                                                • Instruction Fuzzy Hash: 4821E7B6900659DFCB10CF9AD884BDEBBF4FB48314F50842AE518A7350D374A554CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC430, Relevance: 1.6, APIs: 1, Instructions: 61threadinjectionCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 054AC4AF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 5eee1fcc2db379ae1c6f607c2bfe76d93e57206d54be724dee3dbb69589b900a
                                                • Instruction ID: e3b821de018f424fb21078a4f2d3afbd05703f93ca9046927842826ef8c10ccb
                                                • Opcode Fuzzy Hash: 5eee1fcc2db379ae1c6f607c2bfe76d93e57206d54be724dee3dbb69589b900a
                                                • Instruction Fuzzy Hash: 3D213EB1D006199FCB40CF9AC8857EEFBF4FB48214F14812AE418E3340D774A9448FA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC4F8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 054AC577
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: e87e2622ea284e1095a7f373fa65417d0a0e5cacaa4c3ea17d6a2822e0601a43
                                                • Instruction ID: 7619d4732ae974320f7c05c3f4a2a0bafe7c92f58d537828fa8320349caf2274
                                                • Opcode Fuzzy Hash: e87e2622ea284e1095a7f373fa65417d0a0e5cacaa4c3ea17d6a2822e0601a43
                                                • Instruction Fuzzy Hash: 7621E4B5900259DFCB10CF9AD884BDEBBF4FB48324F10842AE918A7250D374A954CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC438, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 054AC4AF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 6039218be5edb57aa70252030f8c0d222ca740b679d2dbba13ae26d40c70a911
                                                • Instruction ID: e2f98b80803bd5d86ab607e3d911966e23648494a3c8978e2d4640803a70fd70
                                                • Opcode Fuzzy Hash: 6039218be5edb57aa70252030f8c0d222ca740b679d2dbba13ae26d40c70a911
                                                • Instruction Fuzzy Hash: F22117B1D046199FCB50CFAAC8857EEFBF4BB48224F14816AE418A3340D778A954CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC5C0, Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054AC633
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 6dfa3676ea9380fe85ef036d8745bcdd2bfb2f637412edf6d97cc464ad5c78d9
                                                • Instruction ID: 4965bdf9e5d1aaddce4de89fcd977a987cb4ae6521b4dd585a4556eb655ea30b
                                                • Opcode Fuzzy Hash: 6dfa3676ea9380fe85ef036d8745bcdd2bfb2f637412edf6d97cc464ad5c78d9
                                                • Instruction Fuzzy Hash: 4E1119B68002489FCB50CF9AC984BDFBBF4FB48324F20841AE518A7310C375A554CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC5C8, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054AC633
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: ea9f671e5c98f4ea0c1e42d67554a4003abbd3d5894062bbdd22cc5f0093da22
                                                • Instruction ID: b8b86cd8a3664f8b40442f9a6b273eeb0a063a1ea85e1535ab0179fc2f8e41a9
                                                • Opcode Fuzzy Hash: ea9f671e5c98f4ea0c1e42d67554a4003abbd3d5894062bbdd22cc5f0093da22
                                                • Instruction Fuzzy Hash: 121116B58002489FCB10CF9AC984BDFBBF4FB88324F208419E518A7210C335A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054A4EA8, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 054AD1B5
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 1a134bf770c141d0946aad310d038884c79e2596a7f572406362478343b00da6
                                                • Instruction ID: 01f8bf53bd2ba55150b9aa98751ad712df26237787a104bde53e2e026790c111
                                                • Opcode Fuzzy Hash: 1a134bf770c141d0946aad310d038884c79e2596a7f572406362478343b00da6
                                                • Instruction Fuzzy Hash: 0F1106B58003489FCB10DF9AC988BDEBBF8FB58324F10845AE515A7700C374A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC821, Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: f38c2d676b4d903d8baa5f92d0ed23ff94bf8bccdd314d138274fa3948571347
                                                • Instruction ID: 433f83e5712029e53abd632ee78bf74d75914c9f46eec32b380ba27698be3dc0
                                                • Opcode Fuzzy Hash: f38c2d676b4d903d8baa5f92d0ed23ff94bf8bccdd314d138274fa3948571347
                                                • Instruction Fuzzy Hash: F81103B18002088FCB50DF9AD884BDFBBF4EB59224F24845AE519A7340C774A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AD151, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 054AD1B5
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 318c5429f0f9e0d41cf4fecab242c460c3e9b8bee589b59f996d57b76aeaba1c
                                                • Instruction ID: febc6247ecd3700f1fd8256ef71917cb10bc7375c5075d2b09147bbec017c4de
                                                • Opcode Fuzzy Hash: 318c5429f0f9e0d41cf4fecab242c460c3e9b8bee589b59f996d57b76aeaba1c
                                                • Instruction Fuzzy Hash: 7D1103B58002089FDB10CF99D989BDEBBF8FB58324F24844AE815A3700C374A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054AC828, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.343284212.00000000054A0000.00000040.00000001.sdmp, Offset: 054A0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 8c54a620e03b398b8c8d67b0b6ca83f9eb59c165711e62255d115c6d39bed1ab
                                                • Instruction ID: 4fcd90f084431af222ea35b28681f7659214111d3d56bda3118dcc06f5104807
                                                • Opcode Fuzzy Hash: 8c54a620e03b398b8c8d67b0b6ca83f9eb59c165711e62255d115c6d39bed1ab
                                                • Instruction Fuzzy Hash: A11112B18002088FCB10DF9AD884BDEBBF8FB48324F20845AE519A7300C774A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458089, Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: }`e
                                                • API String ID: 0-793969669
                                                • Opcode ID: 0810c884bf55d2cddfcea2164d9f5588fb583dbb1ee625af407c5e0acfd35197
                                                • Instruction ID: 166666b8df27e895067f38aedf4370bbc5820b6994541afaa9a05ae41daa8696
                                                • Opcode Fuzzy Hash: 0810c884bf55d2cddfcea2164d9f5588fb583dbb1ee625af407c5e0acfd35197
                                                • Instruction Fuzzy Hash: 8DF09274E053089F8F55DFA9D48059DBBB2EF89350F20812AE409EB355E6349942CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05451408, Relevance: .5, Instructions: 470COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e48c0ea9f7cf680dee9d4f59e38ba0f227d60677cbd39e3adf3e786c759d0f93
                                                • Instruction ID: 32c08c1b5d36728b93fad66a5b6706469a4afdf31631410293f3fbc2bf3739e3
                                                • Opcode Fuzzy Hash: e48c0ea9f7cf680dee9d4f59e38ba0f227d60677cbd39e3adf3e786c759d0f93
                                                • Instruction Fuzzy Hash: 0EE18130B00201478B55BF7948E026E92939FD56243C5E97E9E8AEF757DFB4DC098BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05451418, Relevance: .5, Instructions: 464COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff180e823e30d47abf8263adf5217e97e82819fffb4e69da3433a15150cbc6e8
                                                • Instruction ID: f9db1c2b988afd2e11bf60c2be9e41f653993d13b663d5bffb697795eb59396b
                                                • Opcode Fuzzy Hash: ff180e823e30d47abf8263adf5217e97e82819fffb4e69da3433a15150cbc6e8
                                                • Instruction Fuzzy Hash: B6E17130B00601478B55BF7948E026E92939FD56243C5E97E9E8ADF757DFB4DC088BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456478, Relevance: .3, Instructions: 332COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b909da669126512f142ae5ed44a74c408e2f412a88cabd2822c2447ec1a5ea2
                                                • Instruction ID: 45fb6bee6fe504a32b2a9a0ccda1287246df7d73f03eb45de4d7707716b42c62
                                                • Opcode Fuzzy Hash: 7b909da669126512f142ae5ed44a74c408e2f412a88cabd2822c2447ec1a5ea2
                                                • Instruction Fuzzy Hash: C8F1E975D1061ACBCF10DFA8C854AEDB7B5FF48310F11869AD949B7215EB30AA89CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456468, Relevance: .3, Instructions: 305COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36eaa2d15ed734796309f03ca99c6db93d41a0d4037eed9bfcb1b5df58dada80
                                                • Instruction ID: 5f288e46ab172f7cb916ae1f3808b84a1aa8ca02265fd37e83788dd591f6fc8b
                                                • Opcode Fuzzy Hash: 36eaa2d15ed734796309f03ca99c6db93d41a0d4037eed9bfcb1b5df58dada80
                                                • Instruction Fuzzy Hash: DDE1FA75D1061ACBCF10DFA8C8546EDB7B5FF48310F1186AAD849B7215EB30AA89CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456C80, Relevance: .3, Instructions: 300COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ee3e678c7f7050cc3445492ae870e2fa30e8398066a535d666abfe0912dc5eb
                                                • Instruction ID: 9ba6eebae1e7d3c760848ddb078eb7de241456db40f1c50341838a0e9ece688a
                                                • Opcode Fuzzy Hash: 6ee3e678c7f7050cc3445492ae870e2fa30e8398066a535d666abfe0912dc5eb
                                                • Instruction Fuzzy Hash: E9C15E31E14218CFCB14DFA8C854AEDB7B2BF85315F5581AAD806BB351EB30AD85CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459574, Relevance: .3, Instructions: 251COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f59b71ba283a980169b7689581bccdf53076719f0489c37396cd4d5717db5be4
                                                • Instruction ID: cb5e87a7964215498304cee598007bf66d6f51e70a2b24a690d123317e3e9902
                                                • Opcode Fuzzy Hash: f59b71ba283a980169b7689581bccdf53076719f0489c37396cd4d5717db5be4
                                                • Instruction Fuzzy Hash: 62A13735E012199FCF15DFA5C884BEEB7B2FF89310F1084A9D809A7251DB35AA46CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545FB40, Relevance: .2, Instructions: 244COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7baf50cc4e4109d62b1fb0fe6a11cef224903e73bdbe63dd51931f67ea119c5
                                                • Instruction ID: 29bac4f8d10cee2df92777ab27b0966ca981cd95271f634bdae8e4f29f873521
                                                • Opcode Fuzzy Hash: f7baf50cc4e4109d62b1fb0fe6a11cef224903e73bdbe63dd51931f67ea119c5
                                                • Instruction Fuzzy Hash: 4EB11C74E1020ADFCB44DFA4D880ADEBBB2FF89300F50891AD515AB354DB30A946CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054546C0, Relevance: .2, Instructions: 231COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ffbe12e1c95703b87cba0edadd94df97dde7cc18ab98eabc15fae202a62a3afd
                                                • Instruction ID: 51c0747d8987cfc4018c76e97f60d27ac975a7b34a90cc894c6146dcceef6d76
                                                • Opcode Fuzzy Hash: ffbe12e1c95703b87cba0edadd94df97dde7cc18ab98eabc15fae202a62a3afd
                                                • Instruction Fuzzy Hash: 00915035A002099FCB05DFA8C8809EEB7F6FF89314B14806AE905EB351E735DD56CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054508E0, Relevance: .2, Instructions: 192COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d0505458f4d7df17ba53c6df4e22fb4a29cfe1430db1afe7c3efb8439d63283
                                                • Instruction ID: d1eefa50097a700d2341ccde325135ed6d3021a4d73c6bacbe4b51973e5ecba2
                                                • Opcode Fuzzy Hash: 2d0505458f4d7df17ba53c6df4e22fb4a29cfe1430db1afe7c3efb8439d63283
                                                • Instruction Fuzzy Hash: AD91E93591061ACFCB10EFA8C884A99F7B5FF89310F11C6D9E5497B225EB30AA85CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459A80, Relevance: .2, Instructions: 181COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbb69e7d155b5529fee27e643f97ab554969cd41653f4b6743318a36ab43a6df
                                                • Instruction ID: bc560cac680c8c639ac506d1432393fc722c92dcd6fee2e84cdf7b4ac59c5474
                                                • Opcode Fuzzy Hash: cbb69e7d155b5529fee27e643f97ab554969cd41653f4b6743318a36ab43a6df
                                                • Instruction Fuzzy Hash: D851CF31B08206CFDB28CF69C988AAF77F2BF85264F0544AAD905DB356DB30E841C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459658, Relevance: .2, Instructions: 176COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 371747b0df4a0d9caee5674199941b471c36bbaff9efcc311380737d9d741a4a
                                                • Instruction ID: becf91f72d83bcad96fe9e27aa1b884dcd2a8278bae3119df49a6a0a0ad1471c
                                                • Opcode Fuzzy Hash: 371747b0df4a0d9caee5674199941b471c36bbaff9efcc311380737d9d741a4a
                                                • Instruction Fuzzy Hash: FC615B35B14118DFCB18DF68D455AEEBBB6BF88620F14446AE902AB361DB31DC41CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454EC8, Relevance: .2, Instructions: 174COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9adfa0a0bfa43f29331d5a173ee4ca37012eba93a4c6ad065d4e6eee02877a33
                                                • Instruction ID: cad377d24380d1559cdcc4733b1cfe7243313cb54f752a77eb1380df658e3c56
                                                • Opcode Fuzzy Hash: 9adfa0a0bfa43f29331d5a173ee4ca37012eba93a4c6ad065d4e6eee02877a33
                                                • Instruction Fuzzy Hash: 855197357041149FCB05DB29D8948BE77A6FF8972472581AAF91ACF3A2CB35DC42CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450BB1, Relevance: .2, Instructions: 153COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7af503b54c79578bd9e4cdbbb3af8d5d0613b3cc94eb5a3b0280e4caf26e0711
                                                • Instruction ID: d4157cd809303c554650a67c3eac6b1ad65dbe9ea1677779033721515123f73e
                                                • Opcode Fuzzy Hash: 7af503b54c79578bd9e4cdbbb3af8d5d0613b3cc94eb5a3b0280e4caf26e0711
                                                • Instruction Fuzzy Hash: 7C513039A045099FDB14CF64D989BEEB7B2FF49314F144195E809AB392C731ED51CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450BF0, Relevance: .2, Instructions: 151COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2738718806b7a9133417c48c1388b3edc42ffadda8070e5ed75318129f3ff0d6
                                                • Instruction ID: 250f658d0a1cb704f9cbb8b2539750ef8fcce29828c89c493028694de7c90bb4
                                                • Opcode Fuzzy Hash: 2738718806b7a9133417c48c1388b3edc42ffadda8070e5ed75318129f3ff0d6
                                                • Instruction Fuzzy Hash: B761DA79A006099FDB14DFA4D989BEEB7F2BF48310F108099E909AB365D731AD45CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545DEC0, Relevance: .1, Instructions: 148COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2c96b5e2b6479d0a5657b7022ecf69a8129a1d4a7ed39358b26b826a9de9ef6
                                                • Instruction ID: e7cf245cc284280ed3902a3d8dddf1ab1a30909b93cf7f57a5e5badf60d150c1
                                                • Opcode Fuzzy Hash: b2c96b5e2b6479d0a5657b7022ecf69a8129a1d4a7ed39358b26b826a9de9ef6
                                                • Instruction Fuzzy Hash: 76418075A002149FCB10DFA9C844AEFBBF6EF88264F15842EE905E7345DB349906CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450C00, Relevance: .1, Instructions: 146COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 177d8dd4828a06a928e9525403b2b2f651d3752eaa488711f0771b85d80e92ae
                                                • Instruction ID: 8e1a23889a6b265993c5800a25ae3b03da4e631bdc3654ba59ec53ee5eed55f9
                                                • Opcode Fuzzy Hash: 177d8dd4828a06a928e9525403b2b2f651d3752eaa488711f0771b85d80e92ae
                                                • Instruction Fuzzy Hash: 5A61C979A005099FDB14DFA4D988BEEB7F2BF48710F108099E909AB365D731AD45CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054595A0, Relevance: .1, Instructions: 131COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0ce94f3cb2ef91a05f3837d4eef9b17de8ecf45a1b4ffc8d925b72d27adb051
                                                • Instruction ID: 14bc77e985321986f8bd0543948c3c5f2843d421204380311ddd38a11c8d19b0
                                                • Opcode Fuzzy Hash: d0ce94f3cb2ef91a05f3837d4eef9b17de8ecf45a1b4ffc8d925b72d27adb051
                                                • Instruction Fuzzy Hash: FF415632405248DFCB00EF24D846ADEBBB5FF49314F1840AAE941AB362E730AD55CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459DBF, Relevance: .1, Instructions: 117COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6fde7abd58e397afe50c2f8381ef19e13fa0252a5d97cb649c1fc889501018fe
                                                • Instruction ID: 4ed2332d046a8618f008d894df925b6edfe84a5a73cc7f24b069f58daa8f8c37
                                                • Opcode Fuzzy Hash: 6fde7abd58e397afe50c2f8381ef19e13fa0252a5d97cb649c1fc889501018fe
                                                • Instruction Fuzzy Hash: 3841343560411ADBCB18AF64D845AEEBBA7FF88614F148429F8069B394DF30DC96CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456978, Relevance: .1, Instructions: 112COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca23b9f033f6d2610bdd75550c7306da5f60844e0c48cfc8972b53195e37b266
                                                • Instruction ID: a953ff16c5e29443c445e2f6c22909b7138d301ceaaa818424e525da3920fd42
                                                • Opcode Fuzzy Hash: ca23b9f033f6d2610bdd75550c7306da5f60844e0c48cfc8972b53195e37b266
                                                • Instruction Fuzzy Hash: D8413E75A002099FCB15DF64D844AEEFBB6FB89310F10856AE909E7341EB35AD51CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545620F, Relevance: .1, Instructions: 107COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be4cb5c17acc60ded6099f3bebbb68bce0fe95736498c6b8f6639b3d0a9102bb
                                                • Instruction ID: 166a4726061e2a285f85d4639516f6d7af61f15c30ec3a66a249335c65427342
                                                • Opcode Fuzzy Hash: be4cb5c17acc60ded6099f3bebbb68bce0fe95736498c6b8f6639b3d0a9102bb
                                                • Instruction Fuzzy Hash: A9415375A10609DFCB04EFA8C854CEDFBB5FF89310B058299E515AB321EB70AD45CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054505A8, Relevance: .1, Instructions: 103COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cc660d042ced261a2da59d08fdaffeb595f6b2c054daa0e1d41dd4c322e49d4
                                                • Instruction ID: e99cc6c739411d750fb0903b70800aee55633d664af1aecb4c1e1dcc5e9923e7
                                                • Opcode Fuzzy Hash: 4cc660d042ced261a2da59d08fdaffeb595f6b2c054daa0e1d41dd4c322e49d4
                                                • Instruction Fuzzy Hash: B531E435B106188FCB04EF69C4499AEB7F6EFC9310B15816EE509EB361EB709D41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054546B1, Relevance: .1, Instructions: 98COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab5d2fe08947b9d69a7af7a8457b5dd8dce754cd4320498412633da9d4be4f4f
                                                • Instruction ID: 9373cc79cf2fef37430d357a7f2a0678001265cc33e2f72c300cef341f0712c5
                                                • Opcode Fuzzy Hash: ab5d2fe08947b9d69a7af7a8457b5dd8dce754cd4320498412633da9d4be4f4f
                                                • Instruction Fuzzy Hash: 4C3158356001099FDB05DFA4C984AEEBBF6FF89340F5480A9E905AB362DB35ED05CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456988, Relevance: .1, Instructions: 88COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0a590291854bfa047b5a9408d2c094e2473467c5b8e593b196b702ae008e5dd
                                                • Instruction ID: b362173dd991d23f790c2644700bd6231af6dd1516b0f6ebb0849c04b3a6028a
                                                • Opcode Fuzzy Hash: f0a590291854bfa047b5a9408d2c094e2473467c5b8e593b196b702ae008e5dd
                                                • Instruction Fuzzy Hash: DE314175A0020A9FCB54DFA8D8449AEFBF6FF8D210B10816AE909D7341EB34DD55CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545EB57, Relevance: .1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b86bd698356b78982a2ecc929521f3a679e3eb34b0fab3e01e4e09161343f35
                                                • Instruction ID: 7d57542894ee33aa412332d8fd3f94b8d980ba314832c600118b19c49e87756a
                                                • Opcode Fuzzy Hash: 3b86bd698356b78982a2ecc929521f3a679e3eb34b0fab3e01e4e09161343f35
                                                • Instruction Fuzzy Hash: 422164328183449FD705EF74D8863CA7F72EB46321F2544E7D94ADB242EA34DA628B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054560B8, Relevance: .1, Instructions: 73COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4817061d07471887a63a3e725023187fd0d6ea63e83cf699e1259c4e4ad5081d
                                                • Instruction ID: 6bfcbf0da059ee7c07158700d2448875c1614c18910956d083b40e6317748293
                                                • Opcode Fuzzy Hash: 4817061d07471887a63a3e725023187fd0d6ea63e83cf699e1259c4e4ad5081d
                                                • Instruction Fuzzy Hash: D8214175A042058FCF44EF69CC848EFBBB5FF89210B51456EE806E7352EB30A945CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054560C8, Relevance: .1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84bf0fe81d1073721c675d8525f780262e8fdf687f130775f7a874ed4be7c4c1
                                                • Instruction ID: 290a3b5d20b073ac5101f7f996372dc91d3affdb98f29617cbaf78fb8cf28f7a
                                                • Opcode Fuzzy Hash: 84bf0fe81d1073721c675d8525f780262e8fdf687f130775f7a874ed4be7c4c1
                                                • Instruction Fuzzy Hash: 7F213275E0020A8FCF44EF69C8848EEF7B5FF88200751956DE905B7351EB30A945CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450598, Relevance: .1, Instructions: 67COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7b6bb9fb1701f5acb5e75a0a72dc513b70937aa4cb6ad29948f4aeb679e9bdc
                                                • Instruction ID: 0c9535a2373ed785114284eab071ee3123bd4975283ef7c6520b284d4129f34f
                                                • Opcode Fuzzy Hash: f7b6bb9fb1701f5acb5e75a0a72dc513b70937aa4cb6ad29948f4aeb679e9bdc
                                                • Instruction Fuzzy Hash: 93212F34B106198FCB04EF69C445AAEBBF5FF88314F15819EE505EB361EB709941CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545DB20, Relevance: .1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3746d8a810f43e7e07def1546aaa694f88d1f8336d2d443327d5ec0c58fd9ed3
                                                • Instruction ID: c8d231832aa98cc793eb5c76b0a5459a46e087abd3dcca67d476ab2720c19ef2
                                                • Opcode Fuzzy Hash: 3746d8a810f43e7e07def1546aaa694f88d1f8336d2d443327d5ec0c58fd9ed3
                                                • Instruction Fuzzy Hash: 86118275B006255B9B14EA7A8C84AFFB6FBFFC4160B64452EDC55D7340EE309E0287A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545FEF0, Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e05fc43f00ef9bde40dea940eb6b0b6236ad44b3ab8c9e4815aebca8f6ee23d4
                                                • Instruction ID: 0f65be7d6201af5f3bd1b19a1d036a3bf011fdb318b8decf2dcabc7758fba92d
                                                • Opcode Fuzzy Hash: e05fc43f00ef9bde40dea940eb6b0b6236ad44b3ab8c9e4815aebca8f6ee23d4
                                                • Instruction Fuzzy Hash: 5A214A71A0020A8BCF04EFE4C8516EEBBB2FF89310F658526D501B7344DB746D86CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454608, Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 915c410c2e20c047a8bdc6970165725836507c8e2d4f5a15dec7514597d32a48
                                                • Instruction ID: 9c74bd6c6843066a7918cd37bf3173753d7716a3d30352dce4fc347a5ebea3e5
                                                • Opcode Fuzzy Hash: 915c410c2e20c047a8bdc6970165725836507c8e2d4f5a15dec7514597d32a48
                                                • Instruction Fuzzy Hash: 5811AC343102119BDB04DBA9D845AAFB7FAEFC9704F018469E108DB7A1EB729C0287E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545DA50, Relevance: .1, Instructions: 58COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d21b75aa6f181e9cedce30bee972e5d3277019efd70a6c6d2b10be7d251f02b3
                                                • Instruction ID: a5bac027bc8687c1967f31cad23f2e08ad2221c0916dfa07d61950012ef3c243
                                                • Opcode Fuzzy Hash: d21b75aa6f181e9cedce30bee972e5d3277019efd70a6c6d2b10be7d251f02b3
                                                • Instruction Fuzzy Hash: 65115E71F002098B8B54EBB899105EFB7B3AF84264B50017AC905EB740FF329E15CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545271C, Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 752a0dd72a64e258306ed2fc21c851659b32c625cccfad7058b23297bf024418
                                                • Instruction ID: d095cd46f55cbecf8e5211f0425f5c623882ace3db214abe9e12441b8dd73cdf
                                                • Opcode Fuzzy Hash: 752a0dd72a64e258306ed2fc21c851659b32c625cccfad7058b23297bf024418
                                                • Instruction Fuzzy Hash: 0F01D6363442008FC728A63AD454B7E73A7FFC5665F11447ED106CB7A1CE359C418380
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545273C, Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65f0017d427af17bfde217ccb5bc7dabc5735876fe2949bffd955ed189c69da0
                                                • Instruction ID: a0dad8a4a08c8cd695ce00bf556aeb7bd8da1bedf198a35b2d7e0414bda0c2e6
                                                • Opcode Fuzzy Hash: 65f0017d427af17bfde217ccb5bc7dabc5735876fe2949bffd955ed189c69da0
                                                • Instruction Fuzzy Hash: C2118B303102119FCB04EBA9D844A6FB7EAEFC9704F018869E208DB365EB719C0187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545FF00, Relevance: .1, Instructions: 54COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6223621b9aed7a7954367202b1474650da7af09a537926b483b4211f78173a2a
                                                • Instruction ID: 616f75dab9a41a7c1b5374322b51059617d4f15dae2768556960bf294c3c6d57
                                                • Opcode Fuzzy Hash: 6223621b9aed7a7954367202b1474650da7af09a537926b483b4211f78173a2a
                                                • Instruction Fuzzy Hash: 5311F675A1020A8BCF04EFE4C4516EEBBB2FF89310F618926D501B7344DB706D86CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545DEB0, Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eeb757e2240a988735fbe2e2e2ff9379752233e010589d25cdea4b591a128eef
                                                • Instruction ID: 714644b161a16023e153e28050d1040cf1c63b43e00c05110b80b7ea58ada27d
                                                • Opcode Fuzzy Hash: eeb757e2240a988735fbe2e2e2ff9379752233e010589d25cdea4b591a128eef
                                                • Instruction Fuzzy Hash: A1017572F0052557CB14DA5ACC849EFB7B9FFC8260B15442EFD55D3345EB309A0687A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545EBC8, Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18694887f473d1c611802318862b1e41c8003951794c41c127db3c2452edcca2
                                                • Instruction ID: 6942aa26524b9130937606cd37939d2b140356e4c4f0bde5688e6cdcbb81bd21
                                                • Opcode Fuzzy Hash: 18694887f473d1c611802318862b1e41c8003951794c41c127db3c2452edcca2
                                                • Instruction Fuzzy Hash: F40126319143089FCB45DF74D9463CEBFB2EB46210F2494A2E906D3201EB34DA619A90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455519, Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed49ebf82ff678c5e91d94b128bfb05cbf0f4e5fe7e2281eb1f07e68e1de462
                                                • Instruction ID: 73cb55b5178822420d9ddfb6d1540afe17f3b116146621ea4762e6489458ffdb
                                                • Opcode Fuzzy Hash: fed49ebf82ff678c5e91d94b128bfb05cbf0f4e5fe7e2281eb1f07e68e1de462
                                                • Instruction Fuzzy Hash: 0001B530215204CFDB19EF74D8417FA7766FB80229B5089AEC90A87766DB35D847C690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454E20, Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ce8b708060c9cf1183ea7dbd23dd47d400c275e788aee9e4193c57b089843082
                                                • Instruction ID: ca8dd0deed53c6e842c3e5719ae09ba2cf1844e51ecfb9e1d49357561f434f7f
                                                • Opcode Fuzzy Hash: ce8b708060c9cf1183ea7dbd23dd47d400c275e788aee9e4193c57b089843082
                                                • Instruction Fuzzy Hash: 92017C71304210DFDB289F2AD844F6A73AAFF84724B1445AAE5068B7A1CB21E845CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456B6F, Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb59689814cde74da65e8f7d540ff07c06c36c4aa7ebdeb40992f99e9cf2ecb5
                                                • Instruction ID: 17c1d404c6310da3dd10b2e132e392ba7998424c62639a242cc5647ef8b2e8dc
                                                • Opcode Fuzzy Hash: eb59689814cde74da65e8f7d540ff07c06c36c4aa7ebdeb40992f99e9cf2ecb5
                                                • Instruction Fuzzy Hash: A9017C72D0021AAFDB11DFA9DC45AFFBBB8EF08360F01406AE944BB241D6346A55C7E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05452390, Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96a5c5748f3e45250b247386e94dedb87531d5fa1da456476b0fef2301775f90
                                                • Instruction ID: 3cea80c5647243a39e7062a1091b26935ac4ad8e8895be92346157711d8b21db
                                                • Opcode Fuzzy Hash: 96a5c5748f3e45250b247386e94dedb87531d5fa1da456476b0fef2301775f90
                                                • Instruction Fuzzy Hash: 4701D6393485008FC7189A2DD050AAB37A6FFD4221B25406FEA46CB366EB79EC028790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456B80, Relevance: .0, Instructions: 43COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4e21b0ad13593da5d510caa610061c7f1cdd22804b24b8c7bf2d7d8282cc82f
                                                • Instruction ID: f1541b6f271491140b72149cd9829f96a14de05b752bd4115bfab1a55b3479cf
                                                • Opcode Fuzzy Hash: d4e21b0ad13593da5d510caa610061c7f1cdd22804b24b8c7bf2d7d8282cc82f
                                                • Instruction Fuzzy Hash: 0C011E71D0011AABCF10DF99D9459FFBBB5FB04320F11412AE915B7201E774AA548BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05452B40, Relevance: .0, Instructions: 42COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1683cb34d3e8f0657b4003f7495ea73e2b6f7ecab72a3be6d71ecb1e9a426001
                                                • Instruction ID: cd94a78c083a46488ec38b2f4dd99a8b0b517662bf852f54e31ab21b34ae17b9
                                                • Opcode Fuzzy Hash: 1683cb34d3e8f0657b4003f7495ea73e2b6f7ecab72a3be6d71ecb1e9a426001
                                                • Instruction Fuzzy Hash: C3F0C836B053159BC718AF25E90C6AF7BA6FBC0325F44186ED54A87340CE349942CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054523A0, Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9041086b2b42eb4e11890f20e81cdeb33d6f1e6bbcd734f8c0c9c94efabdaba
                                                • Instruction ID: 9a45612c537aee91a92773d585ab4790e3673d0f80df119d319e8252002b6554
                                                • Opcode Fuzzy Hash: f9041086b2b42eb4e11890f20e81cdeb33d6f1e6bbcd734f8c0c9c94efabdaba
                                                • Instruction Fuzzy Hash: 38F081383445148FC718AA2ED0549AF77A6FFD5220715806FEA46CB365EB75EC028790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456C00, Relevance: .0, Instructions: 39COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e84431ccee460a7ec7a63a6f2f331dc0aa0768daeb7a52dc210d14cca1861b50
                                                • Instruction ID: 4416c51b348d5412a4397f1b58e3d7a9af2d1e04e2c0eae6daced019fc4c5ded
                                                • Opcode Fuzzy Hash: e84431ccee460a7ec7a63a6f2f331dc0aa0768daeb7a52dc210d14cca1861b50
                                                • Instruction Fuzzy Hash: 9E018131A046298BCF05EBA8DC144EEB376FF88311F41862AD91577248FF346A198BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456BF1, Relevance: .0, Instructions: 37COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21099594ae4272813d0cd2c245787b6f0faa206604f7c161e5432c7ee4bd5955
                                                • Instruction ID: 44569ae6f4ad30580da1df4b8518b683042f33f34044cc1efd0cb7b4e2470cae
                                                • Opcode Fuzzy Hash: 21099594ae4272813d0cd2c245787b6f0faa206604f7c161e5432c7ee4bd5955
                                                • Instruction Fuzzy Hash: 15F02B32A04B189BCF05B768DC001EEB775EF85311F41826ADD45B7244FF309A5587E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05453FD9, Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2bea7f2bc14746b67c2af122c4e992ac4602c87333b48dd63156925f2e4312ce
                                                • Instruction ID: e54642fcb0aa86eaed9ace0267f405382958a6e8f86eec852a9aaef2dc7433a1
                                                • Opcode Fuzzy Hash: 2bea7f2bc14746b67c2af122c4e992ac4602c87333b48dd63156925f2e4312ce
                                                • Instruction Fuzzy Hash: CBF0B4357182509F8B169729A85881EBBEA9F89610315409BF809CB3A2CE358C028BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545EBF8, Relevance: .0, Instructions: 36COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e210405f290112690818bbea32c62b5ee686c0136825b66d3dac7c1821e9ca77
                                                • Instruction ID: 56292fe8655a1090fc90499484a133d37fff2492908c6993870771275533e807
                                                • Opcode Fuzzy Hash: e210405f290112690818bbea32c62b5ee686c0136825b66d3dac7c1821e9ca77
                                                • Instruction Fuzzy Hash: 2AF0A434A10208DBCB09DFA496452DEBFFAEB89211F2084A6A90693205DB309B619A80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456C70, Relevance: .0, Instructions: 35COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: da77b6638af1e35675ea2d579ea493c1d80c83ca8a07afb358f6f56d0564acf9
                                                • Instruction ID: 64cc8df18d1b86e94b597a6db9b863727f3d5b325f24827c7b7b74eb8a18007f
                                                • Opcode Fuzzy Hash: da77b6638af1e35675ea2d579ea493c1d80c83ca8a07afb358f6f56d0564acf9
                                                • Instruction Fuzzy Hash: C3F0B4316087449BC3116B2ADC548ABBFAEEFC6211B55447FE505C7352EB21C894CA71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457A8C, Relevance: .0, Instructions: 35COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 999cca8f1be5d65f9c385a5568128921a62ac44e52f53570146e4958d6f4a13b
                                                • Instruction ID: 29f8e9a22c9ea0f1111d463855a88a49c3aa18a97c560969b736dd11ffe70cda
                                                • Opcode Fuzzy Hash: 999cca8f1be5d65f9c385a5568128921a62ac44e52f53570146e4958d6f4a13b
                                                • Instruction Fuzzy Hash: 94F09061C482049FD719AFA89C463A9BFB4F705340F0486EBD845D7257E7788612CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450D66, Relevance: .0, Instructions: 34COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83396b0e124b281242e369c26bcd466e2b837f2af38048d46812a6d819e9f46e
                                                • Instruction ID: fc341f5245afafae368050bc3dc752284bf1f5ce195977899b6ad8f7321b462c
                                                • Opcode Fuzzy Hash: 83396b0e124b281242e369c26bcd466e2b837f2af38048d46812a6d819e9f46e
                                                • Instruction Fuzzy Hash: 0401E239941108EFDF15CE94CD4AFEEB7B2BB48311F108095F906262E1C7726854CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455588, Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 642d2fb89321ea03e03a79acc00c4b93d24c6f616f8bd8415105755e82bf9805
                                                • Instruction ID: 50162a19aa130a48b3d3fa2441b2896af914d2c544eee5ce36458a9a4f9cbd7a
                                                • Opcode Fuzzy Hash: 642d2fb89321ea03e03a79acc00c4b93d24c6f616f8bd8415105755e82bf9805
                                                • Instruction Fuzzy Hash: C1F0B432910B14C7CB10AF6DE4045C5F7B5FF92321B50863ED54967201EB31A999C7D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05452B50, Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: daa284a98dad4d85266de1dc636584a42d44a62e924c297af4b24a1fef4406ed
                                                • Instruction ID: 8f61c4d2cd4a5422d4b0b5d8ab4226c9ed707b6f105a577efc571a6901b010fa
                                                • Opcode Fuzzy Hash: daa284a98dad4d85266de1dc636584a42d44a62e924c297af4b24a1fef4406ed
                                                • Instruction Fuzzy Hash: E1F08234B053159BCB18AB76E45856F7BEAFBC4325F40582ED54A87350CE74A842CBD4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458F50, Relevance: .0, Instructions: 31COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ca55394a4bd6a6b4638ad951e644e0ef9eebf15c9e08fe3789d317af9201566
                                                • Instruction ID: c90f0b0d12387a7a3fb204b2aa773ad2f5cd47c387e2f5499f4b93a087da90e2
                                                • Opcode Fuzzy Hash: 0ca55394a4bd6a6b4638ad951e644e0ef9eebf15c9e08fe3789d317af9201566
                                                • Instruction Fuzzy Hash: 3AF049B2D08258EFCB05CFD4DC406EEBFB2FB19310F10899AF85592266D7358661EB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455579, Relevance: .0, Instructions: 29COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b056a0f06ebb1f0972111683f620504c374133cf88c65624852352bd6ad8eab2
                                                • Instruction ID: 082c7da8a39c4d01db28d112091b12f4e06de2ad084625068ed21e1dafb0f477
                                                • Opcode Fuzzy Hash: b056a0f06ebb1f0972111683f620504c374133cf88c65624852352bd6ad8eab2
                                                • Instruction Fuzzy Hash: 12F0A731500715C7C714AF3CE5186C5BBB2EF91311F50862EE44EA7651EB35E595C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459A70, Relevance: .0, Instructions: 29COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e740f305920a16a036684ca7a4336e83765e6e6924b89c45af6d7ca679f501f0
                                                • Instruction ID: 563b7a8a3d3aa6f1f120c9da7454ee2b8e23e6b2e4e1748ba2414204f6eeff0d
                                                • Opcode Fuzzy Hash: e740f305920a16a036684ca7a4336e83765e6e6924b89c45af6d7ca679f501f0
                                                • Instruction Fuzzy Hash: D6E06832600244EFDF201EB5DC8DAE7BFA8EB91268F0004B7EE0182206DB308814CAA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458EF9, Relevance: .0, Instructions: 28COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e432b582453b3f67c0bea30a23650db9dd86661d6ca35e74de614c017bc51486
                                                • Instruction ID: ea7d5169d8b442891e153b4dc038f062bc53252f58d8c7329691eb19fd063c35
                                                • Opcode Fuzzy Hash: e432b582453b3f67c0bea30a23650db9dd86661d6ca35e74de614c017bc51486
                                                • Instruction Fuzzy Hash: 43F01776C00209AFCB48DF98DC417EEBBB1FB08310F108999E815A2341D7318A60DB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05453F48, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14c205a55774deb42ec82b4e8b5780f4d788daee99fd04065dda77a8f3c3493a
                                                • Instruction ID: ec6ea9dc715fec0fe3974e875922690109b2b05c7ccc995edbead9841534c65d
                                                • Opcode Fuzzy Hash: 14c205a55774deb42ec82b4e8b5780f4d788daee99fd04065dda77a8f3c3493a
                                                • Instruction Fuzzy Hash: B1F06D34950208AFCB04DFA8E845BE9BBB4FB49304F1091E9D849A7312C7369953CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458E5A, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1943b2f4b0584d8285ff1c5d5b52ee91f18e49bdd029e56ab4e72df11dcf9aa9
                                                • Instruction ID: 34392e3b65b7b27d963ca33b6512b4c6c1d2ea56ae474bc31d2bc274adb2e2f9
                                                • Opcode Fuzzy Hash: 1943b2f4b0584d8285ff1c5d5b52ee91f18e49bdd029e56ab4e72df11dcf9aa9
                                                • Instruction Fuzzy Hash: A6F0D474D002189FCB40DFA8D88179EBBB0FF08300F2085AAE815A3311E7719A55DB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054530E2, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f57656c8b3b72d1bf5c64fc27496db88358d169c05418d06f1fd9dde2d42ef4a
                                                • Instruction ID: 98e4f6a00e66b8250fae682e25d8b2901c8ef1e90968c29bf6b32ba54ca58f8a
                                                • Opcode Fuzzy Hash: f57656c8b3b72d1bf5c64fc27496db88358d169c05418d06f1fd9dde2d42ef4a
                                                • Instruction Fuzzy Hash: D4F092357007109BD324EB36D850BD7B3A3EBC5329F25883ED51987201DB799802C7D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456360, Relevance: .0, Instructions: 27COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b29b712bb3b891465e72e2fe55a3114c92854518ba95cddb52312f71185ae07c
                                                • Instruction ID: 3571820a0e01a8364bfc645fb1002a977db74225ce3fa645f89b62b31704a06d
                                                • Opcode Fuzzy Hash: b29b712bb3b891465e72e2fe55a3114c92854518ba95cddb52312f71185ae07c
                                                • Instruction Fuzzy Hash: 38F065719042599BCB40EBE9CC04BDEBBB4EF89310F10852AD568A3240E730521687A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458EA8, Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0183ab888eef79bd34729e70ed6c1a9b5009f2e3673b9707af66769b7de7c3d1
                                                • Instruction ID: c6b90bcdec7dc7fab4cbb80c05f42d377f08c6fa7968641c7af44e4714d63cbd
                                                • Opcode Fuzzy Hash: 0183ab888eef79bd34729e70ed6c1a9b5009f2e3673b9707af66769b7de7c3d1
                                                • Instruction Fuzzy Hash: 0BF01CB5D002189FCB48DFA8D9457AEBBF0FB08314F2085EAD815E3351D7309A11CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05450EBE, Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c56325657036a17e334e6a9e49637bc6379d92d3265a2f7848a112761cafe2da
                                                • Instruction ID: ccc496c87af204a93fa88b55069adfd3d68c25ccf86166f01bab6887978aeb95
                                                • Opcode Fuzzy Hash: c56325657036a17e334e6a9e49637bc6379d92d3265a2f7848a112761cafe2da
                                                • Instruction Fuzzy Hash: 62E01275504219EFDB105E55DC48CAB7B6DEB89261B10442AF81893240C7319C11CBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457A01, Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fad921b4d585dbbeecb8a3b71f23d0462bed5a3f3884a4ca4456638d392ea3d1
                                                • Instruction ID: 0435e4d96341c36fbb41664cd5d4d77f434436792475e2c5ebc5f9626773418d
                                                • Opcode Fuzzy Hash: fad921b4d585dbbeecb8a3b71f23d0462bed5a3f3884a4ca4456638d392ea3d1
                                                • Instruction Fuzzy Hash: 8BE0ED309442089FCB18DFA8D88679DBBB4FB44305F1081E9D90593353D7359D158B80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458D38, Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 029fecbdf8cad580628969c8c5af6a0ac984088bc6941396024495598309cd54
                                                • Instruction ID: d6a7a3ca8c2e13931ff24024139b4c4123ecbf3d6f1af4da4496e8cd942fdd8e
                                                • Opcode Fuzzy Hash: 029fecbdf8cad580628969c8c5af6a0ac984088bc6941396024495598309cd54
                                                • Instruction Fuzzy Hash: 4AF0C971D002189FDB54EFE8D8517EEBBF4FB08204F2056AAC859A3345E7715656CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05453F90, Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 724babbbc35cf6b485dda2ba145034d8e1bb3152e772de6f816063f06139b154
                                                • Instruction ID: 7628e23f099b23b49cae19e07596327e436ae6a64dde9a66727b18a4fb83e2cf
                                                • Opcode Fuzzy Hash: 724babbbc35cf6b485dda2ba145034d8e1bb3152e772de6f816063f06139b154
                                                • Instruction Fuzzy Hash: 49E022317042148FC7144E5AD00CBAB33E9BF05724F04088EF942C7366CBA59C41CF82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054561C2, Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a69f502d85f6e7bf4f8ef1086450f9c8b0b1cabeaad45f709328428939e3c077
                                                • Instruction ID: 334f3ddb27f2e4ddbce5b6a883de188da6b17c80c8d67a2296b6153fd757d0a8
                                                • Opcode Fuzzy Hash: a69f502d85f6e7bf4f8ef1086450f9c8b0b1cabeaad45f709328428939e3c077
                                                • Instruction Fuzzy Hash: 3DF0F832C10229DADB50BFA9D8046DEBBB0EF55311F00862AE558B7110F7305659CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054553DF, Relevance: .0, Instructions: 25COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddbfb1a2e0939f851fd793c1bbaf5a59e431af64546e8f133be26ac14a1ed134
                                                • Instruction ID: 069ca011e08a6fc1b7b0e85270d351abe519e08cacb4d5e4bf1764dc71fa1184
                                                • Opcode Fuzzy Hash: ddbfb1a2e0939f851fd793c1bbaf5a59e431af64546e8f133be26ac14a1ed134
                                                • Instruction Fuzzy Hash: 78E09A30C4A208AECB059BB9A8453DDBBB4EB42301F6082EAC49963342D7398A56DB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054530F0, Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc300a2925724d186ef8933ab0669483317d085787d57c26fd941b8ee9d3597f
                                                • Instruction ID: 9ba63598ef86110936228ec5618012ef36b83e8e8937b589129b4a4ab43d47cf
                                                • Opcode Fuzzy Hash: dc300a2925724d186ef8933ab0669483317d085787d57c26fd941b8ee9d3597f
                                                • Instruction Fuzzy Hash: 2AE04F357007108BC724EA76D810AEBB397DBC6765F10893ED91987301DFB4A80587E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454378, Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc385cb4e7688c654fc477e51ebbac46b8fb0e0bfd8fabda89bd1d94496c030a
                                                • Instruction ID: 0a0d970a813353fb7a7d97ee19fb244fa308e476911e1a2bb30c795577a2ced4
                                                • Opcode Fuzzy Hash: dc385cb4e7688c654fc477e51ebbac46b8fb0e0bfd8fabda89bd1d94496c030a
                                                • Instruction Fuzzy Hash: 2DE04871D442189BCB18DEF599453DD7BB4E741315F1441BEC845A3382D7398A52D681
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457A48, Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08927b603eed8ff98752dc7641e81cc390b1ae218afdff41d8db60da5ffdce89
                                                • Instruction ID: 3881e6de959b214742533fa8af9ac7cfbde341d268764966351230050eecfc85
                                                • Opcode Fuzzy Hash: 08927b603eed8ff98752dc7641e81cc390b1ae218afdff41d8db60da5ffdce89
                                                • Instruction Fuzzy Hash: 46E06D30C042089FCB18AFA8A8022AEBFB4FB00304F0046AAD808A3203E77045658B85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458F08, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3508951c669ecb4e0a3d69f13e05f12d760b7a7c4494ef2a5c4dc798f4f4a28c
                                                • Instruction ID: 83966f67ec4d32939902804b45e6ae792a822d793590ca4584dab2d696e1cbc9
                                                • Opcode Fuzzy Hash: 3508951c669ecb4e0a3d69f13e05f12d760b7a7c4494ef2a5c4dc798f4f4a28c
                                                • Instruction Fuzzy Hash: 36F0D475D00209EFCF04DFE8D8016AEBBB1FB08310F108A59E815A2215D7715660DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454E10, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e539cc72e292df5705209a3cd29d744fd16bdf8ecba8905a1c657f369b32fcdf
                                                • Instruction ID: 4274a50286eff0e44a38e9109c15fa68efce2bd66fda785da4c488771066af5c
                                                • Opcode Fuzzy Hash: e539cc72e292df5705209a3cd29d744fd16bdf8ecba8905a1c657f369b32fcdf
                                                • Instruction Fuzzy Hash: A0E0D83430D2D08FC7299B3CA8648E63B65AE8322530401FEE466CB7B2C6518C42C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455E30, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78a775d8870b920ecf916e98d92f2ef7593fabfaf71c85f27caa2ce2bb31e98a
                                                • Instruction ID: 4f5a891cbc0c2fcac757ebcfe5fcfadc802a59a2a7b9f44efbc06db25068c1b7
                                                • Opcode Fuzzy Hash: 78a775d8870b920ecf916e98d92f2ef7593fabfaf71c85f27caa2ce2bb31e98a
                                                • Instruction Fuzzy Hash: A8E0D870C0D398AECB11DFF868402DD7FF4AB41201F0041EBC45853343C6350AA4DB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054561D0, Relevance: .0, Instructions: 23COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92495fafb4c7f7f44b5a65859e8c09469573c17a1cc80e293ab4dec51a7e2706
                                                • Instruction ID: 8a0f1315f7db8dfb4efa896b17e17099b004ce6270586eeabeebf73bf98dd40b
                                                • Opcode Fuzzy Hash: 92495fafb4c7f7f44b5a65859e8c09469573c17a1cc80e293ab4dec51a7e2706
                                                • Instruction Fuzzy Hash: 9FE0ED32C106199ACB40FFADDC044DEBBB4FE55311B00C626D558B7100FB306659CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456370, Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c9f8523d547228823543e465b21944eec99a23a2c7abbba64759f8b39e18639
                                                • Instruction ID: f6ba79b5b46add8fe274dd83ee69bf80a709e92547688bd663fc05b4dc4838c7
                                                • Opcode Fuzzy Hash: 2c9f8523d547228823543e465b21944eec99a23a2c7abbba64759f8b39e18639
                                                • Instruction Fuzzy Hash: D5E01271D002199BCB40EFA9DC009DEB7B8EF88310F108526D528A3100E73056558BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458E68, Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7fc952eda274f1a11f132edc39392f9006e2a097773d0783650144e36a58874
                                                • Instruction ID: 950cc56716824d2027cf9eb323106456b003c10d822c0377a6fa1d439995da6d
                                                • Opcode Fuzzy Hash: f7fc952eda274f1a11f132edc39392f9006e2a097773d0783650144e36a58874
                                                • Instruction Fuzzy Hash: ABE0AE74E002089FCB44EFA8D8456AEBBB4FB08300F1086AAD819A3321D7719A51CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05458EB8, Relevance: .0, Instructions: 21COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6acb67aaa862551036c772a1603588a6d3c9adaf2e68ec7829d75dc1b4e067ba
                                                • Instruction ID: 118ff80cd2c05bb51ab5f56e4ae4913a1b0d86a7ac7108470538d3a1791eb7f9
                                                • Opcode Fuzzy Hash: 6acb67aaa862551036c772a1603588a6d3c9adaf2e68ec7829d75dc1b4e067ba
                                                • Instruction Fuzzy Hash: 46E0C974D00218DFCB44DFA8D9456AEBBF4FB08300F1086AAD819E3311D7709A51CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05453FA0, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fcb324a3231a68d5f19361d5e128b9b7c06e9d228972071e368bd9f8a4f3827
                                                • Instruction ID: 9a48e6a221da1b47aebe4a5653e38b896e537a01a60d21bb3be305b87c48f172
                                                • Opcode Fuzzy Hash: 4fcb324a3231a68d5f19361d5e128b9b7c06e9d228972071e368bd9f8a4f3827
                                                • Instruction Fuzzy Hash: 0CE086317006245FC7245E59D00CB6B33E6BF44765B00485FF946C7355CBA1AC418F82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456188, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 04a5153f07042f119c0cffb86dcf5b1bbc7d2b4510074e3e0d7d48bca20071cb
                                                • Instruction ID: e8e10ce7ca1323c0b57760e9bd8ad5574017c7bfc8fb808477e4bbbaccb7e66d
                                                • Opcode Fuzzy Hash: 04a5153f07042f119c0cffb86dcf5b1bbc7d2b4510074e3e0d7d48bca20071cb
                                                • Instruction Fuzzy Hash: 0BD05E31150A048FD300EF2CD847B9A77A8FB4A314F4401D9E145DB323EA29EA018790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456077, Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 008eb1f38d8bc58749f328206fc11c79442f67063a6b87476518594a1ee44d92
                                                • Instruction ID: 845ee6e74dfa4c6b7c272f8ee6d0d9f3012bd319ccce6f929673cecb8876a8e6
                                                • Opcode Fuzzy Hash: 008eb1f38d8bc58749f328206fc11c79442f67063a6b87476518594a1ee44d92
                                                • Instruction Fuzzy Hash: 71E08630C511049FDB54EFB4D8453DD7FB0EF41314F6011ADC80593256D735456AC742
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05453F58, Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8592b69ea1341c0c7e89f836d3ec76b3b6020c858002328d250444aa122b1e9
                                                • Instruction ID: dd9defa921c0f232edbae8c2a0e1f08ede6eed5d82241cbf3f8f45ce8813def1
                                                • Opcode Fuzzy Hash: a8592b69ea1341c0c7e89f836d3ec76b3b6020c858002328d250444aa122b1e9
                                                • Instruction Fuzzy Hash: 42E04634E10208AFCB04DFA8E844A9EBBB4FB48300F1081EAD80993325D7309951CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457A10, Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76c91190c2a5557aca7560202c9e187d4c29b8ed3d67ca473c9bf0eea697d23f
                                                • Instruction ID: c2c3c82e0764986d45246859675ae8e4fb5777fd16b39afb194d95adddef575c
                                                • Opcode Fuzzy Hash: 76c91190c2a5557aca7560202c9e187d4c29b8ed3d67ca473c9bf0eea697d23f
                                                • Instruction Fuzzy Hash: 94E04630E00208EFCB04DFA8E844A9EBBB4FB48300F1081EAD80993311D7319E10CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 054553F0, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bcc6378e4370c6248d9bc8e6862ca3eff6f2f82af1e4b2e82d7c796078e8d87d
                                                • Instruction ID: c54c65ded6ec47f4fa7001301b00f0aad5435c358c27ee6f7077742e94c27a3c
                                                • Opcode Fuzzy Hash: bcc6378e4370c6248d9bc8e6862ca3eff6f2f82af1e4b2e82d7c796078e8d87d
                                                • Instruction Fuzzy Hash: CDE08C70C0920CEACB14EFF8A4042ADBBF4BB41301F2082EAC80553341D7354A51DB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05457A58, Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 888401f4ba589e1e91c0e83b617b9ec06ad268ac5b1e45ebdd6cc5ddd6c2b46f
                                                • Instruction ID: b2cc44e4d6dad64a066d617fe41a2c483e0a45c5acab6227942bda4cefbb3a90
                                                • Opcode Fuzzy Hash: 888401f4ba589e1e91c0e83b617b9ec06ad268ac5b1e45ebdd6cc5ddd6c2b46f
                                                • Instruction Fuzzy Hash: 41E0EC74C042089FCB54EFF8A9053AEBBF4FB04300F0096AAC819A3305E77046508B85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455E40, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0fba23ef3ce5d4b598bd7be113c84c0e73019a25f284ee17d873a85732c0616
                                                • Instruction ID: 3f5926c16cef0d25a7f86fb789eb0ef1886c1188e0361d05b673b13e56bc4d65
                                                • Opcode Fuzzy Hash: c0fba23ef3ce5d4b598bd7be113c84c0e73019a25f284ee17d873a85732c0616
                                                • Instruction Fuzzy Hash: 96D01270D0921CAACB54EFF8A9443EDBBF4BB45200F1096EA881553345D7340A54DB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454388, Relevance: .0, Instructions: 17COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14d0b055e13fe7a9c35c55fe8231be104923687b947047810ce141e901863690
                                                • Instruction ID: deab406ed67a130997c5dfa24942bee19ccbc7fe5a629f0009ad0bff331f54ce
                                                • Opcode Fuzzy Hash: 14d0b055e13fe7a9c35c55fe8231be104923687b947047810ce141e901863690
                                                • Instruction Fuzzy Hash: FAD01270D09218ABCB14EFF5A9442DDBBF4AB45200F1081EA884563345D7354A50DB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455528, Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0397159c17fea279a0de0201f6cbdadd59f2cebcc848034acae121726e3a839
                                                • Instruction ID: 0f3f4c371f695d10e9a85fda46c7d557cf8ab6ad4264aaedcac6aa94ddf2bdda
                                                • Opcode Fuzzy Hash: d0397159c17fea279a0de0201f6cbdadd59f2cebcc848034acae121726e3a839
                                                • Instruction Fuzzy Hash: 9CD05E7085620CEFC714EFF4A80539EBBB4AB00205F5015ADC80553349EB3189A5C782
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454E8F, Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c2d8fded841334427894b6ffcc5c7239de0c0e4c10e0a3b018d3b2bf67d2ec1
                                                • Instruction ID: 493041f934073e758cb8576b35b8c10960d348cb872b5dab2da710f3ba57bfd0
                                                • Opcode Fuzzy Hash: 0c2d8fded841334427894b6ffcc5c7239de0c0e4c10e0a3b018d3b2bf67d2ec1
                                                • Instruction Fuzzy Hash: 88D012B5180108AFD6048E55D846F84B7D5DF04334F044054F64587733C639D8539A40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545EF5A, Relevance: .0, Instructions: 15COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0425542934de6e1ec851c912a473fd1b0119d730f323e5c6e7da160579a23788
                                                • Instruction ID: 474787d30dd6ea69d814101d412268a04013302029f1a4b8e41876a98d1e4cfe
                                                • Opcode Fuzzy Hash: 0425542934de6e1ec851c912a473fd1b0119d730f323e5c6e7da160579a23788
                                                • Instruction Fuzzy Hash: 82E01230E0521ACFDB94EF24DC40BCCB7B2FB88200F0199AAD809A3220DB305E81CF20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456088, Relevance: .0, Instructions: 15COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97c52054f7c4c17ee718c5cb5af21ee68f52a8298cf034fe479ca63888f1134a
                                                • Instruction ID: ba1feec539a47fb27aa6193ba7170bca225416e4850584e1c62d3bcf3594d0d0
                                                • Opcode Fuzzy Hash: 97c52054f7c4c17ee718c5cb5af21ee68f52a8298cf034fe479ca63888f1134a
                                                • Instruction Fuzzy Hash: 11D0A73081520CAFCB44EFF4A80539E7BB4AB00200F5016A9C80553345EB304965C782
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05452432, Relevance: .0, Instructions: 14COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec0ca42a184a2c0a279dd1450f58b9833b03bdc3ab8c29ac911775b3c6130443
                                                • Instruction ID: 7afb0824cb96e32d9f86b45b5c54d1093c875edce47597ae36c3190fa80d8579
                                                • Opcode Fuzzy Hash: ec0ca42a184a2c0a279dd1450f58b9833b03bdc3ab8c29ac911775b3c6130443
                                                • Instruction Fuzzy Hash: 19D0129746929147E7015794C5477D42F00A7A72A1F58509EC490C5346D09CC146C113
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05455ED0, Relevance: .0, Instructions: 13COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 834d027631ffeb9b91c6289c28c7ac46b98b7b96aa09b75de1a38dc9894a35d5
                                                • Instruction ID: 16c8d919b1b19aef838b40b1f5d10696af8329af269b71165017f004cee3729e
                                                • Opcode Fuzzy Hash: 834d027631ffeb9b91c6289c28c7ac46b98b7b96aa09b75de1a38dc9894a35d5
                                                • Instruction Fuzzy Hash: C0D0A7B18D8B048DC340FF78DC002897BF4BF52210B104357D048D2190E7700298D712
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05456198, Relevance: .0, Instructions: 12COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50a1d986f2beb8c57c20ec187577220000a63b236649fd568cee8be883ef7eb2
                                                • Instruction ID: cb8f39504a3c68cfdc420a7ebcbed31808f9a4d9a0ee28e61dcd01971da0e251
                                                • Opcode Fuzzy Hash: 50a1d986f2beb8c57c20ec187577220000a63b236649fd568cee8be883ef7eb2
                                                • Instruction Fuzzy Hash: BDD01231510B04CFC700EF6CD84585477B4FF46604B450195E1059B331EB21F9548B41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0545DA18, Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 956fbef69abe1df34a115a610c3e9b9846270a7b706aa73dc8adf110c9392f00
                                                • Instruction ID: cc00f7c690cb553fe3188dc6887c708b05d1c942d510e7650832eea1f1e64f6f
                                                • Opcode Fuzzy Hash: 956fbef69abe1df34a115a610c3e9b9846270a7b706aa73dc8adf110c9392f00
                                                • Instruction Fuzzy Hash: 91C08CAE0022005BDB02AB14CD10BC63F90AB12298F0550A1C8C207232C1018436E791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05459554, Relevance: .0, Instructions: 9COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4a4c16ada9e35021c94e201ea7bf36708bd1c6c6a5fa0a69dbe9b2b02e4396e
                                                • Instruction ID: 27896c6afcd5f0932edccf5e82eabbe038e17d15c5baec339bee3601eb72cefd
                                                • Opcode Fuzzy Hash: b4a4c16ada9e35021c94e201ea7bf36708bd1c6c6a5fa0a69dbe9b2b02e4396e
                                                • Instruction Fuzzy Hash: CFC02B3A118108DEC301FF21C104C4ABA92FFC03103418C03F10042032C721C924D712
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 05454EA0, Relevance: .0, Instructions: 8COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.342901021.0000000005450000.00000040.00000001.sdmp, Offset: 05450000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
                                                • Instruction ID: 7df92ea0fb284714e324d49ebc714b23e44657096c8cf37ea5e3fc949f46cc50
                                                • Opcode Fuzzy Hash: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
                                                • Instruction Fuzzy Hash: D4C09239140208EFC740DF5AD848C45BBA8EF1977074180A1FA098B732C732EC60DA94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions