Play interactive tour

Edit tour

Analysis Report Devizni izvod za partiju 0050100073053.exe

Overview

General Information

Sample Name:	Devizni izvod za partiju 0050100073053.exe
Analysis ID:	411771
MD5:	50ab414be17f4e03bee8f9c5cee06335
SHA1:	d0def6e40e7858a1b8c46d46f24a6b29499c7c37
SHA256:	333b1ae9552e6a65ab7c4edee6677746e801ebed73294795b9057e17a0e284e6
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Devizni izvod za partiju 0050100073053.exe (PID: 4504 cmdline: 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

powershell.exe (PID: 5488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5876 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 1744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Devizni izvod za partiju 0050100073053.exe (PID: 5932 cmdline: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

Devizni izvod za partiju 0050100073053.exe (PID: 6164 cmdline: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

Devizni izvod za partiju 0050100073053.exe (PID: 6196 cmdline: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

dhcpmon.exe (PID: 6792 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

powershell.exe (PID: 4708 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6644 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4608 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

dhcpmon.exe (PID: 5356 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

dhcpmon.exe (PID: 900 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 50AB414BE17F4E03BEE8F9C5CEE06335)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b90524a1-4a4b-41de-ac06-59066a86", "Group": "Panda", "Domain1": "emedoo.ddns.net", "Domain2": "127.0.0.1", "Port": 5230, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "emedoo.ddns.net", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1151:$a: NanoCore 0x11aa:$a: NanoCore 0x11e7:$a: NanoCore 0x1260:$a: NanoCore 0x1490b:$a: NanoCore 0x14920:$a: NanoCore 0x14955:$a: NanoCore 0x1e7b9:$a: NanoCore 0x1e812:$a: NanoCore 0x1e84f:$a: NanoCore 0x1e8c8:$a: NanoCore 0x31f73:$a: NanoCore 0x31f88:$a: NanoCore 0x31fbd:$a: NanoCore 0x3fbd2:$a: NanoCore 0x3fbf7:$a: NanoCore 0x3fc50:$a: NanoCore 0x11b3:$b: ClientPlugin 0x11f0:$b: ClientPlugin 0x1aee:$b: ClientPlugin 0x1afb:$b: ClientPlugin
0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x891dd:$x1: NanoCore.ClientPluginHost 0x8921a:$x2: IClientNetworkHost 0x8cd4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x88f45:$a: NanoCore 0x88f55:$a: NanoCore 0x89189:$a: NanoCore 0x8919d:$a: NanoCore 0x891dd:$a: NanoCore 0x88fa4:$b: ClientPlugin 0x891a6:$b: ClientPlugin 0x891e6:$b: ClientPlugin 0x890cb:$c: ProjectData 0x89ad2:$d: DESCrypto 0x9149e:$e: KeepAlive 0x8f48c:$g: LogClientMessage 0x8b687:$i: get_Connected 0x89e08:$j: #=q 0x89e38:$j: #=q 0x89e54:$j: #=q 0x89e84:$j: #=q 0x89ea0:$j: #=q 0x89ebc:$j: #=q 0x89eec:$j: #=q 0x89f08:$j: #=q
0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd99:$a: NanoCore 0xdf2:$a: NanoCore 0xe2f:$a: NanoCore 0xea8:$a: NanoCore 0x14553:$a: NanoCore 0x14568:$a: NanoCore 0x1459d:$a: NanoCore 0x221b2:$a: NanoCore 0x221d7:$a: NanoCore 0x22230:$a: NanoCore 0x323cd:$a: NanoCore 0x323f3:$a: NanoCore 0x3244f:$a: NanoCore 0x3f2a4:$a: NanoCore 0x3f2fd:$a: NanoCore 0x3f330:$a: NanoCore 0x3f55c:$a: NanoCore 0x3f5d8:$a: NanoCore 0x3fbf1:$a: NanoCore 0x3fd3a:$a: NanoCore 0x4020e:$a: NanoCore
00000013.00000002.364891578.000000000378B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8d6d:$x1: NanoCore.ClientPluginHost 0xa8daa:$x2: IClientNetworkHost 0xac8dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa8ad5:$a: NanoCore 0xa8ae5:$a: NanoCore 0xa8d19:$a: NanoCore 0xa8d2d:$a: NanoCore 0xa8d6d:$a: NanoCore 0xa8b34:$b: ClientPlugin 0xa8d36:$b: ClientPlugin 0xa8d76:$b: ClientPlugin 0xa8c5b:$c: ProjectData 0xa9662:$d: DESCrypto 0xb102e:$e: KeepAlive 0xaf01c:$g: LogClientMessage 0xab217:$i: get_Connected 0xa9998:$j: #=q 0xa99c8:$j: #=q 0xa99e4:$j: #=q 0xa9a14:$j: #=q 0xa9a30:$j: #=q 0xa9a4c:$j: #=q 0xa9a7c:$j: #=q 0xa9a98:$j: #=q
0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1469:$a: NanoCore 0x14c2:$a: NanoCore 0x14ff:$a: NanoCore 0x1578:$a: NanoCore 0x14c23:$a: NanoCore 0x14c38:$a: NanoCore 0x14c6d:$a: NanoCore 0x22882:$a: NanoCore 0x228a7:$a: NanoCore 0x22900:$a: NanoCore 0x32a9d:$a: NanoCore 0x32ac3:$a: NanoCore 0x32b1f:$a: NanoCore 0x3f974:$a: NanoCore 0x3f9cd:$a: NanoCore 0x3fa00:$a: NanoCore 0x3fc2c:$a: NanoCore 0x3fca8:$a: NanoCore 0x402c1:$a: NanoCore 0x4040a:$a: NanoCore 0x408de:$a: NanoCore
0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493dd:$a: NanoCore 0x49436:$a: NanoCore 0x49473:$a: NanoCore 0x494ec:$a: NanoCore 0x5cb97:$a: NanoCore 0x5cbac:$a: NanoCore 0x5cbe1:$a: NanoCore 0x7565b:$a: NanoCore 0x75670:$a: NanoCore 0x756a5:$a: NanoCore 0x4943f:$b: ClientPlugin 0x4947c:$b: ClientPlugin 0x49d7a:$b: ClientPlugin 0x49d87:$b: ClientPlugin 0x5c953:$b: ClientPlugin 0x5c96e:$b: ClientPlugin 0x5c99e:$b: ClientPlugin 0x5cbb5:$b: ClientPlugin 0x5cbea:$b: ClientPlugin 0x75417:$b: ClientPlugin 0x75432:$b: ClientPlugin
00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12126d:$x1: NanoCore.ClientPluginHost 0x153a8d:$x1: NanoCore.ClientPluginHost 0x1212aa:$x2: IClientNetworkHost 0x153aca:$x2: IClientNetworkHost 0x124ddd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1575fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x120fd5:$a: NanoCore 0x120fe5:$a: NanoCore 0x121219:$a: NanoCore 0x12122d:$a: NanoCore 0x12126d:$a: NanoCore 0x1537f5:$a: NanoCore 0x153805:$a: NanoCore 0x153a39:$a: NanoCore 0x153a4d:$a: NanoCore 0x153a8d:$a: NanoCore 0x121034:$b: ClientPlugin 0x121236:$b: ClientPlugin 0x121276:$b: ClientPlugin 0x153854:$b: ClientPlugin 0x153a56:$b: ClientPlugin 0x153a96:$b: ClientPlugin 0x12115b:$c: ProjectData 0x15397b:$c: ProjectData 0x121b62:$d: DESCrypto 0x154382:$d: DESCrypto 0x12952e:$e: KeepAlive
0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ed06:$a: NanoCore 0x2ed2b:$a: NanoCore 0x2ed84:$a: NanoCore 0x3ef2f:$a: NanoCore 0x3ef55:$a: NanoCore 0x3efb1:$a: NanoCore 0x4be0f:$a: NanoCore 0x4be68:$a: NanoCore 0x4be9b:$a: NanoCore 0x4c0c7:$a: NanoCore 0x4c143:$a: NanoCore 0x4c75c:$a: NanoCore 0x4c8a5:$a: NanoCore 0x4cd79:$a: NanoCore 0x4d060:$a: NanoCore 0x4d077:$a: NanoCore 0x55f1f:$a: NanoCore 0x55f9b:$a: NanoCore 0x5887e:$a: NanoCore 0x5de4d:$a: NanoCore 0x5dec7:$a: NanoCore
0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Click to see the 51 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x374eb:$x1: NanoCore.ClientPluginHost 0x4191f:$x1: NanoCore.ClientPluginHost 0x4c909:$x1: NanoCore.ClientPluginHost 0x586b7:$x1: NanoCore.ClientPluginHost 0x6440a:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x37648:$x2: IClientNetworkHost 0x41958:$x2: IClientNetworkHost 0x4c923:$x2: IClientNetworkHost 0x586d1:$x2: IClientNetworkHost 0x64447:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
34.2.dhcpmon.exe.3f0e434.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28271:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2829e:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f0e434.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28271:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2934c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2828b:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f0e434.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x2997c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost 0x299b9:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x2997c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x2cdcf:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost 0x299a6:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb53b:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x22eb7:$x1: NanoCore.ClientPluginHost 0x2d2eb:$x1: NanoCore.ClientPluginHost 0x382d5:$x1: NanoCore.ClientPluginHost 0x44083:$x1: NanoCore.ClientPluginHost 0x4fdd6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb574:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x23014:$x2: IClientNetworkHost 0x2d324:$x2: IClientNetworkHost 0x382ef:$x2: IClientNetworkHost 0x4409d:$x2: IClientNetworkHost 0x4fe13:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb53b:$a: NanoCore 0xb5b7:$a: NanoCore 0xde9a:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x22eb7:$a: NanoCore 0x22fa1:$a: NanoCore 0x23e18:$a: NanoCore
13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3c691:$x2: NanoCore.ClientPluginHost 0x42662:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3c7ac:$s4: PipeCreated 0x42740:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
19.2.dhcpmon.exe.52f2be0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dhcpmon.exe.52f2be0.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.52f2be0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.52f2be0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
34.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
34.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
34.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f095fe.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0d4:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f095fe.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0a7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e182:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c1:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f095fe.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.3f095fe.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d05d:$a: NanoCore 0x2d072:$a: NanoCore 0x2d0a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce19:$b: ClientPlugin 0x2ce34:$b: ClientPlugin
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x2e61b:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost 0x2e658:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x2e61b:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x31a6e:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost 0x2e645:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x2d603:$x2: NanoCore.ClientPluginHost 0x3a76c:$x2: NanoCore.ClientPluginHost 0x40cba:$x2: NanoCore.ClientPluginHost 0x46c8b:$x2: NanoCore.ClientPluginHost 0x506f7:$x2: NanoCore.ClientPluginHost 0x5ab22:$x2: NanoCore.ClientPluginHost 0x65aff:$x2: NanoCore.ClientPluginHost 0x2e5d2:$s2: FileCommand 0x5164d:$s3: PipeExists 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0x32fd4:$s4: PipeCreated 0x3a889:$s4: PipeCreated 0x40dd5:$s4: PipeCreated 0x46d69:$s4: PipeCreated 0x508ed:$s4: PipeCreated 0x5ac6d:$s4: PipeCreated 0x66b34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
19.2.dhcpmon.exe.52f2be0.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dhcpmon.exe.52f2be0.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.52f2be0.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.52f2be0.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
34.2.dhcpmon.exe.2ed14ec.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
34.2.dhcpmon.exe.2ed14ec.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x196a7:$x1: NanoCore.ClientPluginHost 0x2ce15:$x1: NanoCore.ClientPluginHost 0x3aa4f:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x196c1:$x2: IClientNetworkHost 0x2ce42:$x2: IClientNetworkHost 0x3aa79:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x196a7:$x2: NanoCore.ClientPluginHost 0x2ce15:$x2: NanoCore.ClientPluginHost 0x3aa4f:$x2: NanoCore.ClientPluginHost 0x19a93:$s3: PipeExists 0x10888:$s4: PipeCreated 0x19968:$s4: PipeCreated 0x2def0:$s4: PipeCreated 0x3c8ff:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x196e2:$s5: IClientLoggingHost 0x2ce2f:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x19611:$a: NanoCore 0x1966a:$a: NanoCore 0x196a7:$a: NanoCore 0x19720:$a: NanoCore 0x2cdcb:$a: NanoCore 0x2cde0:$a: NanoCore 0x2ce15:$a: NanoCore 0x3aa2a:$a: NanoCore 0x3aa4f:$a: NanoCore 0x3aaa8:$a: NanoCore 0xf51f:$b: ClientPlugin 0xf53a:$b: ClientPlugin 0xf56a:$b: ClientPlugin 0xf781:$b: ClientPlugin 0xf7b6:$b: ClientPlugin 0x19673:$b: ClientPlugin 0x196b0:$b: ClientPlugin 0x19fae:$b: ClientPlugin
13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
34.2.dhcpmon.exe.3f12a5d.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f12a5d.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f12a5d.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x1507e:$x1: NanoCore.ClientPluginHost 0x287ec:$x1: NanoCore.ClientPluginHost 0x36426:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x15098:$x2: IClientNetworkHost 0x28819:$x2: IClientNetworkHost 0x36450:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x1507e:$x2: NanoCore.ClientPluginHost 0x287ec:$x2: NanoCore.ClientPluginHost 0x36426:$x2: NanoCore.ClientPluginHost 0x1546a:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1533f:$s4: PipeCreated 0x298c7:$s4: PipeCreated 0x382d6:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x150b9:$s5: IClientLoggingHost 0x28806:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x14fe8:$a: NanoCore 0x15041:$a: NanoCore 0x1507e:$a: NanoCore 0x150f7:$a: NanoCore 0x287a2:$a: NanoCore 0x287b7:$a: NanoCore 0x287ec:$a: NanoCore 0x36401:$a: NanoCore 0x36426:$a: NanoCore 0x3647f:$a: NanoCore 0xaef6:$b: ClientPlugin 0xaf11:$b: ClientPlugin 0xaf41:$b: ClientPlugin 0xb158:$b: ClientPlugin 0xb18d:$b: ClientPlugin 0x1504a:$b: ClientPlugin 0x15087:$b: ClientPlugin 0x15985:$b: ClientPlugin
34.2.dhcpmon.exe.3f0e434.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
34.2.dhcpmon.exe.3f0e434.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
34.2.dhcpmon.exe.3f0e434.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x1e4dd:$x1: NanoCore.ClientPluginHost 0x31c4b:$x1: NanoCore.ClientPluginHost 0x3f885:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x1e4f7:$x2: IClientNetworkHost 0x31c78:$x2: IClientNetworkHost 0x3f8af:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x1e4dd:$x2: NanoCore.ClientPluginHost 0x31c4b:$x2: NanoCore.ClientPluginHost 0x3f885:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1e8c9:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x1e79e:$s4: PipeCreated 0x32d26:$s4: PipeCreated 0x41735:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x1e518:$s5: IClientLoggingHost 0x31c65:$s5: IClientLoggingHost
13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1e447:$a: NanoCore 0x1e4a0:$a: NanoCore 0x1e4dd:$a: NanoCore 0x1e556:$a: NanoCore 0x31c01:$a: NanoCore 0x31c16:$a: NanoCore 0x31c4b:$a: NanoCore 0x3f860:$a: NanoCore 0x3f885:$a: NanoCore 0x3f8de:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin
13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x45af0:$x2: NanoCore.ClientPluginHost 0x4bac1:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x45c0b:$s4: PipeCreated 0x4bb9f:$s4: PipeCreated 0x55723:$s4: PipeCreated
13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x4372b:$x1: NanoCore.ClientPluginHost 0x4db5f:$x1: NanoCore.ClientPluginHost 0x58b49:$x1: NanoCore.ClientPluginHost 0x648f7:$x1: NanoCore.ClientPluginHost 0x7064a:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x43888:$x2: IClientNetworkHost 0x4db98:$x2: IClientNetworkHost 0x58b63:$x2: IClientNetworkHost 0x64911:$x2: IClientNetworkHost 0x70687:$x2: IClientNetworkHost
13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
Click to see the 168 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe, ProcessId: 6196, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe' , ParentImage: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe, ParentProcessId: 4504, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe', ProcessId: 5488

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b90524a1-4a4b-41de-ac06-59066a86", "Group": "Panda", "Domain1": "emedoo.ddns.net", "Domain2": "127.0.0.1", "Port": 5230, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "emedoo.ddns.net", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	ReversingLabs: Detection: 48%

Multi AV Scanner detection for submitted file

Show sources

Source: Devizni izvod za partiju 0050100073053.exe	Virustotal: Detection: 65%	Perma Link
Source: Devizni izvod za partiju 0050100073053.exe	Metadefender: Detection: 20%	Perma Link
Source: Devizni izvod za partiju 0050100073053.exe	ReversingLabs: Detection: 48%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Devizni izvod za partiju 0050100073053.exe

Joe Sandbox ML: detected

Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack	Avira: Label: TR/NanoCore.fadte
Source: 34.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	2_2_05BD1C58
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	2_2_05BD1C57
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_061D5670
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then mov esp, ebp	13_2_061D4628
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_061D5660
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 4x nop then mov esp, ebp	13_2_061D4498

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49715 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49720 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49725 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49726 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49727 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.71:5230
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.71:5230

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: emedoo.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: emedoo.ddns.net

Source: global traffic

TCP traffic: 192.168.2.7:49715 -> 79.134.225.71:5230

Source: Joe Sandbox View

IP Address: 79.134.225.71 79.134.225.71

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Code function: 13_2_05092B9A WSARecv,

13_2_05092B9A

Source: unknown

DNS traffic detected: queries for: emedoo.ddns.net

Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/account/update_profile.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/account/update_profile.xmlQhttp://api.twitter.com/1.1/favorites.xmlghttp:
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/account/update_profile_image.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/account/verify_credentials.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xmlUhttp://api.twitter.com/1.1/report_spam.xml_http://api
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking.xmldhttp://api.twitter.com/1.1/blocks/blocking/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/blocks/blocking/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/blocks/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/blocks/destroy/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xmlghttp://api.twitter.com/1.1/direct_messages/sent.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/direct_messages.xmlthttp://api.twitter.com/1.1/direct_messages/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/direct_messages/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/direct_messages/new.xml?user=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/direct_messages/new.xmlfhttp://api.twitter.com/1.1/direct_messages/sent.x
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/direct_messages/sent.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/favorites.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/favorites.xmlXhttp://api.twitter.com/1.1/followers/ids.xmlThttp://api.twi
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/favorites/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/favorites/destroy/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/followers/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/friends/ids.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/friends/ids.xmlYhttp://api.twitter.com/1.1/followers/ids.xmlshttp://api.t
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/friendships/create/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/friendships/destroy/
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/friendships/show.xml?
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/report_spam.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/report_spam.xmlJhttp://search.twitter.com/search.atomfhttp://api.twitter.
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/destroy/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/followers.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/friends.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/friends.xmlbhttp://api.twitter.com/1.1/statuses/followers.xmlpht
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/friends_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/home_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/mentions.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/mentions.xmlnhttp://api.twitter.com/1.1/statuses/public_timeline
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/public_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/replies.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/replies.xmlfhttp://api.twitter.com/1.1/statuses/retweet/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/retweet/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/retweeted_by_me.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets/id.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets/id.xml_http://api.twitter.com/1.1/statuses/replies.xmlS
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/retweets_of_me.xml
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/show/
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/update.xml?status=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/statuses/update.xmljhttp://api.twitter.com/1.1/statuses/user_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/statuses/user_timeline.xml
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/trends/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/trends/available.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/trends/available.xmlThttp://api.twitter.com/1.1/trends/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/users/search.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://api.twitter.com/1.1/users/search.xmlRhttp://api.twitter.com/1.1/users/show.xmlvhttp://api.twi
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://api.twitter.com/1.1/users/show.xml
Source: powershell.exe, 00000003.00000002.530350749.000000000377B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000009.00000003.496419975.0000000007787000.00000004.00000001.sdmp	String found in binary or memory: http://crl.mi
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://im.twitvid.com/api/upload
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://im.twitvid.com/api/uploadrhttp://api.twitter.com/1.1/account/verify_credentials.xmljhttp://ap
Source: powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngH
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.532843494.0000000004F41000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.532258311.0000000005111000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.534281663.0000000004591000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://search.twitter.com/search.atom
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://search.twitter.com/search.atomKhttp://search.twitter.com/trends.json
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://search.twitter.com/trends.json
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://search.twitter.com/trends/current.json
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://search.twitter.com/trends/current.jsonWhttp://search.twitter.com/trends/daily.jsonYhttp://sea
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://search.twitter.com/trends/daily.json
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://search.twitter.com/trends/weekly.json
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/audio.mp3?id=
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/getContent?id=
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twic.li/api/getUsersContent?userid=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/getUsersContent?userid=)&content_type=photos
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/getUsersContent?username=
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/photo.jpg?id=
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twic.li/api/uploadAudio
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twic.li/api/uploadAudioAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadAudioAndTweetUContent-Disposition:
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadAudioLhttp://twic.li/api/uploadAudioAndTweet:http://twic.li/api/getContentD
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadAudioiContent-disposition:
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twic.li/api/uploadPhoto
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadPhotoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadPhotoLhttp://twic.li/api/uploadPhotoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadPhotokContent-Disposition:
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadVideo
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadVideoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/uploadVideoLhttp://twic.li/api/uploadVideoAndTweet
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twic.li/api/video.flv?id=
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twic.li/api/video.flv?id=-No
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twitter.com/oauth/access_token
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twitter.com/oauth/access_token#?x_auth_username=#&x_auth_password=1&x_auth_mode=client_authUh
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twitter.com/oauth/request_token
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twitter.com/oauth/request_token-
Source: Devizni izvod za partiju 0050100073053.exe	String found in binary or memory: http://twitter.com/statuses/retweeted_to_me.xml
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://twitter.com/statuses/retweeted_to_me.xmlfhttp://api.twitter.com/1.1/statuses/retweets/id.xmll
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlH
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://yfrog.com/api/uploadAndPost
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: http://yfrog.com/api/uploadAndPostAmultipart/form-data
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: https://api.twitter.com/oauth/access_token
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/PesterH
Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: https://im.twitvid.com/api/authenticate
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	String found in binary or memory: https://im.twitvid.com/api/authenticateCapplication/x-www-form-urlencoded
Source: powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_024D180E NtQuerySystemInformation,	2_2_024D180E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_024D17DD NtQuerySystemInformation,	2_2_024D17DD
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_050915CE NtQuerySystemInformation,	13_2_050915CE
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_05091593 NtQuerySystemInformation,	13_2_05091593

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AEE60	2_2_025AEE60
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AE7F8	2_2_025AE7F8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AE430	2_2_025AE430
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A30F8	2_2_025A30F8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A10F0	2_2_025A10F0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A08F7	2_2_025A08F7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A0CA0	2_2_025A0CA0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A2918	2_2_025A2918
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A39EF	2_2_025A39EF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A19E7	2_2_025A19E7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A15A0	2_2_025A15A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A6271	2_2_025A6271
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A1E1F	2_2_025A1E1F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AAAC8	2_2_025AAAC8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AB2A0	2_2_025AB2A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AB748	2_2_025AB748
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A6770	2_2_025A6770
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A676F	2_2_025A676F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A6B11	2_2_025A6B11
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A13DF	2_2_025A13DF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A5FD0	2_2_025A5FD0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A5FE0	2_2_025A5FE0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AC7B0	2_2_025AC7B0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AC030	2_2_025AC030
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A10E1	2_2_025A10E1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A0C9F	2_2_025A0C9F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AF150	2_2_025AF150
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A5578	2_2_025A5578
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A6570	2_2_025A6570
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A556B	2_2_025A556B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A6560	2_2_025A6560
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A2915	2_2_025A2915
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025AA530	2_2_025AA530
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A699F	2_2_025A699F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A69A0	2_2_025A69A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_05BD19A6	2_2_05BD19A6
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_05BD0006	2_2_05BD0006
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_05BD0070	2_2_05BD0070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031BC348	3_2_031BC348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031BF690	3_2_031BF690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B95C0	3_2_031B95C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031BDAB0	3_2_031BDAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031BB9B8	3_2_031BB9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B8210	3_2_031B8210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B6730	3_2_031B6730
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B67A8	3_2_031B67A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B67A7	3_2_031B67A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B9DF0	3_2_031B9DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031BB9B8	3_2_031BB9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C0040	3_2_031C0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031CEE30	3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C2EA0	3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C2EA0	3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031CEE30	3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031CFB98	3_2_031CFB98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C2EA0	3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031CEE30	3_2_031CEE30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C2EA0	3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C2EA0	3_2_031C2EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031C8D53	3_2_031C8D53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0106E028	5_2_0106E028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0106F890	5_2_0106F890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0106BD18	5_2_0106BD18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F8919	5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F44CF	5_2_010F44CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F8919	5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F44CF	5_2_010F44CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F8919	5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F8919	5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010F8919	5_2_010F8919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0318C340	5_2_0318C340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0318F7D0	5_2_0318F7D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0318DBF0	5_2_0318DBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_031899C0	5_2_031899C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0318BDB8	5_2_0318BDB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03188210	5_2_03188210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0318BDB8	5_2_0318BDB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_031867A8	5_2_031867A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_031867A7	5_2_031867A7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_010FE7DB	5_2_010FE7DB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008CB218	9_2_008CB218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008CD300	9_2_008CD300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008CF4F7	9_2_008CF4F7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008CB7A0	9_2_008CB7A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C8E20	9_2_008C8E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C6008	9_2_008C6008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008CB218	9_2_008CB218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C9650	9_2_008C9650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C7A70	9_2_008C7A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C7EE0	9_2_008C7EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C5FFA	9_2_008C5FFA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_00F47AC1	13_2_00F47AC1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F63850	13_2_04F63850
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F68938	13_2_04F68938
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F6B208	13_2_04F6B208
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F623A0	13_2_04F623A0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F62FA8	13_2_04F62FA8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F6306F	13_2_04F6306F
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F695FF	13_2_04F695FF
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F69DE0	13_2_04F69DE0
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_04F69538	13_2_04F69538
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D6E10	13_2_061D6E10
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D6210	13_2_061D6210
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D2600	13_2_061D2600
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D76B8	13_2_061D76B8
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D8980	13_2_061D8980
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D3200	13_2_061D3200
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D9647	13_2_061D9647
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D6ED7	13_2_061D6ED7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D32C7	13_2_061D32C7
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D7F9B	13_2_061D7F9B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_061D9580	13_2_061D9580

Source: Devizni izvod za partiju 0050100073053.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AGYVBigGPY.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.559e8a4.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fd355c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dc23b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea8041.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2dd69e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5580000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2d412c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc9957.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68c0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.68d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3ea33a2.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.53a0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2ee3ac8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5594c9f.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6730000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.2ed14ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.55c0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.59e0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3e9a16e.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.3fc4cb8.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a50000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5a80000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6a20000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.6890000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.5590000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.412b61c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Devizni izvod za partiju 0050100073053.exe.2db6170.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Devizni izvod za partiju 0050100073053.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AGYVBigGPY.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@35/31@9/2

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_024D114E AdjustTokenPrivileges,	2_2_024D114E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_024D1117 AdjustTokenPrivileges,	2_2_024D1117
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_0509138E AdjustTokenPrivileges,	13_2_0509138E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_05091357 AdjustTokenPrivileges,	13_2_05091357

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File created: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe

Jump to behavior

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Mutant created: \Sessions\1\BaseNamedObjects\FBmlKPsCRkTxrXOa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b90524a1-4a4b-41de-ac06-59066a861712}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2011.tmp

Jump to behavior

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Devizni izvod za partiju 0050100073053.exe	Virustotal: Detection: 65%
Source: Devizni izvod za partiju 0050100073053.exe	Metadefender: Detection: 20%
Source: Devizni izvod za partiju 0050100073053.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File read: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Devizni izvod za partiju 0050100073053.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C392D9 push ebx; retf	2_2_00C392DA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36A7C push 6B7000C3h; ret	2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36B51 push 6B7000C3h; ret	2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C3631D push ebx; retf	2_2_00C3631E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36B28 push 6B7000C3h; ret	2_2_00C36B4A
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36CC1 push 6CE000C3h; ret	2_2_00C36CBA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36CB3 push 6CE000C3h; ret	2_2_00C36CBA
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_00C36D79 push 0200C36Dh; ret	2_2_00C36D8E
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A201A pushfd ; iretd	2_2_025A201B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A902C push esp; ret	2_2_025A902D
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 2_2_025A94FD push ebx; iretd	2_2_025A94FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B0720 push eax; ret	3_2_031B0733
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_031B06E0 push esp; ret	3_2_031B06B3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01069000 push eax; mov dword ptr [esp], ecx	5_2_01069014
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01065B19 push eax; mov dword ptr [esp], edx	5_2_01065B2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01065EC0 push eax; mov dword ptr [esp], edx	5_2_01065ED4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01065ED0 push eax; mov dword ptr [esp], edx	5_2_01065ED4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_03183D72 push esp; retf	5_2_03183D81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_008C6F52 push es; ret	9_2_008C6F7B
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_00F462D4 push ebx; retf	13_2_00F462D6
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_00F462D1 push ebx; retf	13_2_00F462D2
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_00F4769F push es; ret	13_2_00F476A0

Source: initial sample	Static PE information: section name: .text entropy: 7.66159215719
Source: initial sample	Static PE information: section name: .text entropy: 7.66159215719

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	File created: C:\Users\user\AppData\Roaming\AGYVBigGPY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

File opened: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.364891578.000000000378B000.00000004.00000001.sdmp, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4301	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4110	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2946	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3846	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2879	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 785
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 429

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 4964	Thread sleep time: -102902s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 2324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5400	Thread sleep count: 4110 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5400	Thread sleep count: 2946 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep count: 3846 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6256	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5804	Thread sleep count: 2879 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6324	Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe TID: 6308	Thread sleep time: -2160000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6796	Thread sleep time: -100824s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412	Thread sleep count: 785 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532	Thread sleep count: 67 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696	Thread sleep count: 429 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Code function: 13_2_0509101A GetSystemInfo,

13_2_0509101A

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Thread delayed: delay time: 102902	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 100824
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.444940190.0000000005AC7000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.444940190.0000000005AC7000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.446464104.0000000004F63000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Code function: 13_2_04F6F8B8 LdrInitializeThunk,

13_2_04F6F8B8

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Memory written: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Process created: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp	Binary or memory string: Program ManagerX
Source: powershell.exe, 00000003.00000002.531329214.0000000003B30000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.533165277.0000000003180000.00000002.00000001.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.523845475.0000000001330000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.538916843.0000000002EFF000.00000004.00000001.sdmp	Binary or memory string: Program Manager4P

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Code function: 13_2_0509339A GetSystemTimes,

13_2_0509339A

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40a1ae9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f095fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d9b521.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409d4c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.52f2be0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.3d96ef8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40451a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f12a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Devizni izvod za partiju 0050100073053.exe.56b4629.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.40497d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.dhcpmon.exe.3f0e434.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Devizni izvod za partiju 0050100073053.exe.3b220e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4040372.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.409868a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4117419.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.Devizni izvod za partiju 0050100073053.exe.4112df0.8.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_050926DE bind,		13_2_050926DE
Source: C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe	Code function: 13_2_0509268C bind,		13_2_0509268C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools11	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection112	Obfuscated Files or Information3	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Software Packing3	Security Account Manager	System Information Discovery14	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Security Software Discovery221	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol21	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Virtualization/Sandbox Evasion31	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Devizni izvod za partiju 0050100073053.exe	66%	Virustotal		Browse
Devizni izvod za partiju 0050100073053.exe	24%	Metadefender		Browse
Devizni izvod za partiju 0050100073053.exe	48%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
Devizni izvod za partiju 0050100073053.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	24%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	48%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	24%	Metadefender		Browse
C:\Users\user\AppData\Roaming\AGYVBigGPY.exe	48%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.2.Devizni izvod za partiju 0050100073053.exe.56b0000.23.unpack	100%	Avira	TR/NanoCore.fadte	Download File
34.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.Devizni izvod za partiju 0050100073053.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
emedoo.ddns.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://im.twitvid.com/api/upload	0%	Virustotal		Browse
http://im.twitvid.com/api/upload	0%	Avira URL Cloud	safe
http://twic.li/api/uploadAudioAndTweet	0%	Avira URL Cloud	safe
http://twic.li/api/video.flv?id=-No	0%	Avira URL Cloud	safe
http://yfrog.com/api/uploadAndPostAmultipart/form-data	0%	Avira URL Cloud	safe
https://im.twitvid.com/api/authenticate	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://twic.li/api/uploadVideoAndTweet	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://twic.li/api/photo.jpg?id=	0%	Avira URL Cloud	safe
http://twic.li/api/getUsersContent?userid=)&content_type=photos	0%	Avira URL Cloud	safe
http://twic.li/api/getUsersContent?userid=	0%	Avira URL Cloud	safe
http://twic.li/api/uploadPhotoAndTweet	0%	Avira URL Cloud	safe
http://twic.li/api/getContent?id=	0%	Avira URL Cloud	safe
emedoo.ddns.net	0%	Avira URL Cloud	safe
http://twic.li/api/uploadAudio	0%	Avira URL Cloud	safe
http://yfrog.com/api/uploadAndPost	0%	Avira URL Cloud	safe
http://twic.li/api/uploadAudioiContent-disposition:	0%	Avira URL Cloud	safe
http://twic.li/api/video.flv?id=	0%	Avira URL Cloud	safe
http://twic.li/api/getUsersContent?username=	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://twic.li/api/uploadAudioAndTweetUContent-Disposition:	0%	Avira URL Cloud	safe
https://im.twitvid.com/api/authenticateCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://twic.li/api/uploadVideoLhttp://twic.li/api/uploadVideoAndTweet	0%	Avira URL Cloud	safe
http://twic.li/api/uploadVideo	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://twic.li/api/uploadPhoto	0%	Avira URL Cloud	safe
http://twic.li/api/uploadPhotokContent-Disposition:	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://twic.li/api/uploadAudioLhttp://twic.li/api/uploadAudioAndTweet:http://twic.li/api/getContentD	0%	Avira URL Cloud	safe
http://twic.li/api/uploadPhotoLhttp://twic.li/api/uploadPhotoAndTweet	0%	Avira URL Cloud	safe
http://im.twitvid.com/api/uploadrhttp://api.twitter.com/1.1/account/verify_credentials.xmljhttp://ap	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
emedoo.ddns.net	79.134.225.71	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
emedoo.ddns.net	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://im.twitvid.com/api/upload	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/statuses/mentions.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/blocks/blocking.xmldhttp://api.twitter.com/1.1/blocks/blocking/ids.xml	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/retweeted_by_me.xml	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/friends_timeline.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/direct_messages.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://twic.li/api/uploadAudioAndTweet	Devizni izvod za partiju 0050100073053.exe	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/blocks/destroy/	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/direct_messages/new.xmlfhttp://api.twitter.com/1.1/direct_messages/sent.x	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/report_spam.xmlJhttp://search.twitter.com/search.atomfhttp://api.twitter.	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/video.flv?id=-No	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/account/update_profile.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://yfrog.com/api/uploadAndPostAmultipart/form-data	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/statuses/show/	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/friendships/show.xml?	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	false		high
http://search.twitter.com/trends/current.json	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/statuses/friends.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.532843494.0000000004F41000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.532258311.0000000005111000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.534281663.0000000004591000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/report_spam.xml	Devizni izvod za partiju 0050100073053.exe	false		high
https://im.twitvid.com/api/authenticate	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.com/oauth/request_token-	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/destroy/	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	false		high
http://twitter.com/oauth/access_token#?x_auth_username=#&x_auth_password=1&x_auth_mode=client_authUh	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/statuses/public_timeline.xml	Devizni izvod za partiju 0050100073053.exe	false		high
https://go.micro	powershell.exe, 00000003.00000003.415909540.00000000058E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.twitter.com/1.1/trends/available.xmlThttp://api.twitter.com/1.1/trends/	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/account/update_profile.xmlQhttp://api.twitter.com/1.1/favorites.xmlghttp:	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/uploadVideoAndTweet	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.twitter.com/1.1/direct_messages/sent.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/favorites/destroy/	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/trends/available.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://twic.li/api/photo.jpg?id=	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twic.li/api/getUsersContent?userid=)&content_type=photos	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twic.li/api/getUsersContent?userid=	Devizni izvod za partiju 0050100073053.exe	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.430789624.0000000007721000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/favorites/create/	Devizni izvod za partiju 0050100073053.exe	false		high
http://twic.li/api/uploadPhotoAndTweet	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/statuses/replies.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/statuses/friends.xmlbhttp://api.twitter.com/1.1/statuses/followers.xmlpht	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/getContent?id=	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/account/update_profile_image.xml	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/users/show.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://twitter.com/oauth/request_token	Devizni izvod za partiju 0050100073053.exe	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.535788541.0000000005251000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.538651440.00000000046D7000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/direct_messages/destroy/	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/uploadAudio	Devizni izvod za partiju 0050100073053.exe	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/direct_messages/new.xml?user=	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twitter.com/oauth/access_token	Devizni izvod za partiju 0050100073053.exe	false		high
http://yfrog.com/api/uploadAndPost	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twic.li/api/uploadAudioiContent-disposition:	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/users/search.xmlRhttp://api.twitter.com/1.1/users/show.xmlvhttp://api.twi	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/replies.xmlfhttp://api.twitter.com/1.1/statuses/retweet/	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/blocks/blocking.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://twitter.com/statuses/retweeted_to_me.xmlfhttp://api.twitter.com/1.1/statuses/retweets/id.xmll	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://search.twitter.com/search.atom	Devizni izvod za partiju 0050100073053.exe	false		high
http://twic.li/api/video.flv?id=	Devizni izvod za partiju 0050100073053.exe	false	Avira URL Cloud: safe	unknown
http://twic.li/api/getUsersContent?username=	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/PesterH	powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.twitter.com/1.1/statuses/mentions.xmlnhttp://api.twitter.com/1.1/statuses/public_timeline	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/friendships/destroy/	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/update.xml?status=	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/uploadAudioAndTweetUContent-Disposition:	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://im.twitvid.com/api/authenticateCapplication/x-www-form-urlencoded	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twic.li/api/uploadVideoLhttp://twic.li/api/uploadVideoAndTweet	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.twitter.com/trends/weekly.json	Devizni izvod za partiju 0050100073053.exe	false		high
https://api.twitter.com/oauth/access_token	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://search.twitter.com/search.atomKhttp://search.twitter.com/trends.json	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/uploadVideo	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://twic.li/api/uploadPhoto	Devizni izvod za partiju 0050100073053.exe	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/blocks/create/	Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/statuses/retweet/	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/blocks/blocking/ids.xml	Devizni izvod za partiju 0050100073053.exe, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/favorites.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/statuses/home_timeline.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/account/verify_credentials.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://twic.li/api/uploadPhotokContent-Disposition:	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/trends/	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/statuses/retweets_of_me.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.543192744.0000000006172000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.545169249.00000000055F3000.00000004.00000001.sdmp	false		high
http://twic.li/api/uploadAudioLhttp://twic.li/api/uploadAudioAndTweet:http://twic.li/api/getContentD	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://twitter.com/statuses/retweeted_to_me.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://api.twitter.com/1.1/followers/ids.xml	Devizni izvod za partiju 0050100073053.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlH	powershell.exe, 00000003.00000002.537074533.0000000005083000.00000004.00000001.sdmp	false		high
http://api.twitter.com/1.1/statuses/update.xmljhttp://api.twitter.com/1.1/statuses/user_timeline.xml	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://twic.li/api/uploadPhotoLhttp://twic.li/api/uploadPhotoAndTweet	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.twitter.com/1.1/statuses/retweets/id.xml_http://api.twitter.com/1.1/statuses/replies.xmlS	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://api.twitter.com/1.1/favorites.xmlXhttp://api.twitter.com/1.1/followers/ids.xmlThttp://api.twi	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false		high
http://im.twitvid.com/api/uploadrhttp://api.twitter.com/1.1/account/verify_credentials.xmljhttp://ap	Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233483406.0000000000262000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245256892.00000000002A2000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000C.00000000.246259331.0000000000432000.00000002.00020000.sdmp, Devizni izvod za partiju 0050100073053.exe, 0000000D.00000000.247851336.0000000000582000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.twitter.com/trends.json	Devizni izvod za partiju 0050100073053.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.71	emedoo.ddns.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411771
Start date:	12.05.2021
Start time:	06:29:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Devizni izvod za partiju 0050100073053.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@35/31@9/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 64.8% Quality standard deviation: 32.4%
HCA Information:	Successful, ratio: 97% Number of executed functions: 490 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:44	API Interceptor	355x Sleep call for process: Devizni izvod za partiju 0050100073053.exe modified
06:30:58	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
06:31:09	API Interceptor	1x Sleep call for process: dhcpmon.exe modified
06:31:44	API Interceptor	185x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.71	QwUl4FaToe.exe	Get hash	malicious	Browse
	SCAN ORDER DOC 040202021.exe	Get hash	malicious	Browse
	gfcYixSdyD.exe	Get hash	malicious	Browse
	WxTm2cWLHF.exe	Get hash	malicious	Browse
	uHAHxir7cFIdUqL.exe	Get hash	malicious	Browse
	Wrcpl1dkib.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	Swift-EUR 28700.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	PAYMENT NOTIFICATION.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse
	fakture.exe	Get hash	malicious	Browse
	BACK ORDER EXPORT0026254E_DOC_PDF.exe	Get hash	malicious	Browse
	img_Payment Advice_822020_jpg.exe	Get hash	malicious	Browse
	Bank Swift_7312020_PDF.exe	Get hash	malicious	Browse
	LKVQYCZZkBgadMX.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	QwUl4FaToe.exe	Get hash	malicious	Browse	79.134.225.71
	IMG_1035852_607.exe	Get hash	malicious	Browse	79.134.225.10
	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse	79.134.225.17
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	Give Offer CVE6535 _TVOP-MIO, pdf.exe	Get hash	malicious	Browse	79.134.225.8
	Waybill Document 22700456.exe	Get hash	malicious	Browse	79.134.225.7
	RFQEMFA.Elektrik.pdf.exe	Get hash	malicious	Browse	79.134.225.17
	w85rzxid7y.exe	Get hash	malicious	Browse	79.134.225.81
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	s65eJyjKga.exe	Get hash	malicious	Browse	79.134.225.47
	new order.xlsx	Get hash	malicious	Browse	79.134.225.47
	Ot3srIM10B.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	wnQXyfONbS.exe	Get hash	malicious	Browse	79.134.225.82
	kwK4iGa9DL.exe	Get hash	malicious	Browse	79.134.225.47
	Remittance E-MAIL Layout - 10_.jar	Get hash	malicious	Browse	79.134.225.106
	4z9Saf2vu3.exe	Get hash	malicious	Browse	79.134.225.47
	NewOrderSupplypdf.exe	Get hash	malicious	Browse	79.134.225.52
	Pu5UMH4fWK.exe	Get hash	malicious	Browse	79.134.225.14
	Swift-Correction.exe	Get hash	malicious	Browse	79.134.225.19

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	877568
Entropy (8bit):	7.25401903162754
Encrypted:	false
SSDEEP:	24576:0lO/1fBDLs8i4Y77/21nEgEcJCHwpKCfLc:0s/1pRY77/Lnc8HwlLc
MD5:	50AB414BE17F4E03BEE8F9C5CEE06335
SHA1:	D0DEF6E40E7858A1B8C46D46F24A6B29499C7C37
SHA-256:	333B1AE9552E6A65AB7C4EDEE6677746E801EBED73294795B9057E17A0E284E6
SHA-512:	A397E7DCEF69FBD15A51080CA4F6AC2A698C9B880D0773950BD7C7777DFC2C5436A084694A825A60CD638E0B637599EE2C9A08119709FF62BBB89374A92361DD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......`....... ... ...@....@.. ....................................@.................................0 ..O....@..`]........................................................................... ............... ..H............text........ ...................... ..`.rsrc...`]...@...^..................@..@.reloc...............b..............@..B................d ......H.......T}..TI......e........Y............................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r'..p~....o0...(1.....t#....+..*...0..&........(....r_..p~....o0...(1.....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Devizni izvod za partiju 0050100073053.exe.log Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	25168
Entropy (8bit):	4.975582086060887
Encrypted:	false
SSDEEP:	768:6BV3IpNBQkj2Lh4iUxQedNYotBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYoI:6BV3CNBQkj2Lh4iUxvdNYotBV3CNBQkx
MD5:	62E1AE94DE84ED9286704EBD6856A263
SHA1:	4888C4CFAA74FA9BCD7339CBF760B1060314246B
SHA-256:	9AC3E181F8EB940093EF7F212696338C30CD1407AF8ECB25610C39D6B00D4C43
SHA-512:	E99B7BA733C622C675AA7944338E994EE0D941663D812D702D986F4C162C4BC40FA2C837C6C761598B826A8CB7157DFBDDC20932B41B3D637209B3333BEEEB37
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nf01gm5.vvm.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2br1q3bz.k2u.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgwq2vs1.fuu.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kv2bxms5.otf.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1gqcsja.gw5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhz4qu2t.ytv.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udy30vs2.d4j.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2l21i0h.hu0.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zm0bfdmr.3xj.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zopv30bh.0qg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2011.tmp Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1659
Entropy (8bit):	5.181728169538348
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1tn:cbhH7MlNQ8/rydbz9I3YODOLNdq3V
MD5:	B27BCB69317043F17C0C452DBE3F9E4D
SHA1:	EF1FC850D6C2E7D02760122EF4DA4E8F918138A5
SHA-256:	1D46225432C74CBE4F42B1958FBEA7F1694B69FBFBE0F5FB9CB8043AB271554E
SHA-512:	216D3A4B522AB72A40D6F72A2FDB022324E91F286F2247B4A61AC8471235BFFE5ED8C7E6AFEC4019FB2ACD4EE2C5146CC162D9DC2B891300BA79B0F911629E35
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Local\Temp\tmp864D.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1659
Entropy (8bit):	5.181728169538348
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1tn:cbhH7MlNQ8/rydbz9I3YODOLNdq3V
MD5:	B27BCB69317043F17C0C452DBE3F9E4D
SHA1:	EF1FC850D6C2E7D02760122EF4DA4E8F918138A5
SHA-256:	1D46225432C74CBE4F42B1958FBEA7F1694B69FBFBE0F5FB9CB8043AB271554E
SHA-512:	216D3A4B522AB72A40D6F72A2FDB022324E91F286F2247B4A61AC8471235BFFE5ED8C7E6AFEC4019FB2ACD4EE2C5146CC162D9DC2B891300BA79B0F911629E35
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\AGYVBigGPY.exe Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	877568
Entropy (8bit):	7.25401903162754
Encrypted:	false
SSDEEP:	24576:0lO/1fBDLs8i4Y77/21nEgEcJCHwpKCfLc:0s/1pRY77/Lnc8HwlLc
MD5:	50AB414BE17F4E03BEE8F9C5CEE06335
SHA1:	D0DEF6E40E7858A1B8C46D46F24A6B29499C7C37
SHA-256:	333B1AE9552E6A65AB7C4EDEE6677746E801EBED73294795B9057E17A0E284E6
SHA-512:	A397E7DCEF69FBD15A51080CA4F6AC2A698C9B880D0773950BD7C7777DFC2C5436A084694A825A60CD638E0B637599EE2C9A08119709FF62BBB89374A92361DD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......`....... ... ...@....@.. ....................................@.................................0 ..O....@..`]........................................................................... ............... ..H............text........ ...................... ..`.rsrc...`]...@...^..................@..@.reloc...............b..............@..B................d ......H.......T}..TI......e........Y............................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r'..p~....o0...(1.....t#....+..*...0..&........(....r_..p~....o0...(1.....

C:\Users\user\AppData\Roaming\AGYVBigGPY.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	data
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC08
MD5:	0D79388CEC6619D612C2088173BB6741
SHA1:	8A312E3198009C545D0CF3254572189D29A03EA7
SHA-256:	D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF
SHA-512:	53BB3E9263DFD746E7E8159466E220E6EC9D81E9D3F0E1D191E09CD511B7EB93B0BA65D13CE0C97C652ECD0F69BB991E6B1840F961BC65003C4DD7AA93EEDA13
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.4056390622295662
Encrypted:	false
SSDEEP:	3:tvj:tvj
MD5:	02D5A593FEC6C4B98F90CCFF6ADD6E2C
SHA1:	F544B4D3B3717558E22E2B082BDD5018DE8AE765
SHA-256:	134D5CE17F0F33356C65007BB35715CC72F3A22E659E34F957212A7168BC1250
SHA-512:	3FEF07C755A48CA95F7559BB90FBF6AA858E44DDDE1D25A75AEEAF459980F5C656A52DA4F05C6E7BA788940FA49CA958B73E2B120BD1D24A48B9B4B0E47BBA48
Malicious:	true
Preview:	...*J..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	data
Category:	modified
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.320159765557392
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5:	BB0F9B9992809E733EFFF8B0E562CFD6
SHA1:	F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256:	C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512:	AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\Documents\20210512\PowerShell_transcript.284992.8sAzw+Dk.20210512063128.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	692
Entropy (8bit):	5.407987213876938
Encrypted:	false
SSDEEP:	12:57DtSA6NeidZO3fBd25orRx2DOzzUjjIneSuxNHwNeWo9Pw6jewGxMKjX4CIymgH:BxSACdZOvBdaUx2DOXUWeSuJWQHjeTKy
MD5:	3A634A38F704AF9AB4E9A667D92D3034
SHA1:	222A8C4D9E823EC6B241850C7CCF2974C0E61AF1
SHA-256:	E8B4E1ADB39E6C39FC0574DAF5EA61431B46E434BEF28A97198C5951C18C14E5
SHA-512:	91B54D26D21D2E6C418D94A4C768B75D36A1175DAE771C0A0C252446E807E99BD60EE5BBEADBB4AB0444D1956DE71F51FB6C54905EB67C9EADEC058A0673DDDA
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512063235..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AGYVBigGPY.exe..Process ID: 6644..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..********************..

C:\Users\user\Documents\20210512\PowerShell_transcript.284992.9Vv_x1G2.20210512063125.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.387679237624884
Encrypted:	false
SSDEEP:	12:57DtSA6N6AidZO3fBd25orRx2DOzzUjjIneSur+WoCdPw6jewGxMKjX4CIymgSsx:BxSABAidZOvBdaUx2DOXUWeSur+WJdHy
MD5:	E259EFE2F9F722D8FAD8C2D100B4F7D8
SHA1:	249522ECDC08701B1AE06169CF01ABD96A6298F0
SHA-256:	3A0910F0E87A2AC0A3E168F00F39B1FA3AB1E24BA7FFCD715912DA0234BB013B
SHA-512:	0B94AEADE994A348C75DB5F8CD4781BEC9539FACF0C76C151BE6DE1955CAAC559B6B48330BABF1D31ED956CB30B895BC8FC75E54A6124A0E843130986D684777
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512063243..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 4708..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..********************..

C:\Users\user\Documents\20210512\PowerShell_transcript.284992.hO0k8c4M.20210512063049.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	862
Entropy (8bit):	5.358854555611145
Encrypted:	false
SSDEEP:	24:BxSACydZOvBdaUx2DOXUWeSuJW8HjeTKKjX4CIym1ZJXguB:BZ8v6UoO+SP8qDYB1Z+g
MD5:	5A7EAF9BC9B5A1A7857562076DDD9A27
SHA1:	AF665A1EFAC71BAA8C9608C49E749232DA05547C
SHA-256:	29F03B82610592E81B95EC8B388AD6D71C2B9628278B70EECA20969667923FEB
SHA-512:	0B2BAA41EA3A6A42597EF0FAE72847ABF7350A899ABD17AA8E11AB3BFD406E9695FC4036B5051E6CEA42983B512632ED53BF4463140506D87DC008DB6BC9A42D
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512063124..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AGYVBigGPY.exe..Process ID: 5876..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512063125..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AGYVBigGPY.exe..

C:\Users\user\Documents\20210512\PowerShell_transcript.284992.nr8pMLKJ.20210512063051.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	862
Entropy (8bit):	5.350964262311637
Encrypted:	false
SSDEEP:	24:BxSA/dZOvBdaUx2DOXUWeSuJWrHjeTKKjX4CIym1ZJXjuB:BZqv6UoO+SPrqDYB1Z9g
MD5:	D6F00C73EE917223FE91D980F9E04494
SHA1:	2AF600781F3C4BB7BDBF700697F0B2446E563876
SHA-256:	48600FFDE10974E8E7F26EC3886BC216AE8F25608E3FD1EB572B3BB3F0FE82D0
SHA-512:	BB1714C33DD95C6215A85CA6BEE33D7EFE887592DDA183E0A1E6838D7484B72CAFDCDBBBF468B94649D8C854AFB941C3E2C3D4D296F7AA9BE327EF8D0CFD1109
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512063126..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AGYVBigGPY.exe..Process ID: 2104..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512063126..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AGYVBigGPY.exe..

C:\Users\user\Documents\20210512\PowerShell_transcript.284992.oeX3hsoM.20210512063048.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2071
Entropy (8bit):	5.327464690880742
Encrypted:	false
SSDEEP:	48:BZFv6UoO+SjXO5ezqDYB1Z3jXO50hZDv6UoO+SjXO5ezqDYB1ZGqA:BZp6UNlOeqDo1ZLO2hZz6UNlOeqDo1Z4
MD5:	A75C3AB8C2111C7C68CA9166B6B23C02
SHA1:	EF6FB863969049D9A608059A22B6DE1C676F7370
SHA-256:	F2835B9FF108B6C211CFC17B854E96141DBA2D96FDFEE3996DB69E78CBF59AA8
SHA-512:	14037BB575607BEC1F6782A5065ACD4A203F22582514B9D5AC4C15D62770998D6B259BF520D2FCBD1ED82FC9A54B38D0BA04A994A428CE9E9C36C8E397D32040
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210512063114..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe..Process ID: 5488..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210512063115..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe..******************..Command start time: 20210512063915..********************..PS>Terminating

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.25401903162754
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Devizni izvod za partiju 0050100073053.exe
File size:	877568
MD5:	50ab414be17f4e03bee8f9c5cee06335
SHA1:	d0def6e40e7858a1b8c46d46f24a6b29499c7c37
SHA256:	333b1ae9552e6a65ab7c4edee6677746e801ebed73294795b9057e17a0e284e6
SHA512:	a397e7dcef69fbd15a51080ca4f6ac2a698c9b880d0773950bd7c7777dfc2c5436a084694a825a60cd638e0b637599ee2c9a08119709ff62bbb89374a92361dd
SSDEEP:	24576:0lO/1fBDLs8i4Y77/21nEgEcJCHwpKCfLc:0s/1pRY77/Lnc8HwlLc
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P......`....... ... ...@....@.. ....................................@................................

File Icon


Icon Hash:	70d8ccd2d6ccf071

Static PE Info

General
Entrypoint:	0x4a2082
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6099070E [Mon May 10 10:12:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2030	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x35d60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0088	0xa0200	False	0.821009282299	data	7.66159215719	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x35d60	0x35e00	False	0.368324934745	data	5.19988984772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa42e0	0x94a9	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
RT_ICON	0xad78c	0x4872	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xb2000	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc2828	0x94a8	data
RT_ICON	0xcbcd0	0x5488	data
RT_ICON	0xd1158	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696
RT_ICON	0xd5380	0x25a8	data
RT_ICON	0xd7928	0x10a8	data
RT_ICON	0xd89d0	0x988	data
RT_ICON	0xd9358	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xd97c0	0x92	data
RT_VERSION	0xd9854	0x320	data
RT_MANIFEST	0xd9b74	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	FXAssembly.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Geom3D
ProductVersion	1.0.0.0
FileDescription	GeometRi
OriginalFilename	FXAssembly.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-06:30:58.816182	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	5230	192.168.2.7	79.134.225.71
05/12/21-06:31:10.596014	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	5230	192.168.2.7	79.134.225.71
05/12/21-06:31:25.018858	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	5230	192.168.2.7	79.134.225.71
05/12/21-06:31:38.122656	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49725	5230	192.168.2.7	79.134.225.71
05/12/21-06:32:01.720351	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	5230	192.168.2.7	79.134.225.71
05/12/21-06:32:15.474221	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	5230	192.168.2.7	79.134.225.71
05/12/21-06:32:26.930999	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	5230	192.168.2.7	79.134.225.71
05/12/21-06:32:48.787980	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49730	5230	192.168.2.7	79.134.225.71

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 06:30:58.086821079 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:58.230679035 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:58.231053114 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:58.816181898 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:58.975986958 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:58.977135897 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:59.172842979 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:59.177062035 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:59.322546959 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:59.324124098 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:59.530989885 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:59.657485962 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:30:59.855797052 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:30:59.855914116 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.049459934 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.049767971 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.050853968 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.051115990 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.051256895 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.051403046 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.051767111 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.052685976 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.052742958 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.052867889 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.053277016 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.053433895 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.053596973 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.054292917 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.054467916 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.054598093 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.055284977 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.055593967 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.055622101 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.056200027 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.194266081 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.194540977 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.194603920 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.194674969 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.194694042 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.195782900 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.196319103 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.196455956 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.197699070 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.197850943 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.199152946 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.199263096 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.199323893 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.199448109 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.199470043 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.199474096 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.200005054 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.200119972 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.201483011 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.201638937 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.203311920 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.203594923 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.203903913 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.203922987 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.205699921 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.206407070 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.206943035 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.207770109 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.208364964 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.208719015 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.208739042 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.209036112 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.210536003 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.211755991 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.211779118 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.211838961 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.211843967 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.340907097 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.341697931 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.342142105 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.342258930 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.342504978 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.342662096 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.343385935 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.343470097 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.344639063 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.345073938 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.345360994 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.346088886 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.346431971 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.347409964 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.347713947 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.350450993 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.350615025 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.350811005 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.351110935 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.351134062 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.351718903 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.352113962 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.352211952 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.352830887 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.354094028 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.354219913 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.354240894 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.354324102 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.354338884 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.356944084 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.357347012 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.357585907 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.358544111 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.358695984 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.365883112 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.365915060 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.366096020 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.366435051 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.366525888 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.366552114 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.366940975 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.366961002 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.367712021 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.367841959 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.367878914 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.367950916 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.368201017 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.368666887 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.368874073 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.368900061 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.369071960 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.369477034 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.369689941 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.370115042 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.370245934 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.370270967 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.370455980 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.371031046 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.371090889 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.371766090 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.371867895 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.371893883 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.487083912 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.487551928 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.488600969 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.488625050 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.488655090 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.488769054 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.489557028 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.489990950 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.493016958 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.493783951 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.494049072 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.494816065 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.495636940 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.495728016 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.495750904 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.498645067 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.499380112 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.499398947 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.499416113 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.499839067 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.499862909 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.500669956 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.500875950 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.509572983 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.510634899 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.510656118 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.511013985 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.511120081 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.511708021 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.511902094 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.511919022 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.512078047 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.512300968 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.513499022 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.513725996 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.513725996 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.513742924 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.513829947 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.513839960 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.514559031 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.515096903 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.515355110 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.515367985 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.515444994 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.515544891 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.515667915 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.515892982 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.516663074 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.516729116 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.517436028 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.517813921 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.632347107 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.632368088 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.632702112 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.632755041 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.632780075 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.632782936 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.634363890 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.634536982 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.634701967 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.635921955 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.637634039 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.639811039 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.640333891 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.640501022 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.640788078 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.642884016 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.642935038 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.643440008 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.643906116 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.644084930 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.644172907 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.644407034 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.644579887 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.644812107 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.644823074 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.644996881 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.646729946 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.653938055 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.655769110 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.655865908 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.656343937 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.657788038 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.658020973 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.658271074 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.658529997 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.658628941 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.658641100 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.659729004 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.659888983 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.659984112 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.659997940 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.660191059 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.660598040 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.660804033 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.660815954 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.661004066 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.662303925 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.664009094 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.787287951 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.787487030 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.787653923 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.788506985 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.789554119 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.789742947 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.790215969 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.790235043 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.790370941 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.790393114 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.801778078 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.802651882 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.802923918 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.802930117 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.803076982 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.803165913 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.803184986 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.803345919 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.804106951 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.804482937 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.804641008 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.804845095 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.804857969 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.805042982 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.806097031 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.806212902 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.806238890 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.806324959 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.806942940 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.807145119 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.808156967 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.808182001 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.808275938 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.808291912 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.808893919 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.809343100 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.809603930 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.809886932 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.810612917 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.810748100 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.810764074 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.810957909 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.811892986 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.812160969 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.812251091 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.812984943 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.813112020 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.813128948 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.930800915 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.931786060 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.932024002 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.932168961 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.932717085 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.932876110 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.933816910 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.934330940 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.934696913 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.934777975 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.934792042 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.947010994 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.947684050 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.947901011 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.947925091 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.947957993 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.947963953 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.948574066 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.949280977 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.949429035 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.949903965 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.950385094 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.950475931 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.950491905 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.950505972 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.950551987 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.951636076 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.952279091 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.952902079 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.953044891 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.953066111 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.953089952 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.954021931 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.954261065 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.955061913 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.955471992 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.956957102 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.957279921 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.957568884 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:00.959995031 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:00.978466988 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.046792984 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.078500986 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.078728914 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.078762054 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.078918934 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.080488920 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.080606937 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.081304073 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.082199097 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.093003035 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.093694925 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.093847036 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.093873024 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.095926046 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.096719027 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.096884012 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.097531080 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.097572088 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.097584963 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.097588062 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.097809076 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.097835064 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.098179102 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.098236084 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.098243952 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.099153996 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.099343061 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.099466085 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.099981070 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.100169897 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.100194931 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.100204945 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.102229118 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.102385998 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.103590965 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.104173899 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.104516983 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.104933977 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.104943037 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.222598076 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.223078966 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.223419905 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.223833084 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.226722002 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.227210999 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.238964081 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.239216089 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.240008116 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.240963936 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.241430998 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.245482922 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.246340990 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.246442080 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.246476889 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.246511936 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.247549057 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.247862101 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.248164892 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.248639107 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.249368906 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.249433994 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.249491930 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.249505043 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.249798059 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.250538111 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.250567913 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.250649929 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.250664949 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.250670910 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.251818895 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.252269983 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.252285957 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.252371073 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.252392054 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.252401114 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.254160881 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.254524946 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.366929054 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.369071960 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.369112015 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.369832993 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.370624065 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.371427059 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.371579885 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.387576103 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.387975931 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.388170004 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.389648914 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.391963005 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.391988039 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.392224073 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.392745972 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.393208027 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.393399954 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.393420935 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.395998001 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.396370888 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.398298025 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.398354053 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.398768902 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.399466991 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.400536060 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.400625944 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.400717974 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.400738001 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.400763988 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.401498079 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.401638985 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.402412891 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.402590036 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.403855085 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.455555916 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.513992071 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.514343977 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.515234947 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.515275955 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.515984058 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.531104088 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.531235933 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.534811974 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.536499023 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.536617041 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.536637068 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.536916018 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.537966967 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.538507938 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.539087057 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.541152000 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.541297913 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.541789055 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.541985035 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.546159029 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.546807051 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.546835899 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.546999931 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.547018051 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.547020912 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.547157049 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.547625065 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.646935940 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.649641037 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.661087990 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.661274910 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.661416054 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.661792040 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.662496090 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.662522078 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.684041023 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.684233904 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.684494019 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.685550928 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.685719013 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.685969114 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.686402082 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.686801910 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.687268019 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.688029051 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.688081980 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.688159943 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.688169956 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.690298080 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.691009998 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.691600084 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.691885948 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.692014933 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.692277908 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.692390919 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.692404032 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.805399895 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.807801962 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.808126926 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.808149099 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.808300972 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.812083960 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.832279921 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.832305908 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.832472086 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.833247900 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.833578110 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.834111929 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.834470034 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.834496975 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.834913015 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.837492943 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.837769985 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.837794065 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.841871977 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.841898918 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.841924906 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.842082024 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.953814983 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.954665899 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.954862118 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.954891920 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.955882072 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.977912903 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.979506969 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.979528904 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.979813099 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.979860067 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.980341911 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.980448008 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.981079102 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.981312990 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.982722044 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.982889891 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.982940912 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.983203888 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:01.983342886 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.983417034 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:01.983550072 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:02.159440041 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:03.375617027 CEST	5230	49715	79.134.225.71	192.168.2.7
May 12, 2021 06:31:03.549345970 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:03.550466061 CEST	49715	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:10.442995071 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:10.586575031 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:10.588769913 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:10.596014023 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:10.750201941 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:10.750613928 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:10.937323093 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:10.938926935 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.082984924 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.120220900 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.308093071 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.308716059 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.493372917 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.494441986 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.503540039 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.504053116 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.504141092 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.504959106 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.506037951 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.506160021 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.506742001 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.506870985 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.506958961 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.508006096 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.508038998 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.508183002 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.508496046 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.508548021 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.508569956 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.508598089 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.510920048 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.512382030 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.647857904 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.649481058 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.649585962 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.650424004 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.650774002 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.650814056 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.650860071 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.653851986 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.653940916 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.654169083 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.654237986 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.654297113 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.654469967 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.655819893 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.655846119 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.655899048 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.656730890 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.657241106 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.657315969 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.657330990 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.657849073 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.658153057 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.658217907 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.659274101 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.659385920 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.659758091 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.659840107 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.660362959 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.660420895 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.660671949 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.660753965 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.661242008 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.661407948 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.661472082 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.663005114 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.665036917 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.794548035 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.795207024 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.795278072 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.796514034 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.796607018 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.796689987 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.796797991 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.797656059 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.797792912 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.798463106 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.798612118 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.799822092 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.800097942 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.800246000 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.800340891 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.801022053 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.801249027 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.801294088 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.801331997 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.801656961 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.802509069 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.802690029 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.802732944 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.803056955 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.803195000 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.804311037 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.805283070 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.805314064 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.805396080 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.805406094 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.805809975 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.805876970 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.806006908 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.806149960 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.806782961 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.806952953 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.807286978 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.807360888 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.807774067 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.807842970 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.807895899 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.807928085 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.808212042 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.808418036 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.808814049 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.809258938 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.809345007 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.809499979 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.809757948 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.810285091 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.810359001 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.810381889 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.810859919 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.810952902 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.811352968 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.811778069 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.812366962 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.812412024 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.812488079 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.812494040 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.812943935 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.813095093 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.813328981 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.813540936 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.813728094 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.813802958 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.814007998 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.814027071 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.814074993 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.814852953 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.815931082 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.939915895 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.940468073 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.940776110 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.941067934 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.941219091 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.942312002 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.942331076 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.945260048 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.945580959 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.947005033 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.947045088 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.947129965 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.947742939 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.948345900 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.948399067 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.948430061 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.948781013 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.948889971 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.949598074 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.949685097 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.949749947 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.949799061 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.951086044 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.951328993 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.951365948 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.951426029 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.951448917 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.951481104 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.953135014 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.953231096 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.953299046 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.953403950 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.953473091 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.954571962 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.955039978 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.955141068 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.955358028 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.957959890 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.958091021 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.958117008 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.958152056 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.958164930 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.958184958 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.958247900 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.958266020 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.960138083 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.960206032 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.960335970 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.960453987 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.960697889 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.960783958 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.960804939 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.960933924 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.961869955 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.962138891 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.962332010 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.962548971 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.962650061 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.962716103 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.962784052 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.963346004 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.963629007 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.963723898 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.964015961 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.964210033 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.964692116 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.964764118 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.965485096 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.965612888 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.965742111 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.965936899 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.966376066 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.966447115 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.966944933 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.966964006 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.967029095 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.967046976 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.967453003 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.967832088 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.967895031 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.968544960 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:11.968545914 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:11.968713045 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.065912962 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.068667889 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.083831072 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.085581064 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.085705996 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.085745096 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.086834908 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.086920023 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.089062929 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.089458942 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.091825008 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.091993093 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.092209101 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.092279911 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.092359066 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.092598915 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.093348026 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.093430042 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.093831062 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.093861103 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.093935966 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.093961954 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.094723940 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.094863892 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.096415997 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.096739054 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.096756935 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.096839905 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.097313881 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.098402977 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.099739075 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.099845886 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.101459026 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.101547003 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.101562023 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.101694107 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.102544069 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.102737904 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.103315115 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.103468895 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.103527069 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.103545904 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.104608059 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.104712963 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.105313063 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.105381966 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.106869936 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.107294083 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.107379913 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.107789040 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.108948946 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.109105110 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.109158039 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.109709978 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.109935999 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.110089064 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.110105991 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.110342979 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.110785007 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.111192942 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.111210108 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.111304998 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.111418009 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.111536026 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.111795902 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.111820936 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.111990929 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.112339020 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.112844944 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.113050938 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.113152981 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.114084959 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.114164114 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.229608059 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.229621887 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.229687929 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.229707003 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.229712009 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.234709024 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.234798908 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.235975981 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.236860991 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.236970901 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.238607883 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.238625050 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.238732100 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.238758087 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.238833904 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.239923000 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.240571022 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.241050005 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.241802931 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.241879940 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.242978096 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.244309902 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.245516062 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.245965958 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.246262074 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.247690916 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.247739077 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.247766972 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.248043060 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.248131990 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.248136044 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.248222113 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.249979019 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.250056982 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.250583887 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.250644922 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.252079010 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.252861977 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.254101992 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.254311085 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.254409075 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.254470110 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.255326986 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.255404949 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.255842924 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.255908966 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.256113052 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.256863117 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.257488012 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.257904053 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.375456095 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.376852989 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.379844904 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.379919052 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.380160093 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.380230904 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.380553007 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.380642891 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.382829905 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.382865906 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.383044958 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.383330107 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.383374929 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.383400917 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.384069920 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.384932041 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.385891914 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.385951996 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.385999918 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.386080027 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.387841940 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.387928963 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.389266968 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.391582012 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.391608000 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.391680002 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.391716003 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.392002106 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.392283916 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.393635035 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.394367933 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.394670010 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.394783020 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.395445108 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.396059990 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.396408081 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.396842957 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.397901058 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.397964001 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.398055077 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.398149014 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.401469946 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.402290106 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.402410030 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.402615070 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.403116941 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.403283119 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.403295040 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.403481007 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.403717995 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.521286011 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.523619890 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.523865938 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.525058031 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.525127888 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.525362015 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.525464058 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.528016090 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.528080940 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.528148890 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.528219938 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.528229952 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.528276920 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.530014038 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.530028105 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.530098915 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.530288935 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.531156063 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.531217098 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.531372070 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.535659075 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.535729885 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.536650896 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.536761999 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.537245035 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.537318945 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.538005114 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.538523912 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.538621902 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.538887978 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.539031982 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.539063931 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.540052891 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.540155888 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.541018009 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.542295933 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.542376041 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.542962074 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.544282913 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.547017097 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.547653913 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.547744036 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.547797918 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.547967911 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.547996998 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.548623085 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.548863888 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.668178082 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.668291092 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.668318987 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.668489933 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.668543100 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.668850899 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.668940067 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.670511961 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.670667887 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.671793938 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.672918081 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.673259974 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.673814058 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.673979998 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.674295902 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.674398899 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.674412012 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.674448967 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.674489975 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.675174952 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.675627947 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.676995039 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.679079056 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.679342031 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.680114985 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.680572033 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.680653095 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.680725098 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.680862904 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.682605028 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.683047056 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.683135033 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.683866978 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.684022903 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.684101105 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.686359882 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.686486959 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.686935902 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.687076092 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.687541008 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.687716961 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.691301107 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.691943884 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.692027092 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.692115068 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.692718029 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.692862988 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.693432093 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.693572044 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.814215899 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.814239025 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.814732075 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.814867020 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.815732956 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.820965052 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.821849108 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.821872950 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.822061062 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.822870016 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.822887897 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.823858023 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.823895931 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.824542999 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.824559927 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.824578047 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.824641943 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.824650049 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.825802088 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.825824022 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.826859951 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.826913118 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.827138901 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.827159882 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.827173948 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.827240944 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.827248096 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.828568935 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.828591108 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.828712940 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.828720093 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.830075026 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.830096006 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.831897974 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.832868099 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.832884073 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:12.832993031 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.833000898 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:12.897989988 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:13.092986107 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:13.282145977 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:13.471447945 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:13.471998930 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:13.602159023 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:13.661030054 CEST	5230	49720	79.134.225.71	192.168.2.7
May 12, 2021 06:31:13.661886930 CEST	49720	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:24.184938908 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:24.331185102 CEST	5230	49723	79.134.225.71	192.168.2.7
May 12, 2021 06:31:24.331332922 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:25.018857956 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:25.176373005 CEST	5230	49723	79.134.225.71	192.168.2.7
May 12, 2021 06:31:25.338673115 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:25.340478897 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:25.400010109 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:25.486304998 CEST	5230	49723	79.134.225.71	192.168.2.7
May 12, 2021 06:31:25.486402035 CEST	49723	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:37.679714918 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:37.827189922 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:37.831366062 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:38.122656107 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:38.279764891 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:38.280795097 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:38.481569052 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:38.482203007 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:38.629887104 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:38.865448952 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:38.917526960 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:39.010272980 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:39.010551929 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:39.117068052 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:39.245312929 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:39.364711046 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:39.511914968 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:39.661812067 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:41.977149010 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:42.165818930 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:42.991502047 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:43.161896944 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:44.339778900 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:44.541306973 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:44.662023067 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:44.864484072 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:44.915599108 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:45.109937906 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:45.208659887 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:45.400372982 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:45.476947069 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:45.542561054 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:45.662833929 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:45.678103924 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:45.678359032 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:45.824246883 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:46.042545080 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:46.234390974 CEST	5230	49725	79.134.225.71	192.168.2.7
May 12, 2021 06:31:46.299371004 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:46.330034018 CEST	49725	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:58.103585958 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:31:58.247951984 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:31:58.251919985 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:01.720350981 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:01.874392033 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:01.931087017 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:02.112303972 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:02.298746109 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:02.299226999 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:02.444336891 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:02.489033937 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:03.399437904 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:03.445038080 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:03.590563059 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:03.787362099 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:03.929475069 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:03.976371050 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:04.123671055 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:04.163701057 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:04.235508919 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:04.426208973 CEST	5230	49726	79.134.225.71	192.168.2.7
May 12, 2021 06:32:04.426672935 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:04.467418909 CEST	49726	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:13.612091064 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:13.756998062 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:13.757097960 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:15.474220991 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:15.630315065 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:15.680234909 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:16.096040964 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:16.286823034 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:16.287018061 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:16.432370901 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:16.477206945 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:16.651977062 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:16.837573051 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:16.981053114 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.009562016 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.154778004 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.155296087 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.350632906 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.350780964 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.545456886 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.545655012 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.688965082 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.743161917 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.888721943 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:17.930463076 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:17.996726990 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:18.194657087 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:18.194819927 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:18.391560078 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:18.917098045 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:18.961805105 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:20.068833113 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:20.261094093 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:20.261298895 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:20.463932991 CEST	5230	49727	79.134.225.71	192.168.2.7
May 12, 2021 06:32:20.635195971 CEST	49727	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:26.733402014 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:26.877675056 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:26.877794027 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:26.930999041 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:27.086766005 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:27.134371042 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:27.262936115 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:27.415556908 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:27.462452888 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:27.533401966 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:27.720808029 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:27.922524929 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:28.106262922 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:28.134645939 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:28.235853910 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:28.277626991 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:28.277807951 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:28.420384884 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:28.462568045 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:28.504940033 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:28.698311090 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:30.323601007 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:30.469875097 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:30.470006943 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:30.612503052 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:30.666069031 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:30.746593952 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:31.056602955 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:31.199290991 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:31.400377989 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:31.557075024 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:31.770442963 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:31.964742899 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:31.964910984 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:32.044909954 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:32.087898970 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:32.161098003 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:32.161292076 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:32.357456923 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:32.400127888 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:32.523205996 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:32.588109016 CEST	5230	49728	79.134.225.71	192.168.2.7
May 12, 2021 06:32:32.588203907 CEST	49728	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:40.230478048 CEST	49729	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:40.373722076 CEST	5230	49729	79.134.225.71	192.168.2.7
May 12, 2021 06:32:40.373836040 CEST	49729	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:41.492312908 CEST	49729	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:41.638731003 CEST	5230	49729	79.134.225.71	192.168.2.7
May 12, 2021 06:32:48.591964006 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:48.734880924 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:48.735090971 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:48.787980080 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:48.941518068 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:48.943660975 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:49.087106943 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.089548111 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:49.278330088 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.403338909 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.408063889 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:49.554652929 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.556144953 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:49.699959993 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.700428009 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:49.851835012 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:49.901844025 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:50.201421976 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:50.245642900 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:53.879348040 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:53.933518887 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:58.305016041 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:58.355760098 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:32:58.881614923 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:32:58.933936119 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:03.897178888 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:03.963746071 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:06.356966972 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:06.403208017 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:08.906862020 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:08.948163986 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:13.917412996 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:13.966341019 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:14.435311079 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:14.482105970 CEST	49730	5230	192.168.2.7	79.134.225.71
May 12, 2021 06:33:18.929601908 CEST	5230	49730	79.134.225.71	192.168.2.7
May 12, 2021 06:33:18.982374907 CEST	49730	5230	192.168.2.7	79.134.225.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 06:30:58.013586998 CEST	52816	53	192.168.2.7	8.8.4.4
May 12, 2021 06:30:58.072453976 CEST	53	52816	8.8.4.4	192.168.2.7
May 12, 2021 06:31:10.105428934 CEST	49958	53	192.168.2.7	8.8.4.4
May 12, 2021 06:31:10.165529966 CEST	53	49958	8.8.4.4	192.168.2.7
May 12, 2021 06:31:23.804364920 CEST	50452	53	192.168.2.7	8.8.4.4
May 12, 2021 06:31:23.863307953 CEST	53	50452	8.8.4.4	192.168.2.7
May 12, 2021 06:31:37.596846104 CEST	59730	53	192.168.2.7	8.8.4.4
May 12, 2021 06:31:37.656759024 CEST	53	59730	8.8.4.4	192.168.2.7
May 12, 2021 06:31:57.780992985 CEST	51919	53	192.168.2.7	8.8.4.4
May 12, 2021 06:31:57.839382887 CEST	53	51919	8.8.4.4	192.168.2.7
May 12, 2021 06:32:13.039374113 CEST	64296	53	192.168.2.7	8.8.4.4
May 12, 2021 06:32:13.099052906 CEST	53	64296	8.8.4.4	192.168.2.7
May 12, 2021 06:32:26.642617941 CEST	56680	53	192.168.2.7	8.8.4.4
May 12, 2021 06:32:26.701777935 CEST	53	56680	8.8.4.4	192.168.2.7
May 12, 2021 06:32:37.803754091 CEST	58820	53	192.168.2.7	8.8.4.4
May 12, 2021 06:32:37.860908031 CEST	53	58820	8.8.4.4	192.168.2.7
May 12, 2021 06:32:48.533617973 CEST	60983	53	192.168.2.7	8.8.4.4
May 12, 2021 06:32:48.590641975 CEST	53	60983	8.8.4.4	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 06:30:58.013586998 CEST	192.168.2.7	8.8.4.4	0x4092	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:31:10.105428934 CEST	192.168.2.7	8.8.4.4	0x8a62	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:31:23.804364920 CEST	192.168.2.7	8.8.4.4	0x70a9	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:31:37.596846104 CEST	192.168.2.7	8.8.4.4	0x3e7a	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:31:57.780992985 CEST	192.168.2.7	8.8.4.4	0x188f	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:32:13.039374113 CEST	192.168.2.7	8.8.4.4	0xc160	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:32:26.642617941 CEST	192.168.2.7	8.8.4.4	0xef36	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:32:37.803754091 CEST	192.168.2.7	8.8.4.4	0x7e6e	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)
May 12, 2021 06:32:48.533617973 CEST	192.168.2.7	8.8.4.4	0xfb75	Standard query (0)	emedoo.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 06:30:58.072453976 CEST	8.8.4.4	192.168.2.7	0x4092	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:31:10.165529966 CEST	8.8.4.4	192.168.2.7	0x8a62	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:31:23.863307953 CEST	8.8.4.4	192.168.2.7	0x70a9	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:31:37.656759024 CEST	8.8.4.4	192.168.2.7	0x3e7a	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:31:57.839382887 CEST	8.8.4.4	192.168.2.7	0x188f	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:32:13.099052906 CEST	8.8.4.4	192.168.2.7	0xc160	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:32:26.701777935 CEST	8.8.4.4	192.168.2.7	0xef36	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:32:37.860908031 CEST	8.8.4.4	192.168.2.7	0x7e6e	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)
May 12, 2021 06:32:48.590641975 CEST	8.8.4.4	192.168.2.7	0xfb75	No error (0)	emedoo.ddns.net	79.134.225.71	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 4504 Parent PID: 5716

General

Start time:	06:30:43
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Imagebase:	0x260000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.255288442.0000000002A3B000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.256690894.0000000003A11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 5488 Parent PID: 4504

General

Start time:	06:30:45
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe'
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5304 Parent PID: 5488

General

Start time:	06:30:46
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5876 Parent PID: 4504

General

Start time:	06:30:46
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 1744 Parent PID: 4504

General

Start time:	06:30:46
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp2011.tmp'
Imagebase:	0xbe0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2148 Parent PID: 5876

General

Start time:	06:30:46
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5852 Parent PID: 1744

General

Start time:	06:30:47
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 2104 Parent PID: 4504

General

Start time:	06:30:47
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 5932 Parent PID: 4504

General

Start time:	06:30:48
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Imagebase:	0x2a0000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5340 Parent PID: 2104

General

Start time:	06:30:48
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 6164 Parent PID: 4504

General

Start time:	06:30:49
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Imagebase:	0x430000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 6196 Parent PID: 4504

General

Start time:	06:30:50
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Devizni izvod za partiju 0050100073053.exe
Imagebase:	0x580000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.541194418.0000000003D8D000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.546573646.00000000056B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546929623.0000000005950000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.503765658.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546313038.00000000055C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.551440197.0000000006890000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.552438629.0000000006A20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546995313.00000000059E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.551688994.00000000068C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.297298308.0000000004098000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.551733160.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.551056353.0000000006730000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.547173286.0000000005A80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546044032.0000000005580000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.546082364.0000000005590000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.535153965.0000000002D8C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.545285946.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6792 Parent PID: 3292

General

Start time:	06:31:07
Start date:	12/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xeb0000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.373412048.0000000004761000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.364891578.000000000378B000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.383604898.000000000525A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, Metadefender, Browse Detection: 48%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 4708 Parent PID: 6792

General

Start time:	06:31:14
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6076 Parent PID: 4708

General

Start time:	06:31:15
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6092 Parent PID: 6792

General

Start time:	06:31:15
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AGYVBigGPY' /XML 'C:\Users\user\AppData\Local\Temp\tmp864D.tmp'
Imagebase:	0xd90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4428 Parent PID: 6092

General

Start time:	06:31:15
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6644 Parent PID: 6792

General

Start time:	06:31:17
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\AGYVBigGPY.exe'
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 1880 Parent PID: 6644

General

Start time:	06:31:18
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4608 Parent PID: 6792

General

Start time:	06:31:18
Start date:	12/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x140000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5356 Parent PID: 6792

General

Start time:	06:31:23
Start date:	12/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x3c0000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 900 Parent PID: 6792

General

Start time:	06:31:26
Start date:	12/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x600000
File size:	877568 bytes
MD5 hash:	50AB414BE17F4E03BEE8F9C5CEE06335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.383744500.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.357286802.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 4504 Parent PID: 5716 Devizni izvod za partiju 0050100073053.exeCOMMON

Executed Functions

Function 024D1117, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 024D1197

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 43804d5a2ee165f95ec8073afb48760291f821af6b8818fb41aa905ae894ee9d
Instruction ID: 1137f167a7061e2cc04274833cba57e3c4675fcbee95ea14f2ba97dab5425d86
Opcode Fuzzy Hash: 43804d5a2ee165f95ec8073afb48760291f821af6b8818fb41aa905ae894ee9d
Instruction Fuzzy Hash: 9721BF75509384AFDB138F25DC41B52BFB8AF0A210F08849AED898B263D3759818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D17DD, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 024D1849

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6d82d6222fe56af67961055604d43a602224b85d45af337b0ba70c576a0bf01f
Instruction ID: 1d5196674a8aa98554cf1153ad2615db01f7a1a8d8a393d4ed31a06b8eb44c4d
Opcode Fuzzy Hash: 6d82d6222fe56af67961055604d43a602224b85d45af337b0ba70c576a0bf01f
Instruction Fuzzy Hash: E01193754097C49FD7128B11DC41B52FFB4EF06210F0984DBED848B263D275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D114E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 024D1197

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d1fda6ae08454fe8b6a002b8251a9ee9ab21f236534fa2812d3b7aad71c55844
Instruction ID: b0e1ff89b1ed41a359386b6c1e62b33add66616d743aa651bfcb5495da76a88c
Opcode Fuzzy Hash: d1fda6ae08454fe8b6a002b8251a9ee9ab21f236534fa2812d3b7aad71c55844
Instruction Fuzzy Hash: 3C1170755003449FDB21CF55E985B6AFBE8EF08220F08C46ADD898B652D375E458CF71

Uniqueness

Uniqueness Score: -1.00%

Function 024D180E, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 024D1849

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a52e36924ebc244ea0add34964d0080206f7e63de50b0c5bc0f66b059036c610
Instruction ID: 2f6b1a686a95350a4574b7d4f717b4c32b9db4d54dfb1a37d97ff8e0e0eafb3d
Opcode Fuzzy Hash: a52e36924ebc244ea0add34964d0080206f7e63de50b0c5bc0f66b059036c610
Instruction Fuzzy Hash: F7018F31540344DFEB20CF56E885B66FFA0EF08720F08C49AED894B616C375A459CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05BD19A6, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5#l, xrefs: 05BD1A12

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: 5#l
API String ID: 0-1725415433
Opcode ID: c2b9845f89dab3d60a801d5ecd2011704b53acfde5bf5fe0f8bb4225db2fbaab
Instruction ID: 90346cbf9fc22fca2721273a3bcfc397767c42f3756835324cf98ac3a228b2b6
Opcode Fuzzy Hash: c2b9845f89dab3d60a801d5ecd2011704b53acfde5bf5fe0f8bb4225db2fbaab
Instruction Fuzzy Hash: D4614770D59219CFCB04CFE8D580AADFBB2FF49310F10A55AD016BB254E778A842CB24

Uniqueness

Uniqueness Score: -1.00%

Function 025AE7F8, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2983bdcd40e22fc94f33cf0e76d3ef3b2d44d0469313083d23209c8ee50854e4
Instruction ID: 026b8a026a200f9fec6fac745f1859821d73e263c914695fcc91a670ac294cb7
Opcode Fuzzy Hash: 2983bdcd40e22fc94f33cf0e76d3ef3b2d44d0469313083d23209c8ee50854e4
Instruction Fuzzy Hash: 00D12674E16209DFDB04CFA4D5A2BDDBFB1FB89311F209469E506BB284DA715980CF28

Uniqueness

Uniqueness Score: -1.00%

Function 025A15A0, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8f96f584435dd81e4b594baa4476e24d3e625a242889a96402cb4fc53c7b68
Instruction ID: f493e4e1704ac9435bd80c61d9d71ddd859a6d134eab9d6d3172b827961f393b
Opcode Fuzzy Hash: fb8f96f584435dd81e4b594baa4476e24d3e625a242889a96402cb4fc53c7b68
Instruction Fuzzy Hash: B4B15471D056198FCB14CFEAC95199DBBB2FF88310F94D92AC419BB698DB309902CF18

Uniqueness

Uniqueness Score: -1.00%

Function 025A19E7, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6760a0e4e8d799b56b162cda509bff5c68a977264722df58ac11dead7509f1
Instruction ID: 8e4fa4c4f65371f3ebf0569dec32eea643d61937ede086fd43798a04ea3baf7e
Opcode Fuzzy Hash: cb6760a0e4e8d799b56b162cda509bff5c68a977264722df58ac11dead7509f1
Instruction Fuzzy Hash: 94B154B0D016098FCB04CFA9D5919DDBBF2BF49324F64D65AD419BB398E7309A01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 025A10F0, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c849e2e1ae93de6605c66e6b3218675708c936626a8b531e3c62fa8e64e377e
Instruction ID: 35833ef80f0897b8695e215c7af65c4e12627409d89bc3956eb94b60fce15763
Opcode Fuzzy Hash: 8c849e2e1ae93de6605c66e6b3218675708c936626a8b531e3c62fa8e64e377e
Instruction Fuzzy Hash: C681F2B4E05209DFCB48DFA9D59199DBBF2FF89300F20956AD409AB364DB309A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A10E1, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dbaf2e16841040289465b15a94ddfc46fdb56c6256e2bf518fe9beb15caacc
Instruction ID: fff2b8bad57c2e8f025339f3d535e815d1c464e32f41184228798341b6d2f166
Opcode Fuzzy Hash: 75dbaf2e16841040289465b15a94ddfc46fdb56c6256e2bf518fe9beb15caacc
Instruction Fuzzy Hash: B58101B4D05209DFCB08DFA9D59199DBFB2FF89300F24956AD40AAB364DB349A41CF14

Uniqueness

Uniqueness Score: -1.00%

Function 025A2918, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d844fa41e4914c54add4c2615596434c6240fb8f66dbc346d2f30f29b18777
Instruction ID: 5e93c7c81b467a32ddb8d13408eab73b51bb950ac3d943dfd2bad673a25622b4
Opcode Fuzzy Hash: 90d844fa41e4914c54add4c2615596434c6240fb8f66dbc346d2f30f29b18777
Instruction Fuzzy Hash: C271F274E01209DFCB08CFE5C551AAEBBB2BF88300F10856AD815BB364DB359A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A2915, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47daa315a8a3abdd863ca66147d74c15cef78c0096eb4a47b4801a1eaa1bfde0
Instruction ID: ecd28fa792ea10c584062a5e12133128fb2dcc0501ee9e2f29f7ae420b9bcd07
Opcode Fuzzy Hash: 47daa315a8a3abdd863ca66147d74c15cef78c0096eb4a47b4801a1eaa1bfde0
Instruction Fuzzy Hash: 1C71D274E01209DFCB08CFE5D991AAEBBB2BF89300F10856AD815BB354DB359A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025AEE60, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0356391fedd1f62cac916ff1cb141da7a5c349ee6b7d2614c98155fe3d7723ef
Instruction ID: b06722fdaeef89f23450e7b1a07b12e4edcda9935d7ca5c21a9e2dfb3a4fc700
Opcode Fuzzy Hash: 0356391fedd1f62cac916ff1cb141da7a5c349ee6b7d2614c98155fe3d7723ef
Instruction Fuzzy Hash: 1A61BF74E052089FDB04DFA5D5A5AAEBFB2FF88301F20846AE806A7394DB365941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A0CA0, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3984f6740fb64ee9e05533f34bf27de2952864703008fa82a14147f2e0f6dd71
Instruction ID: 899c8b04b116db5ce5c7be931dda0c2f017821fb9ba564c8656a849ee9d59a3a
Opcode Fuzzy Hash: 3984f6740fb64ee9e05533f34bf27de2952864703008fa82a14147f2e0f6dd71
Instruction Fuzzy Hash: 167190B4D00208DFDB14DFA9D980A9DFBF2BF88304F208169D819AB365DB75A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A0C9F, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3748324fe2e9fe1221f261124dcf799c4997354986a3dfaf4a1e4319df6e0311
Instruction ID: f07237e9fc69139e53b1041e3e2b908dc722120d7c5418eac4cb7467e2f77f99
Opcode Fuzzy Hash: 3748324fe2e9fe1221f261124dcf799c4997354986a3dfaf4a1e4319df6e0311
Instruction Fuzzy Hash: A461AFB4D002189FDB14DFAAD980A9DFBF2BF88304F208169D819AB365DB755946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 025AE430, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e2b4d9de0a0eac38631384c8b8e8110c81adb0d84eb838a8c14f3f40e803c7
Instruction ID: 6bf3825acff2d7e3857b6ff5aff8594865020b798eae3238a8526f42eccebce2
Opcode Fuzzy Hash: a5e2b4d9de0a0eac38631384c8b8e8110c81adb0d84eb838a8c14f3f40e803c7
Instruction Fuzzy Hash: A3413870D16209DFCB44CFA5E5A2ADEBFF6FB8D211F10942AD005B6250E7319901CF28

Uniqueness

Uniqueness Score: -1.00%

Function 025A30F8, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbacbeaec6e9ac5f14e87f9283eb30af3113934ce62bef8b323be215f21303e1
Instruction ID: 57e6f1678168c3abc4e3772375d3b07b7723b78d9c5563f1f8a545e4ceec64f1
Opcode Fuzzy Hash: bbacbeaec6e9ac5f14e87f9283eb30af3113934ce62bef8b323be215f21303e1
Instruction Fuzzy Hash: C55125B1D052099FDB08CFA9C8556AEFFB2BF89304F14D4AAD415AB260D7349A41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 025A08F7, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c81ee8a9c5377fda54c4aa05a8683a32393a972a170947e07f8bf4899a61e3c
Instruction ID: cfae6cecae63456f2344a08e9958d9b4467518ee65d7044124e85da4fdb6f92d
Opcode Fuzzy Hash: 4c81ee8a9c5377fda54c4aa05a8683a32393a972a170947e07f8bf4899a61e3c
Instruction Fuzzy Hash: D131B7B1D016199BEB08CFAAC85469EFBF7BF89300F14C52AD814BB254D7751946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 025A39EF, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f62e24c60aafe7cce280c480a8af891000b524421b34368d1b6894b827acca5
Instruction ID: ce25448d7e2f45ca10a7651789649d79116e3b1220d0b6b33662b5991751e9b8
Opcode Fuzzy Hash: 5f62e24c60aafe7cce280c480a8af891000b524421b34368d1b6894b827acca5
Instruction Fuzzy Hash: E721E4B1E016588BDB18CFAAD8547DEFBF2AFC8300F14C16AD409A6264DB741956CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0230, Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
>,, xrefs: 05BD01B2
\NG, xrefs: 05BD1262
! `, xrefs: 05BD0104

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: ! `$>,$\NG$\NG
API String ID: 0-96232990
Opcode ID: 6de177a1aa5e0abfc368b78c406755cad7304a1d0450cf39400a8508e0575220
Instruction ID: 95d8a90f06a14734b053d9361065a8532d9898e9ba9e932bae3ff53d1156c2cb
Opcode Fuzzy Hash: 6de177a1aa5e0abfc368b78c406755cad7304a1d0450cf39400a8508e0575220
Instruction Fuzzy Hash: E5513574D4522ACFCB24DF68C944BE8FBB2BB49311F1084EAD51AA7640E7356AC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B599, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C2B60D

Strings

8<?r, xrefs: 00C2B625

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: 8<?r
API String ID: 544645111-3749652874
Opcode ID: ede93684d43e4c9ca22d6d41f66fb3920b94e9d2daf28d1794bad16d0b1276f0
Instruction ID: a0e44bcf28cf983aaf6e96684deeb69307aafef09b76cc90df738aa265d4c3a3
Opcode Fuzzy Hash: ede93684d43e4c9ca22d6d41f66fb3920b94e9d2daf28d1794bad16d0b1276f0
Instruction Fuzzy Hash: 3721AE725093809FDB228B25DC40BA2FFB4EF0A310F0884DEED858B562D265A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B5D2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C2B60D

Strings

8<?r, xrefs: 00C2B625

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: 8<?r
API String ID: 544645111-3749652874
Opcode ID: af71de5aca0bb5f9dcf5cb12298d6513d6ee1e5cf5991a25bbef0a2597a49219
Instruction ID: 447bc9f9cd08f74273c94ecdff7a9d73d811237a8fc18ceaa9360d003452ab8d
Opcode Fuzzy Hash: af71de5aca0bb5f9dcf5cb12298d6513d6ee1e5cf5991a25bbef0a2597a49219
Instruction Fuzzy Hash: D20184755007409FDB248F1AE885B66FFA4EF08720F18C4AEED854BA51D375E818DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1171, Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
\NG, xrefs: 05BD1262

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: \NG$\NG
API String ID: 0-3226677374
Opcode ID: 19d7cadc086a689b4d2ef9500729009684a6c0ed61d5e6fb52185f8804309f70
Instruction ID: 1705815ab7efa3e4da0138e2934d7c8ac5a0d1630eb0f6b2c46e48b8d66c4e8d
Opcode Fuzzy Hash: 19d7cadc086a689b4d2ef9500729009684a6c0ed61d5e6fb52185f8804309f70
Instruction Fuzzy Hash: C5317A30D5922ACFCB24CF54D999BA8FBB2FB45301F1055EAC00AB6641E7356B80CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05BD118C, Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
\NG, xrefs: 05BD1262

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: \NG$\NG
API String ID: 0-3226677374
Opcode ID: 7e50b8b35e727bf00ba51d5eab88c23f98b95b4c7ef524372bdbe1a5bb021b8c
Instruction ID: 6b5d33bfca14567d0834b5d94fb6573b5f6a8e9abd8f66d03794315484254d95
Opcode Fuzzy Hash: 7e50b8b35e727bf00ba51d5eab88c23f98b95b4c7ef524372bdbe1a5bb021b8c
Instruction Fuzzy Hash: D7318A70D5522ACFCB20CF54D999BA8FBB1FB49301F1054EAC00AB6641E7356B80CF24

Uniqueness

Uniqueness Score: -1.00%

Function 05BD03B6, Relevance: 2.5, Strings: 2, Instructions: 23COMMON

Download Yara Rule

Strings

\Goa, xrefs: 05BD03F0
\Goa, xrefs: 05BD03FA

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: \Goa$\Goa
API String ID: 0-4160621046
Opcode ID: 64374d5be797b93e37db4befc95c9610d86ada7ff3dc4e2406aa2304ff791656
Instruction ID: c8200e1ffbfdaf541fbe0af11a64f43dfc9fc960d46a83d08fae046fe62773fa
Opcode Fuzzy Hash: 64374d5be797b93e37db4befc95c9610d86ada7ff3dc4e2406aa2304ff791656
Instruction Fuzzy Hash: CAF0E275886228CFEB60DF50C945BE9BBB1FB19300F1080D9C419AB290D332AAC6CF10

Uniqueness

Uniqueness Score: -1.00%

Function 024D0DB7, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 024D0E6F

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0fbf3540e6d747a0c9c8bb3ce1da80d13f4c003590c75cf9cbb44d221c464088
Instruction ID: 61775c0026e9b94f89cb855e847ee6ac48770c0baf4ae2323a13393a85aa2b6a
Opcode Fuzzy Hash: 0fbf3540e6d747a0c9c8bb3ce1da80d13f4c003590c75cf9cbb44d221c464088
Instruction Fuzzy Hash: 3E31B4725047846FEB22CF65DC45FA7BFE8EF05310F0885AEE9849B152D335A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00C2AAB1

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d14df6a97575142fa844a259de4647ff88253e346328ffadba541c6f7edaaaab
Instruction ID: fb3765bf2dd4ebe710b932fcc387e588c83ee147a4f90f60dd07d30567da7ffc
Opcode Fuzzy Hash: d14df6a97575142fa844a259de4647ff88253e346328ffadba541c6f7edaaaab
Instruction Fuzzy Hash: A731D472504384AFE7228F25DC45FA7FFECEF09710F0884AAED808B152D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 024D0B14, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 024D0BB5

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e66f9aaaeaecfabed150a395d50cc183fe0a02ae65aaecb740a6f6f81e85ae6
Instruction ID: 755b272e13dd116192afaba705cc851076a634ee09ee325b2ec750e3651166be
Opcode Fuzzy Hash: 6e66f9aaaeaecfabed150a395d50cc183fe0a02ae65aaecb740a6f6f81e85ae6
Instruction Fuzzy Hash: C6317C71504384AFE722CF65DC44F66BFE8EF49624F0884AEE9858B252D375E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BB16, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 00C2BBC0

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 855ade9a4e1055b4a675ce9c8e85563a2e70dca86e207cccbaeac59d81a1b83c
Instruction ID: bdcfbb6c3146c23b6965d131b6fa8bd786b72094b8d98e03f93294fdcdbc44bf
Opcode Fuzzy Hash: 855ade9a4e1055b4a675ce9c8e85563a2e70dca86e207cccbaeac59d81a1b83c
Instruction Fuzzy Hash: 9D31C8715093806FEB228F25DC45F97BFA8EF06310F08849FE945DB152D724A908C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 024D0346, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 024D03D2

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 66c18404d896a422ac1a02f3cf99c0db6fba9085d77b2014d65ce88f78c5a1b6
Instruction ID: 0b440a65ebd22f54d16d32a18e3700205631fb14d90473cd105d8801af54f6a5
Opcode Fuzzy Hash: 66c18404d896a422ac1a02f3cf99c0db6fba9085d77b2014d65ce88f78c5a1b6
Instruction Fuzzy Hash: 6A314E6150D3C45FD7138B259C65A52BFB89F07214F0D84DBD884CB2A3D269A849C762

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 00C2ABB4

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6fc87f7e37ac4f290a77f4d7a3ca670296430bb7faf7c097e2cb36071b5069bd
Instruction ID: fa269181f1d1a334ee7a36e4ca62403f5f9e3532bb904289a71d7febb40c870c
Opcode Fuzzy Hash: 6fc87f7e37ac4f290a77f4d7a3ca670296430bb7faf7c097e2cb36071b5069bd
Instruction Fuzzy Hash: D231A4725093846FE722CB25DC45FA2FFE8EF06710F08849EE985CB153D264E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B788, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2B7F8

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ee1375447f9b2aa0594bed19bbccba229f77baa08f6c68446fda55533482aecd
Instruction ID: 71ce5026133bcc31af1d09051c25aa01576d29e3468e694893869266373cef67
Opcode Fuzzy Hash: ee1375447f9b2aa0594bed19bbccba229f77baa08f6c68446fda55533482aecd
Instruction Fuzzy Hash: 2431E5729093849FD712CB15EC857A2BFA8EF46320F0880EFDC448B692D3356909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B916, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00C2B9BD

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: abbd2dc9d109a58bcd35be80d8b1eaec6cb97278d093071640d4f8ea380bf74e
Instruction ID: 9bc8cde6a2e8ffd140cc4e626e45c015336beb0229dd02b48c5b6a6bd57e6d26
Opcode Fuzzy Hash: abbd2dc9d109a58bcd35be80d8b1eaec6cb97278d093071640d4f8ea380bf74e
Instruction Fuzzy Hash: 49319171509784AFE722DB25DC85B56FFF8EF06310F18849AE984CF292D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 024D1448, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D14DC

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ed9b160066ad70925c61a715873061cc880f799208f05ca81685cbf9de8a7f99
Instruction ID: b74d4ce10828bfaec7f8facf247f646e01581bab6170f33d721938d1b8728be1
Opcode Fuzzy Hash: ed9b160066ad70925c61a715873061cc880f799208f05ca81685cbf9de8a7f99
Instruction Fuzzy Hash: 0D2107725093806FE7128B25DC55BA6BFB8EF46324F0884EBED88DF193C2289549C771

Uniqueness

Uniqueness Score: -1.00%

Function 024D0596, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 024D0633

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: d47c76da997ed75fdf9bd3563e4060e11c9202a0c9b73a8f9463685dd16d8e8c
Instruction ID: 77382245ff4072b2bbbaae87953c9e09fe8c9c4e172a3eea05409e3758ab7063
Opcode Fuzzy Hash: d47c76da997ed75fdf9bd3563e4060e11c9202a0c9b73a8f9463685dd16d8e8c
Instruction Fuzzy Hash: D5216D72504344AFE721CF25DC45FA7FFA8EF45710F0884ABED44DB292D264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 024D0A32, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 024D0ADE

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: e45338ea6afbabc84790a47bb98131fa902f0ba658be6110213942e04da2f73a
Instruction ID: 37cdecacb0e3e9237a2ffd3f4c01a5bbee1584d5ffdfadbc66147bec2c08486e
Opcode Fuzzy Hash: e45338ea6afbabc84790a47bb98131fa902f0ba658be6110213942e04da2f73a
Instruction Fuzzy Hash: 23318E714093C06FD7138B25DC51B62BFB4EF47620F0A84DBE8849B553D228A919D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 024D094E, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 024D09F2

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 5dd2a53bc8f4d9734070d100b474d071307c4c717189b072c87b0eabfaf6fa2d
Instruction ID: dc7d2d25cd3700c2093871fc7a294cbbcc95df82c68ad211d61b577aacffea62
Opcode Fuzzy Hash: 5dd2a53bc8f4d9734070d100b474d071307c4c717189b072c87b0eabfaf6fa2d
Instruction Fuzzy Hash: 1C313A7540D3C45FDB138B749855A92BFB4AF57310F0E84DBD9848F1A3D2255819C772

Uniqueness

Uniqueness Score: -1.00%

Function 024D0DF2, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 024D0E6F

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3dcfb6857f05f42593bb06e8038c23cc29738bf5267d8bc4b3074a747b93ba64
Instruction ID: cd73f73e8dad9a5e3e8e1eac2f6bf25eeeac88928dd8756c51ba7f396a9b1135
Opcode Fuzzy Hash: 3dcfb6857f05f42593bb06e8038c23cc29738bf5267d8bc4b3074a747b93ba64
Instruction Fuzzy Hash: DC21B072500204AFEB219F65DC45F6BFBACEF08320F04886AED45DB251D274A448CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 024D0C0C, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D0CA1

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 46a587a696cfd7a17d47694ee11bdeb1c4b61de3817127b333a99eb85f172f48
Instruction ID: 51fa98b9d74d48bd2e772889cb78d9d635349baa65472d449a1aac495b330938
Opcode Fuzzy Hash: 46a587a696cfd7a17d47694ee11bdeb1c4b61de3817127b333a99eb85f172f48
Instruction Fuzzy Hash: 2E21F8754097806FE7128B25DC41BA2BFACEF4B720F1884DAED848B293D2645949C771

Uniqueness

Uniqueness Score: -1.00%

Function 024D0ECD, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 024D0F54

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b416e5fed3b512edc4cf8843bb8a2e2b9707add5a8a7d6586258a1c134c4f3ca
Instruction ID: 9ce02342b8fd85e9896dd6549a49c961511694ceefc614655749cfaf7f05a452
Opcode Fuzzy Hash: b416e5fed3b512edc4cf8843bb8a2e2b9707add5a8a7d6586258a1c134c4f3ca
Instruction Fuzzy Hash: D021AE765093C09FD712CB25DCA5B92BFB4AF07210F0D84DADC858F2A3D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D0B36, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 024D0BB5

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 39d16b89f660eab1c7ea53d3b0d1366dc7b8a209f470c1f4cd4980b656cac2ed
Instruction ID: ec7e16439d516168d81486d4d81f13b0aa979ca3b8b1e3edc8337be15f1332a0
Opcode Fuzzy Hash: 39d16b89f660eab1c7ea53d3b0d1366dc7b8a209f470c1f4cd4980b656cac2ed
Instruction Fuzzy Hash: 8021AE71504244AFEB21CF65DD45B66FBE8EF08724F18846EE9858B251E371E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 024D0CDC, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D0D6D

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 326f11166c2af7b0a05f587d61d4b480ec4203365f2187a6964539b00d945bae
Instruction ID: ab1c4f0c0747f68e7bb8bbe4d01bd1854828e5f8d414767039b6f520afb7da80
Opcode Fuzzy Hash: 326f11166c2af7b0a05f587d61d4b480ec4203365f2187a6964539b00d945bae
Instruction Fuzzy Hash: 30219072409380AFD7228F65DC45F56BFB8EF4A314F08849FE9849B153C265A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00C2AAB1

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7858a3ed0a481d689e1498e2ada72db62cdd3514719a197549cedf716b62d2e3
Instruction ID: f651a785621ecb2626754e024bf3f4104ae6909013209b736504fbe4b22c2c8a
Opcode Fuzzy Hash: 7858a3ed0a481d689e1498e2ada72db62cdd3514719a197549cedf716b62d2e3
Instruction Fuzzy Hash: 82219F72500604AFE7219F26ED85F6BFBECEF08710F14845AED459A641D674E908CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 024D05C2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 024D0633

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 51851fe118085071bf345338487438f19bb190c2528a49405859cbc932990203
Instruction ID: bb6adacd36c3bf990392b5326615f128c1b1721ec677e1f487f78fe6bede2021
Opcode Fuzzy Hash: 51851fe118085071bf345338487438f19bb190c2528a49405859cbc932990203
Instruction Fuzzy Hash: 43218E72500204AFEB20DF69DC45F6AFBA8EF88B10F14886BED44DB241D274A5098B75

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B94A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00C2B9BD

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 704884cb72ee5f27f2bc8b88a6692801a8d5d76cfad977083a909f62c54c7c53
Instruction ID: 71d9d7d51d2841c424ffbc1ba4ade2b7f97a03f52efb1a8a25cb0288774aa87a
Opcode Fuzzy Hash: 704884cb72ee5f27f2bc8b88a6692801a8d5d76cfad977083a909f62c54c7c53
Instruction Fuzzy Hash: C721A171500244AFE720EF2AED85B66FBE8EF08320F18846AED85CB641D775E944CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BB56, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 00C2BBC0

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9bb0db5e550a1838350d0d784fd41e0f28b08f336490edb7556a4d239130b23e
Instruction ID: 6a8e3b785bf3deb6797b148b08196312900a049cfb1921fd0b13824557ed4888
Opcode Fuzzy Hash: 9bb0db5e550a1838350d0d784fd41e0f28b08f336490edb7556a4d239130b23e
Instruction Fuzzy Hash: 37119371500204AFEB218F66EC85FA7FBECEF08311F14846AED45DB541D674A9048B71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 00C2ABB4

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 04e6ee4117bf1611c1afcee22cc708f4a34480910478d148aa3944f545af4990
Instruction ID: 1f53965ffffa409c1ebe0afed225f2aa66bd149949e73b782ae2d3c294a6ad4e
Opcode Fuzzy Hash: 04e6ee4117bf1611c1afcee22cc708f4a34480910478d148aa3944f545af4990
Instruction Fuzzy Hash: 70218175500204AFE720CF16EC80F66FBECEF08711F14846AED45CB651D260E904CA72

Uniqueness

Uniqueness Score: -1.00%

Function 024D1299, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6C25E77C,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 024D130A

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 806c9dda5905284ea26d6eb903c290883ed9ab0762f329f902d9849f649c9695
Instruction ID: 970345f1ec203e2ebec5bc55e70423f7d626b20e1ba7af9aaa7e5e64b0554574
Opcode Fuzzy Hash: 806c9dda5905284ea26d6eb903c290883ed9ab0762f329f902d9849f649c9695
Instruction Fuzzy Hash: 422150715093845FDB12CF65DC85B96BFE8AF06210F0984EBED89CF263D275A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B0B5, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00C2B131

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 838c141b7e62294a33a1178392fddf3648d7aa5d313782e8cdcbabfe804ab02b
Instruction ID: 52c6db8ffc3528818661a27fe9c68eaed27870a40477132ab1b1a3a678e890f8
Opcode Fuzzy Hash: 838c141b7e62294a33a1178392fddf3648d7aa5d313782e8cdcbabfe804ab02b
Instruction Fuzzy Hash: 4221C0715083805FD7228B25DC85B62BFB8EF06310F08809AED84CB293D325A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D15CD, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 024D1641

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f0678dedfc88eb3ea5fcb22c924873994b37361e10a4c9a332017fe2b700faa1
Instruction ID: fbb9e09fa69e42c266ce93f8e89d921b2394865b2e9875600e431fef631614bb
Opcode Fuzzy Hash: f0678dedfc88eb3ea5fcb22c924873994b37361e10a4c9a332017fe2b700faa1
Instruction Fuzzy Hash: E6218C714093C09FDB138B25DC44A52BFB4EF07610F0D85DBED848F263D225A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D1486, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D14DC

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 4f20d415cd64b326058d66290405a9ad24db1fb6c2b4321beac685dfc53e08fc
Instruction ID: ed3cb5ae8badb296068d1b615bbf10e2930ea184b1d3ea8efc897c816f16685d
Opcode Fuzzy Hash: 4f20d415cd64b326058d66290405a9ad24db1fb6c2b4321beac685dfc53e08fc
Instruction Fuzzy Hash: 2B110671500200AFEB10CF2AEC85BABFBD8EF08320F04846BED49DB241D278A444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2A58A

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa0a1f9f564b282769e43a5577982871812b927081e3d7af787359c84e292de3
Instruction ID: 1aa97a8860f9e94ab2f144ce8e4d3467cc739248116e963374719bedac207bb8
Opcode Fuzzy Hash: fa0a1f9f564b282769e43a5577982871812b927081e3d7af787359c84e292de3
Instruction Fuzzy Hash: 3B118471409780AFDB228F55DC44A62FFF4EF4A310F0884DEED858B552C275A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D0D0E, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D0D6D

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c37ba037ea1d37990222b90303574ae4515fdfb6fab376cb93b9fd7682bc1c64
Instruction ID: a128679210032bf19116ea69c64830f1b38eeff66e7ada4af625224637b203e4
Opcode Fuzzy Hash: c37ba037ea1d37990222b90303574ae4515fdfb6fab376cb93b9fd7682bc1c64
Instruction Fuzzy Hash: 8D118271500204AFEB218F55DC45BAAFBA8EF48721F14846BED459B251C275A445CB71

Uniqueness

Uniqueness Score: -1.00%

Function 024D04E8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 024D0547

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9273b2b30ca39897ac49dd2e77fbd214a33250d677cc5643776027b60a009086
Instruction ID: 9999e9f1b1064f3ebf117d537a8b491b9820a27c44659136c7327062c5e54052
Opcode Fuzzy Hash: 9273b2b30ca39897ac49dd2e77fbd214a33250d677cc5643776027b60a009086
Instruction Fuzzy Hash: E711B2715093849FDB21CF25DC95B57BFE8EF06220F0884AEED45CB252D238E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 024D038A, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 024D03D2

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 93ec0ce39469a9d5c6dad0da3cd1a70e7b7660eb317d60f13358f6668901f938
Instruction ID: 02b9c3b072126cb6669f57376cb61297460f41b01f69f47ede36d122a6611146
Opcode Fuzzy Hash: 93ec0ce39469a9d5c6dad0da3cd1a70e7b7660eb317d60f13358f6668901f938
Instruction Fuzzy Hash: 96113C71A046408FDB20DF29E885B57FBE8EF44720F08946ADD49CB742D374E455CA71

Uniqueness

Uniqueness Score: -1.00%

Function 024D0C4E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,6C25E77C,00000000,00000000,00000000,00000000), ref: 024D0CA1

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ad79f6ed8ca8f6d2954f1921cbd6e8989214c8af582ecad322bd7d9feac3691f
Instruction ID: 17b9f63d5efdc516d2bdb9c9345e7474917d6373ba26d442e9fc5386d1a2373c
Opcode Fuzzy Hash: ad79f6ed8ca8f6d2954f1921cbd6e8989214c8af582ecad322bd7d9feac3691f
Instruction Fuzzy Hash: 9D01D671500304AFE720CB16DD85B67FB98DF08721F14845BED459B241D274A448CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 024D12CA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6C25E77C,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 024D130A

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8fc20fae382b5404aa172d5bbfaf8a619865a24d26895c6ef4600e15bf93aa59
Instruction ID: 3e626513a276943aeabe325d1e17f70cd43fa92cee4edc50f47a761d10aaa9f2
Opcode Fuzzy Hash: 8fc20fae382b5404aa172d5bbfaf8a619865a24d26895c6ef4600e15bf93aa59
Instruction Fuzzy Hash: C7115E756042448FEB20CF69E885756FBE4EF04620F0884ABDD4DCB652D375E458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 024D050A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 024D0547

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d4719b8da2c41d5c58483a08822e3dcab9d49d88ffd9a655ce343c12dcab0ef5
Instruction ID: 9d147c3d683d2eb62c8d1ec4e2405ee6f5157332a57e1f18d250ee6ad8210a8d
Opcode Fuzzy Hash: d4719b8da2c41d5c58483a08822e3dcab9d49d88ffd9a655ce343c12dcab0ef5
Instruction Fuzzy Hash: 94014C71A042449FDB20CF29E895766FB98EF04720F0894AADD49CB742D275E444CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00C2A926

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1cf358e8b5f902d3350c90d8433401881b69e63dde78343c157c4f9125d6a60c
Instruction ID: 7c3ae707a864461f82c74c8606d25d4f3f695553a21c4a3d818e3248792ee45b
Opcode Fuzzy Hash: 1cf358e8b5f902d3350c90d8433401881b69e63dde78343c157c4f9125d6a60c
Instruction Fuzzy Hash: 421182354097849FD7218F15DC85A52FFB4EF06320F09C4DAED854B662C375A958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 024D0A8E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 024D0ADE

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 004d6e7c26786ba4ef7c426ace4f8eb7297f34b8fadeb432191349a0357f5b38
Instruction ID: ceeb679e89191c8c4a893506b434da8593cef230f6dd1c76b9a38e68f27d2102
Opcode Fuzzy Hash: 004d6e7c26786ba4ef7c426ace4f8eb7297f34b8fadeb432191349a0357f5b38
Instruction Fuzzy Hash: FD017171500200AFD710DF26DC86B26FBA8FB88B20F14856AED089B641D235F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 024D0F1A, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 024D0F54

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ffdd52a34300388667d300dd8179796e6463b44c577f3193d46707f351f6c5b4
Instruction ID: 4e2287630d913a915effd6193319dfeecc5c55045f0dcb5ca39c993847d613fa
Opcode Fuzzy Hash: ffdd52a34300388667d300dd8179796e6463b44c577f3193d46707f351f6c5b4
Instruction Fuzzy Hash: DF015E71A042449FDB20CF29E885766FB98EF44720F1894AFDD4ACB746D2B4E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A350, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C2A3A4

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: adf455f3c96086211dd1a3e792b86dfda19b50a63d008dd8e5074d36859851f6
Instruction ID: 9b3e35afe3826d0f8335740f9aa84b7d3b77b63ac0541c8cf27e7e576f0f6484
Opcode Fuzzy Hash: adf455f3c96086211dd1a3e792b86dfda19b50a63d008dd8e5074d36859851f6
Instruction Fuzzy Hash: F401A1714493849FD712CF15DC84B52FFA4DF06220F0980DAED858B262D279A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B0E6, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00C2B131

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: f72f47b79c5c4a001c942add6420f2d3833f908451d2b017801b50f307ee975b
Instruction ID: 0351bd11a0404c0b7fe23aff01d205ac2857afaaa56dbb56ea98be7b61ce5633
Opcode Fuzzy Hash: f72f47b79c5c4a001c942add6420f2d3833f908451d2b017801b50f307ee975b
Instruction Fuzzy Hash: DB0192715006049FDB20DF1AE985B26FBE4EF08720F08845ADD498B742D375E914CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2A58A

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2fbeeecb004adb5a4f45767c6147fb659a198c191ce71bcd766d4b6c252ba78
Instruction ID: f3d1d9d38b51f23ffdc967b833f9bd45c644b83f9ad482d6de0fd3826e5be8c4
Opcode Fuzzy Hash: f2fbeeecb004adb5a4f45767c6147fb659a198c191ce71bcd766d4b6c252ba78
Instruction Fuzzy Hash: 0F016D314007409FDB218F55E844B56FFE0EF08720F08C8AADE898AA16C275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B7C6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00C2B7F8

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d0c122d34a39ce6b4045789d4f8c5b8908c40b8bcb2035f4440222a8f9d5e3f0
Instruction ID: 52af7310ca9b97980a45480aaa9e66b6e68ed186f58d800d5742724ee5d1db14
Opcode Fuzzy Hash: d0c122d34a39ce6b4045789d4f8c5b8908c40b8bcb2035f4440222a8f9d5e3f0
Instruction Fuzzy Hash: D101A7719043408FDB10CF1AE885766FB98DF44720F18C4AADD498F642D375A944CF71

Uniqueness

Uniqueness Score: -1.00%

Function 024D09BA, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 024D09F2

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 85d9cc66970b3079db3410cd15f878bb95a517830c9c60659783c0a3117fb692
Instruction ID: 55a705f2259b942fd15bb40f161d4c469cadc07eaa6813b94a2d595e425e2184
Opcode Fuzzy Hash: 85d9cc66970b3079db3410cd15f878bb95a517830c9c60659783c0a3117fb692
Instruction Fuzzy Hash: 8C01BC719002408FDB20CF65E885B66FBA4EF08320F08D4ABDD488B302C375A449CB72

Uniqueness

Uniqueness Score: -1.00%

Function 024D1606, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 024D1641

Memory Dump Source

Source File: 00000002.00000002.251914556.00000000024D0000.00000040.00000001.sdmp, Offset: 024D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0d455d7203351fd1f835e6f8be12ca0e6544889adeca7f12925cf7903c0404fe
Instruction ID: f8db4bab93706e2829ccd21d7cd1af457fc1f88621533402c15db6e9d117b520
Opcode Fuzzy Hash: 0d455d7203351fd1f835e6f8be12ca0e6544889adeca7f12925cf7903c0404fe
Instruction Fuzzy Hash: 48018B35804340DFDB208F55E884B66FFA0EF08B20F0CC49AEE894B612D375A459CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00C2A926

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: df4bb96d1fcad4795a7bb9663af54305b07ae6ef7a788175653235b964dcf831
Instruction ID: d8c6f3a98d84449c79d54d2539158d40fa42d0ebd64cdc9ad9d0b4c9f807ce50
Opcode Fuzzy Hash: df4bb96d1fcad4795a7bb9663af54305b07ae6ef7a788175653235b964dcf831
Instruction Fuzzy Hash: BC01D635400744CFDB209F06E885752FFA0EF08720F08C4AADE854B652C375A458DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C2A3A4

Memory Dump Source

Source File: 00000002.00000002.251536585.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e94440d3e32c42b5ca0001aff7e734e468cb617005943801b9a0ed388226369f
Instruction ID: 32bc773c9d8915408cf002c5569c77dce14edce7d844f9242a4d4dbafb923dec
Opcode Fuzzy Hash: e94440d3e32c42b5ca0001aff7e734e468cb617005943801b9a0ed388226369f
Instruction Fuzzy Hash: 40F0AF34944344DFDB20CF16E985766FFA0EF08720F18C4AADD494BA62D279E508CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 025ADC60, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

7Mf@, xrefs: 025ADCB9

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: 7Mf@
API String ID: 0-1904315430
Opcode ID: 82ed0f93f80f4d5fb8d558d50473335c299ae7cb667b4e55d0fff447095a6884
Instruction ID: 8879e4a517bc6a16eb77cc11004be219ea5ae88844b3b58176f7f6c386879c67
Opcode Fuzzy Hash: 82ed0f93f80f4d5fb8d558d50473335c299ae7cb667b4e55d0fff447095a6884
Instruction Fuzzy Hash: 49313CB4D06209EFDB04EFE1C5656AEBFB1FB49300F60989AC401B7654D7744A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1707, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

MD{q^, xrefs: 05BD176B, 05BD1770

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: MD{q^
API String ID: 0-436025121
Opcode ID: 9a703103abd8962f2519ed44a9d3d3d083fa5884b3ae1622cc2e4384c668e595
Instruction ID: f70b216a2c2236c257a67042aa86489b04c0448759feb194cfd2b6888dd1ecda
Opcode Fuzzy Hash: 9a703103abd8962f2519ed44a9d3d3d083fa5884b3ae1622cc2e4384c668e595
Instruction Fuzzy Hash: 6321BEB0D09249EFDB44DFA9D5429AEFFB1EF46300F2084AAD402E7251DB349A05CB29

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1718, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

MD{q^, xrefs: 05BD176B, 05BD1770

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: MD{q^
API String ID: 0-436025121
Opcode ID: 4e5f519c7e41bc4be9a059b6a12d8684848cfb8b906f2c99fb244740d8dc4d50
Instruction ID: bfacb50df8211bcfd62051511951cef4746aac6ae91e003ec8df34dccbfa9fbb
Opcode Fuzzy Hash: 4e5f519c7e41bc4be9a059b6a12d8684848cfb8b906f2c99fb244740d8dc4d50
Instruction Fuzzy Hash: ED11C1B0D15209EFDB44CFA9D5429ADFBB1FF49300F2084A6D406A7250DB306A00CF18

Uniqueness

Uniqueness Score: -1.00%

Function 025A854E, Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

6&h, xrefs: 025A84DF

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: 6&h
API String ID: 0-3242544348
Opcode ID: b6c7bb746d6183ae1e2e00bf18f7e12d97ed7c9c41c2bdaa1a7f226e838d8d27
Instruction ID: 2f9d5eef9f8f9ee78081813e6333fcce7a4711d7783a029d4726fd5ada6ce54c
Opcode Fuzzy Hash: b6c7bb746d6183ae1e2e00bf18f7e12d97ed7c9c41c2bdaa1a7f226e838d8d27
Instruction Fuzzy Hash: 6FF0D0B4D19359EEDB21CF60D852BAEFA71BB45310F0058D6D00AB7241C7345981CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 025A7FF6, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

<, xrefs: 025A803F

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 396477e791233f7224725c47c12343be7151c9e86b82affb4cf61aa7aedd8077
Instruction ID: 2362493eb1fc57591f8f2e9e1dcee368a81577dd717f0169549f2af8acd11ad5
Opcode Fuzzy Hash: 396477e791233f7224725c47c12343be7151c9e86b82affb4cf61aa7aedd8077
Instruction Fuzzy Hash: 2B0119749403188FDB28DF25CC5A7EDBBB1FB49700F1446D9D14AA6291D7381A81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 025A2039, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

%F{q^, xrefs: 025A2088, 025A208D

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: %F{q^
API String ID: 0-448185126
Opcode ID: 5e34c6381426b81b18c8d7a0637458192e011dab65c9b14db4c8009a0bc04eb9
Instruction ID: 5b2cec769625e794c60f17ea04127fd6e3c31320d455eaf22ad91fce7fea4fcc
Opcode Fuzzy Hash: 5e34c6381426b81b18c8d7a0637458192e011dab65c9b14db4c8009a0bc04eb9
Instruction Fuzzy Hash: 4101F670905329CFDBA4DB24DC81B9DBBB2FF89200F1085E9E409AB264CB306E85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 025A7FB6, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

<, xrefs: 025A803F

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 3fc026e2d393270180cbe190ef13dbe9a1ae0a2e49f3bc11ab4a3d3031c07d0d
Instruction ID: adcd03a278f903ef934b0ecfd5d53be4152fa5855eab3a7972d3f9435d67163c
Opcode Fuzzy Hash: 3fc026e2d393270180cbe190ef13dbe9a1ae0a2e49f3bc11ab4a3d3031c07d0d
Instruction Fuzzy Hash: 1C01AF74E44328CBDB29DF259C5A7EDBBB1BB48700F0086D9D1497A2A1C7741A85CF89

Uniqueness

Uniqueness Score: -1.00%

Function 025A9418, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

ntin, xrefs: 025A943F

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: ntin
API String ID: 0-3077571345
Opcode ID: 8cb9683e9ee68993318fd5c7768803a91c3d2b87bf814ad1b003cecc492e3e3e
Instruction ID: 9972f110d845730a5b11c5dd36bcef74909adb0e82936ad185457122ccd1d592
Opcode Fuzzy Hash: 8cb9683e9ee68993318fd5c7768803a91c3d2b87bf814ad1b003cecc492e3e3e
Instruction Fuzzy Hash: 16E0EEB4D492299FDF00CFA8C881B8EBBF0BB08300F019494D009AB381C334A900CF21

Uniqueness

Uniqueness Score: -1.00%

Function 025A2B90, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df191efbe87ee3bf8cc0b485b8407805f09f153879d15152f97112b20dfda34
Instruction ID: 08b2acfe53f00dd47e14412818f633bab1ddff49a1c1c90d3f822086706bacf6
Opcode Fuzzy Hash: 7df191efbe87ee3bf8cc0b485b8407805f09f153879d15152f97112b20dfda34
Instruction Fuzzy Hash: F5B1F770E1021ADFDB14DFA8D881ADDBBB2FF88300F108529E515AB355DB30A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C22477, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251524507.0000000000C22000.00000040.00000001.sdmp, Offset: 00C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682529785fef2f3cb3202e73a172a2b7d94ccc03ebb2150885302d17ab44f95a
Instruction ID: eee99fa212722802bb8c81c7c9d5db0544ef3b93f1085caf5af7b0ce75aa8115
Opcode Fuzzy Hash: 682529785fef2f3cb3202e73a172a2b7d94ccc03ebb2150885302d17ab44f95a
Instruction Fuzzy Hash: 6E61E87564D3F26FCF13AA2478B45A47F629B62325B4584FBD484CFCE3D604884B8366

Uniqueness

Uniqueness Score: -1.00%

Function 025A0448, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558561e6636fa822c963874fc4c8677d10bddff6e76c4fb21abb055940628fd3
Instruction ID: 00d7099e85adcd39bd0110c9b244eb14bce1c31f28d06ffa1cd1fa3e4e3ce317
Opcode Fuzzy Hash: 558561e6636fa822c963874fc4c8677d10bddff6e76c4fb21abb055940628fd3
Instruction Fuzzy Hash: 3491E474E11218CFDB14CFA9D8A5BADBBF2BF49314F10816AD409AB3A0DB319985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A0439, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad51111ce76acc7099a2e577e5eead4743dcb5e7947f6dca3d08ed1ff8d84b2c
Instruction ID: b68297bd3283d64cae66f7787d61f696c78fbac89876e31eaf83028ba4f54040
Opcode Fuzzy Hash: ad51111ce76acc7099a2e577e5eead4743dcb5e7947f6dca3d08ed1ff8d84b2c
Instruction Fuzzy Hash: 0A710574D11218CFDB54CFA9C8A5BADBBF2BF49314F1085A9D409AB3A0DB309985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025ADA78, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f8e6bf80c67e70f30ff68b5af8427a48b38cccf1142fef740fc7642fbb8d17
Instruction ID: 56f190694df8f5ed2c1dd4243ea4611ca5095843bc048b9a888e8f6a262de3d5
Opcode Fuzzy Hash: 05f8e6bf80c67e70f30ff68b5af8427a48b38cccf1142fef740fc7642fbb8d17
Instruction Fuzzy Hash: EF311571D2A209DBCB00EFA8E5526EEBBF4FB49311F14682AD416F6610D73199018F68

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A884, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46a68e9935273fd1f63312f8af322b0da0f27e1f129da8a5b8be1f36f39405e
Instruction ID: 62fd728fdf00c954efcf80aa33a74585ab8aa88d08d743b9b6ab1021baf33cca
Opcode Fuzzy Hash: a46a68e9935273fd1f63312f8af322b0da0f27e1f129da8a5b8be1f36f39405e
Instruction Fuzzy Hash: 1C216DB6508304BFD310CF0AEC45E67FBE8EB88620F14C96EFD4897211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A9B0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93e8f26ead1f1a023d9e83bbac93318d8a9f6d5d89abb441757e89aafe00c92
Instruction ID: d8c07f7bb492f7c3a1fc50ab0a0f3db3d5aaf6f8645fe78ebcf7ef0aa59e195d
Opcode Fuzzy Hash: c93e8f26ead1f1a023d9e83bbac93318d8a9f6d5d89abb441757e89aafe00c92
Instruction Fuzzy Hash: 92216DB6508304BFD350CF0AEC45E67FBE8EB88630F14C96EFD4997211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A758, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e0fc7738c09083545b7b9ec100aae3e38fa174c66729a5da74d09fe0083942
Instruction ID: 4171d4baa233a5e8abd7d63fcf802b5a38032ebda3d0f2aea95eca8d36a67d3d
Opcode Fuzzy Hash: c1e0fc7738c09083545b7b9ec100aae3e38fa174c66729a5da74d09fe0083942
Instruction Fuzzy Hash: 102160B6504304BFD310CF0AEC45E67FBE8EB88620F14C96EFD4997211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A40C, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2ede720e743549104e7f796cf6eabf20748954989c374b142afff5586df2d5
Instruction ID: 480f94c6d6f58a3d7638d4cf7b1afac5d2c0f5dc5f6e98872c5682f8f3ab9465
Opcode Fuzzy Hash: ae2ede720e743549104e7f796cf6eabf20748954989c374b142afff5586df2d5
Instruction Fuzzy Hash: 0821A1B6544304BFD7118F06EC45EA7FFA8EB89630F14C96FFD489B211D275A8148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AB28, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d804f70b95343abe255b4a0f1b32fa8c62d5880f68f365101032df5b999ed059
Instruction ID: 651930c88ca81c1e4953b1b1c29c16b1b32f4bc839e8de7d4dcac84c285b9069
Opcode Fuzzy Hash: d804f70b95343abe255b4a0f1b32fa8c62d5880f68f365101032df5b999ed059
Instruction Fuzzy Hash: D8312BB550E3819FD302CF259850956BFF4EF8A614F0989DEF8C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A623, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c90f3c697a7651413a11715858c8708a75605c9d339e66316c6241804c6fb09
Instruction ID: 7e0155c5babc04161c59d20362bf4f377d25ebb19eaf50b751dd7807a6eee257
Opcode Fuzzy Hash: 7c90f3c697a7651413a11715858c8708a75605c9d339e66316c6241804c6fb09
Instruction Fuzzy Hash: 8121C1B65083447FD7108F06EC45E67FFA8EB89630F08C96FFD485B211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A1FC, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae042be8d72cd358028089b49c83abe9d351b27d2b4cd31291bfe70eb7ecb0b
Instruction ID: 38ffcdcb2a94ed538fc71f52e886aeadb089f208ad857ea2fe65b008c5657974
Opcode Fuzzy Hash: 7ae042be8d72cd358028089b49c83abe9d351b27d2b4cd31291bfe70eb7ecb0b
Instruction Fuzzy Hash: 2711C0B6504204BFD7108F06AC45E67FFA8EB88A30F08C96AFD485B201D236B8148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A8A2, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbd025703acb845b55fe116a2c85c38e30cf11257431759d9801e195cb698eb
Instruction ID: 8d14cec90b7393675d4dc96f1fa8913d177b0a39c4eac5da083e096b47e72a4b
Opcode Fuzzy Hash: 4fbd025703acb845b55fe116a2c85c38e30cf11257431759d9801e195cb698eb
Instruction Fuzzy Hash: 43213EB6544304AFD310CF0AEC41A57FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A9CE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc0e946f635583bd227faac05196f2bd27193488f63e23be9139eb02f11aa99
Instruction ID: acc0068bb9fa53e4869b149bb76c405468cbe915fd70e74b4c7a9a078cb24c92
Opcode Fuzzy Hash: 0dc0e946f635583bd227faac05196f2bd27193488f63e23be9139eb02f11aa99
Instruction Fuzzy Hash: 0F213BB6644304AFD350CF0AEC41A67FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A776, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30847fca74220ee1a761b45e1172dbc9615ad5567395a70132c533b928a6223c
Instruction ID: 71dfd551dd32ab949e77cdb48e40b094ac2205766d4a743c41b383ca3c169109
Opcode Fuzzy Hash: 30847fca74220ee1a761b45e1172dbc9615ad5567395a70132c533b928a6223c
Instruction Fuzzy Hash: 12213BB6644304AFD310CF0AEC41A67FBE8EB88630F14C92EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 025AC618, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bdc100c754543e699c49fa203f3560ac6da933f19f350528b59beaf4e9b5a0
Instruction ID: 02159cbd7f629827b46bd458c917a486c2ce424c53a50c2b9bc46eab55518ac3
Opcode Fuzzy Hash: c4bdc100c754543e699c49fa203f3560ac6da933f19f350528b59beaf4e9b5a0
Instruction Fuzzy Hash: 4D3104B4D04209CFCB04CFA9D595AEDBBF1FB88301F10956AD815AB350DB34AA40CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025A32C0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d9ac9f2bcde3a30ee86531093f81338b4c59be172cf68d9b713ba8792cae2c
Instruction ID: b63e08066f983ed661e4ec692c32e42758f134daa781367b1eab975371cdcfaa
Opcode Fuzzy Hash: 48d9ac9f2bcde3a30ee86531093f81338b4c59be172cf68d9b713ba8792cae2c
Instruction Fuzzy Hash: 403125B4D04209DFDB44CFAAC581AAEBBB1FF89300F51849AD815AB724D734AA41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C80844, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251704193.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d853c2ae0a280cf9a27cb77056ed89d2a419d623d5b44c50ad9eae9186954dc
Instruction ID: 9ec968d181b27fc8cc0b2e1a364b893fb85f614bd776888f78519f59b0218d7e
Opcode Fuzzy Hash: 9d853c2ae0a280cf9a27cb77056ed89d2a419d623d5b44c50ad9eae9186954dc
Instruction Fuzzy Hash: 8C218E365086C08FD707CB24D890B55BBB1AB57308F2985EAD8944B2A3C37A9D16CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A432, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27834a2609d77e9a23fbb4792b078893c8210a704735084770c4bbb09c7f11b
Instruction ID: f1fe0c1621364ceb90223fc57afab8acbf043fa41d979fc8bd8b31732151b3f0
Opcode Fuzzy Hash: c27834a2609d77e9a23fbb4792b078893c8210a704735084770c4bbb09c7f11b
Instruction Fuzzy Hash: F3119076544204BFD6108F0AEC41E67FBA8EB88730F18C96AFD485B311D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A64A, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341d9a328707dabd2cb7e5f99af6de5e830586e73849eb99b06ead901e79a271
Instruction ID: 85ee548fcba2b78f19ccdf9798371d0f713362deab5429892a8f28bb616d345c
Opcode Fuzzy Hash: 341d9a328707dabd2cb7e5f99af6de5e830586e73849eb99b06ead901e79a271
Instruction Fuzzy Hash: 3611B276544204BFD6108F0AEC41E67FBE9EB88630F18C96BFD485B311D276B5148BE2

Uniqueness

Uniqueness Score: -1.00%

Function 025A32D0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35da021c8844e604d88d4de0af211bc5435a948d203c1eb57028fd1fb71e9dde
Instruction ID: 938b22ac42779f0d31011dcd1fd4ce67689bf18f37405dc4a51920308f4b41b8
Opcode Fuzzy Hash: 35da021c8844e604d88d4de0af211bc5435a948d203c1eb57028fd1fb71e9dde
Instruction Fuzzy Hash: 5121E2B4D14209DFDB44CFAAD581AAEFBB1FF89304F10859AD815A7314D734AA41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 025A0006, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f03ae46a2ee30dd2f16b5fdfa353cb7ce21567d151245889e6deaa02ab231c
Instruction ID: 78aa19312008a50d2b347a73766c22a860102a5afba5e6a9fca9d676d74e0fe4
Opcode Fuzzy Hash: 13f03ae46a2ee30dd2f16b5fdfa353cb7ce21567d151245889e6deaa02ab231c
Instruction Fuzzy Hash: 0311273144E3C09FC71387B498266A87FB0AF47215B5E81EBC8C5CB1E3C628195ED766

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A6A0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd7dbf434aa59132e67aa91ecf604b4a8a4cd19b2a5b6ec53f47a005c4431ef
Instruction ID: ec23cfa2509fd229e0119c3e672d06cd768e242540bdb336505e724b1a2281a6
Opcode Fuzzy Hash: 1fd7dbf434aa59132e67aa91ecf604b4a8a4cd19b2a5b6ec53f47a005c4431ef
Instruction Fuzzy Hash: 9E2151B550D3806FD302CF15DC51957BFF5EF8A620F0989DAF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 025AB018, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb7a8e3488f77d2ccdbb1b166369c41fc65a63893a73f4fa05e29a488f914ca
Instruction ID: fa9e0e850524f313f5f09ccd96a424925ec5a8caa47a64be3a64a72a70f3d29f
Opcode Fuzzy Hash: aeb7a8e3488f77d2ccdbb1b166369c41fc65a63893a73f4fa05e29a488f914ca
Instruction Fuzzy Hash: 322145B4E15209DFCB04CFA5C5926AEFBB6FB99300F2084AAC911A7354E7345B41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025A33C0, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6e8d4d3843191264e21a3befd0db17d8d2fc2cc672efd59905dec963b08492
Instruction ID: ecd3d99b433a48d97bd5b97e04fc1a4bf807d46d4cf0b6f79b91e8df4a088926
Opcode Fuzzy Hash: ef6e8d4d3843191264e21a3befd0db17d8d2fc2cc672efd59905dec963b08492
Instruction Fuzzy Hash: 29214870E04209EFCB05CFA9C5869AEBFF1FF89304F1189AAC415AB221D334AA05CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A21A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c73c06a5793bd4f7907d89ed6c4f1e7a3d4317c8189e38f4f24ad28d2432f64
Instruction ID: 5f453a3ec5bbd7dc95d52cc68e2bf027c7d8b4a260dd46efe82607c3402d4924
Opcode Fuzzy Hash: 0c73c06a5793bd4f7907d89ed6c4f1e7a3d4317c8189e38f4f24ad28d2432f64
Instruction Fuzzy Hash: 96118676644204BFD6108F0AEC41E67FB99EB88730F18C56BFD095B601D276B5149BF1

Uniqueness

Uniqueness Score: -1.00%

Function 025A2F18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd8b4cf0e7d8452d982df7d770327a76463396bf102eccda766feb743287ad7
Instruction ID: b8124c0edcfe66c7bffe2f170f43d3caa3686f3c7873e3267ed50f170cb00c43
Opcode Fuzzy Hash: 1fd8b4cf0e7d8452d982df7d770327a76463396bf102eccda766feb743287ad7
Instruction Fuzzy Hash: 06214A70D0420A9FDB00EFA8D941AEEBFB1FF89310F65456AD504B72A5D7305945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025A4DEF, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1264f8ba562bb00445d28878a7ba47ad636c00c58e7223b38f2e882b241fa20
Instruction ID: 63b1c7c13266a2929caba674abfd50171add8db75b2e6ce738b59a72294a189b
Opcode Fuzzy Hash: c1264f8ba562bb00445d28878a7ba47ad636c00c58e7223b38f2e882b241fa20
Instruction Fuzzy Hash: 66210470D15219DBCB04CFE9C595AAEFBF2FF99300F10C9AAD416AB214D3B09A10DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00C8087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251704193.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e44a87c4ead07c812c914ee11a769c68e0fceeb8ccb9180edad6d1d3cd1436
Instruction ID: 72d9916f7c1a59ede490f76ac188c523ea2a65ba7678ebce4b426b4b5648c4ab
Opcode Fuzzy Hash: e4e44a87c4ead07c812c914ee11a769c68e0fceeb8ccb9180edad6d1d3cd1436
Instruction Fuzzy Hash: 7511E134204280DFE755DB14D940B26BB95EB8871CF38C9ADE9494B683C37BD847CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025A4ED8, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831360f47914ccc010a64a455d56766d2cf5e0ed7f059235e8ae69482b150c63
Instruction ID: 1bd6bdd01921316bda061cd8d5855d84805b207257c18e40919f8c104cf67718
Opcode Fuzzy Hash: 831360f47914ccc010a64a455d56766d2cf5e0ed7f059235e8ae69482b150c63
Instruction Fuzzy Hash: 6F214434A01208DFCB05CFA8C585A5DBFF2EF89300F19C09AD8159B365D7309A10CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AB69, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4982c2978f3fc2d0a6ba0083be4afbfe7874f9528c69d373755974f619a195
Instruction ID: 0265613691fb9e2b0390e8c8caa48f73afaa515cf776bf08ca7b2bd84af78ec7
Opcode Fuzzy Hash: 0f4982c2978f3fc2d0a6ba0083be4afbfe7874f9528c69d373755974f619a195
Instruction Fuzzy Hash: 5711A4B5908301AFD350CF19E881A5BFBE4FB88660F04896EF99897311D375E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 025A00A9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7998dc186dc000f358d701400b93676fc9c3d67fa19cc02d2dac77f55e36a87
Instruction ID: 9e0a76c27cbe84561a5eac923c37c30aab386f2c249cdba42c7788192c89e8a6
Opcode Fuzzy Hash: a7998dc186dc000f358d701400b93676fc9c3d67fa19cc02d2dac77f55e36a87
Instruction Fuzzy Hash: 6C21723091134EEFCB14EBA8E855AADBF71FF41304F148169D542A72A4DB712E05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 025A2F28, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fb70b2658e6a9a6cce59e474b4869790b309be94e2c71406f9166cae7d778e
Instruction ID: 3b9aea2fc8567bcf564857961a3f04b61e8114580d30e417010ac5e79fe85f77
Opcode Fuzzy Hash: 18fb70b2658e6a9a6cce59e474b4869790b309be94e2c71406f9166cae7d778e
Instruction Fuzzy Hash: B311C8B4D0021A9FDB50EFA8D941AEEFBB1FF88310F214569D504B7354D7706985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025A4EE8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d75e286827dbec24eb2eb7433b90f5e12db4c7222d9d927b12178c53b650a9
Instruction ID: 82cca9230fc1e0c4e5a15114b0b103227bc09878b19207b8680981e18185dab1
Opcode Fuzzy Hash: 78d75e286827dbec24eb2eb7433b90f5e12db4c7222d9d927b12178c53b650a9
Instruction Fuzzy Hash: E6112538E00108EFCB04CFA9C595A5EFBF2FB88300F14D49AE519AB365DB70AA10CB44

Uniqueness

Uniqueness Score: -1.00%

Function 025A0EE1, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d531c9ccf0401cb29336b1fddd03c80a3498e037501d8cf0d0ad4ef631150ff
Instruction ID: cd5c23f8fec7b487f96ad5fbb94cc7f52fce8954a5873a7d8530564ef26b3a84
Opcode Fuzzy Hash: 3d531c9ccf0401cb29336b1fddd03c80a3498e037501d8cf0d0ad4ef631150ff
Instruction Fuzzy Hash: 821148B4D14209DFCB04DFA5D851BAEBFB2FF85300F1081AAD805633A5DA354A10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 025A00B8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449e0fb59b01bbaf0fda9258ec4c43400456194650f6071ab8c7745e6814ad06
Instruction ID: 26555ee2fb6971784ee0feca4ee427a8caea08d81dc6b99682366bec45edffc8
Opcode Fuzzy Hash: 449e0fb59b01bbaf0fda9258ec4c43400456194650f6071ab8c7745e6814ad06
Instruction Fuzzy Hash: D811007491120EEBCB14FFA8E855AADBB71FF80304F108169990297294DB716E05EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A178, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c43436c0f8b7cb1100de12d0df34b25a58f43dfea86631ccc06184bcf33147
Instruction ID: ca65c988c23afdbc3b49a205229e3277d83b9bd3b08154c04fc8407e4af6eafe
Opcode Fuzzy Hash: d6c43436c0f8b7cb1100de12d0df34b25a58f43dfea86631ccc06184bcf33147
Instruction Fuzzy Hash: 5A01D47240D3C06FD3124B25AC55AA2BF78DF47620F0984CBED849F193D21A6909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05BD18CC, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98e6dca0f177b0c85f1fd64434213bc04fb3754f2bf9e76ac80f3d0c579b0ae
Instruction ID: 8ec9c4aa273758874a63b0177c78bcf5ce49b5bb466500bbc98b00a9c3d731d3
Opcode Fuzzy Hash: a98e6dca0f177b0c85f1fd64434213bc04fb3754f2bf9e76ac80f3d0c579b0ae
Instruction Fuzzy Hash: D2014CB4D052088BDB18CFABD8407ADFFF2EF89304F14D2AAC81867255EB321402CB54

Uniqueness

Uniqueness Score: -1.00%

Function 025A0B38, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c1825c260022031b99467010684d7d405c36343dcfda4d638cea5bd92ce267
Instruction ID: 1b170ad749aea4fcf12b858968eec771d0b994b2c8d3ccafccaf41288f226549
Opcode Fuzzy Hash: 97c1825c260022031b99467010684d7d405c36343dcfda4d638cea5bd92ce267
Instruction Fuzzy Hash: D6112774D16248DFCB05DFA8D665AADBFB1FF4A304F1084AAD805AB2A1E3305E44CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00C805D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251704193.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec06014a012a29501b89871d5c8e537ad836a51151dd2e2f1c890ff912069fa
Instruction ID: 301751ada3c6d22f95b13745ca547ed864d8f1c243d41e0b6d1b16d5c85fdc43
Opcode Fuzzy Hash: 6ec06014a012a29501b89871d5c8e537ad836a51151dd2e2f1c890ff912069fa
Instruction Fuzzy Hash: 95018B765093805FD711CF1AEC41863FFA8DF86620749C49FEC498B612D125B504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 025A0B48, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8707c530159e77cee87c2ceacbdb48012dacb5f060271e23ffd3962c0b74b171
Instruction ID: 67c7914607227d7f5631df1a17f28eac8f081d60fcddc06e378d06ac9c30332e
Opcode Fuzzy Hash: 8707c530159e77cee87c2ceacbdb48012dacb5f060271e23ffd3962c0b74b171
Instruction Fuzzy Hash: 0A110974D1520CDFCB14DFA8D6557ADBBB1FB49305F1084A5D805A7350E7305E41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05BD17E0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5adfe01a58a1d8a82802ed86990a54479a06c4b577aaa7a243ebbc707e6f50
Instruction ID: 2d76af49389be0616db8a9ee19d2deaa83c59d08b0840f550f0242b38cf15a68
Opcode Fuzzy Hash: 2a5adfe01a58a1d8a82802ed86990a54479a06c4b577aaa7a243ebbc707e6f50
Instruction Fuzzy Hash: 27F06D70A0A348AFCB15DFB8D44426DBFB5EF45201F1042EAC848A7291EA329E54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 025A9E86, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcab99732e6d73eeaf4d7c820b2f681183b1e9e71b8d76fd9395e315e1a8e9f9
Instruction ID: 784a9f8cda2d24b74a818e75a9c584f405d0f12b5ff9fddf51cd6b536113ca3c
Opcode Fuzzy Hash: fcab99732e6d73eeaf4d7c820b2f681183b1e9e71b8d76fd9395e315e1a8e9f9
Instruction Fuzzy Hash: D6115A30910218CFEB10DB68D955B99BFB2FF55200F1084D9A40EA7358CF365EC28F50

Uniqueness

Uniqueness Score: -1.00%

Function 025A9BC0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3302c5174cc17538e6ef4f249a7319fa09cbcd0ea998ea7b5d059452373e94ff
Instruction ID: 314890b455129fb874cb90b7aa594277d13098a9b4c356ef0c4b8a2529016f3a
Opcode Fuzzy Hash: 3302c5174cc17538e6ef4f249a7319fa09cbcd0ea998ea7b5d059452373e94ff
Instruction Fuzzy Hash: 5C01F470906348DFD704DFA8D15529DBFF2EF86300F10849BE4409B261D6345945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 025A0878, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17bc9c1ce4a0189a81810bd9a0c003f782e9b713bf837174dc7a36dc1e600b2
Instruction ID: fd432ec2601732bfdb84317f64bf14fd52bbad12312e6c94ef78210391ba282a
Opcode Fuzzy Hash: f17bc9c1ce4a0189a81810bd9a0c003f782e9b713bf837174dc7a36dc1e600b2
Instruction Fuzzy Hash: F5F06D30910648EFCB14EBA0E956B9DBB31EB41304F1542A5D8016B3A1DB711E94DBE6

Uniqueness

Uniqueness Score: -1.00%

Function 025A9BD0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b56c5ca9c00f910c790e315169362edf83df1d305ce5e845cd4739ce8618c9
Instruction ID: 11cf5e708b9ebcd50fcebbf082dcf3a17b3fa042e99791a99a723d2e84561647
Opcode Fuzzy Hash: f2b56c5ca9c00f910c790e315169362edf83df1d305ce5e845cd4739ce8618c9
Instruction Fuzzy Hash: 38F09070E05308DFD704DFA8E1567ADBBF6EB89300F10845AE804A7264DB305952CB54

Uniqueness

Uniqueness Score: -1.00%

Function 025A03D1, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95771509df5a24bad1d9a076dc7cc9d70844170048656a67b5ae41c1252a021
Instruction ID: fd10aff313968dc8094c1d0fc5a71cfaa8395aaadad5c0585a09fb9f2dd98316
Opcode Fuzzy Hash: b95771509df5a24bad1d9a076dc7cc9d70844170048656a67b5ae41c1252a021
Instruction Fuzzy Hash: 0B01F274A15248EFCB01DBA8D585A9DBFF0BB09200F1585EAD8049B3A2D330AE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0BF1, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb070d87c10b5c969b14fed610420aac7ae853b5edf272645cafe244a69455cc
Instruction ID: a15273da5e28da24629e95a7b5ce41de73275067f7813a62f7e8bebdeb139264
Opcode Fuzzy Hash: fb070d87c10b5c969b14fed610420aac7ae853b5edf272645cafe244a69455cc
Instruction Fuzzy Hash: E301E47594022CCFCB60DF51CD44BE9FBB9BB08300F1496DA8919B7240E730AA85CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00C80938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251704193.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: f32f9202a6873c50e1461aa2db7a10cd35e88b47803d654f91eb9dc52701cb5e
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: 94F01D35204644DFC306DF00D540B15FBA6EB89718F24C6ADE9591B752C337E913DB85

Uniqueness

Uniqueness Score: -1.00%

Function 025AA144, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85ea1a1b13f9a04f1f0ba032321844a2f78fd5188c2a51aa5f7340704462e93
Instruction ID: 5d100d184ba671c802f74c200ff5913b63329b23491f6a3f51d68399da657508
Opcode Fuzzy Hash: e85ea1a1b13f9a04f1f0ba032321844a2f78fd5188c2a51aa5f7340704462e93
Instruction Fuzzy Hash: F801E470A11309CFDB04DFA8D6A59ADBFF1FF49301B204099E809AB394DB759941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0B14, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d30c324fe47ca5459eb60d18ed3e275b200f935c663f566e6e1a70f19051a33
Instruction ID: 14a29382d011d108737113133fba2a69a6ef7b076176547e972008ee9154cc9e
Opcode Fuzzy Hash: 1d30c324fe47ca5459eb60d18ed3e275b200f935c663f566e6e1a70f19051a33
Instruction Fuzzy Hash: AA019075845228CFCBA0DF54C888BD9BBB5FB08304F1080DAE419A7251EB31AB85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0EE2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6be17859208c2848466ba1aaa0fda7050ea706f033bbe6655f051d0645400a8
Instruction ID: 6ee25fdf08cd354144515a6bf6dfca32fd9adf959af9a2575839e28ae07ef331
Opcode Fuzzy Hash: e6be17859208c2848466ba1aaa0fda7050ea706f033bbe6655f051d0645400a8
Instruction Fuzzy Hash: 2001D274840668CECB65DF50CC48BEAFBB1FB49305F5081DAD848BB240D771AA89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 025A0888, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9999e5d99903b18da88a541cfbc0073b29619d5d664a57476dade0815bba3ee1
Instruction ID: b64b337a6d109c9cb889fe8a298fe894200490fbdb057e4c07a5254143806c22
Opcode Fuzzy Hash: 9999e5d99903b18da88a541cfbc0073b29619d5d664a57476dade0815bba3ee1
Instruction Fuzzy Hash: A2F03034910209EFCB04EBA4E956BEEBB31EB80305F2041B9D8012B391DB716E95DB99

Uniqueness

Uniqueness Score: -1.00%

Function 025A3B5B, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96621435fd9fdcb85542c84193a11d2d8b83c1ea39ac56a958b89771962bee3
Instruction ID: 512af1786f6d77700e25c2efe97211b61bfcda42bc6d6140f6610852c233931c
Opcode Fuzzy Hash: f96621435fd9fdcb85542c84193a11d2d8b83c1ea39ac56a958b89771962bee3
Instruction Fuzzy Hash: D7F04474E042998FCB50CF98D58199CBBB2FF88314F15D5A5D40AAB268C630BE88CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00C805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251704193.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4419d93b1db6ce444239643e3a503ec7950077d69386c6619017de78759eac4
Instruction ID: c22e8b362559cba2097eed128a82ec95958e0bb68dd3482e95bd3994c9b34a7c
Opcode Fuzzy Hash: c4419d93b1db6ce444239643e3a503ec7950077d69386c6619017de78759eac4
Instruction Fuzzy Hash: 34E092766006044BD750DF0AEC81456FBD8EB88630718C47FDC0D8B701D139B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 025A9AE9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178b7c8416a144645eccc83b0eaa77a7db092e2472928364aa0acc905a7f4243
Instruction ID: 68c6cabcae18bd1be7f897d40327615415959260344448731db429df4843fb6a
Opcode Fuzzy Hash: 178b7c8416a144645eccc83b0eaa77a7db092e2472928364aa0acc905a7f4243
Instruction Fuzzy Hash: 8BF06D3091A348AFCB11DBB8D85479DBFF4AF46200F1401EAE844D7361E2345914CB55

Uniqueness

Uniqueness Score: -1.00%

Function 025A1FAF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5baec93e46976c4be4984e3041957f8d1787cb4edc5161ed04497b3fd652d0
Instruction ID: 60203f5d111812a39a07f49af7b76256b3d1470f05d14b39fcbed4b3dfa6e3cf
Opcode Fuzzy Hash: 3a5baec93e46976c4be4984e3041957f8d1787cb4edc5161ed04497b3fd652d0
Instruction Fuzzy Hash: 5BF02075409B9CAFEB10CF30C882A89BFA6BF02240F101ADAA04B6F251C7309A01CF02

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0E22, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd48431327a03b6cdd269b0d9216d2f5bd48bdd0ec6a866e14dfbceae6afa4f
Instruction ID: fa80bcccad9716b8c1a2d8d7354ac34ec149540277a33912aa6e704c1e928871
Opcode Fuzzy Hash: ecd48431327a03b6cdd269b0d9216d2f5bd48bdd0ec6a866e14dfbceae6afa4f
Instruction Fuzzy Hash: 43F05E359402189ED720CE50CC41BC9B7B5FB48700F104296A249EA1C2D371AA81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A82F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39a96c04385585a39c0ad081d237a26e652684137193f7c2ecc094d52fca33e
Instruction ID: 62040f5a17572b969bd7478e489b0738cf0565ec72149dbf4767d815b0ade314
Opcode Fuzzy Hash: b39a96c04385585a39c0ad081d237a26e652684137193f7c2ecc094d52fca33e
Instruction Fuzzy Hash: C8E048B25413046BD2609F0ABC86F53FB58DB54A30F14C56BED085B742D175B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A1AC, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85a0a7fe7ffea0cc76fcc1cef297c58bc7c6d13611c0a7447d4fbf4309793a6
Instruction ID: 1088e2b7ea82077913e47d317ec77158f3b9dfb589e75dfc5ccb1bce992a6e88
Opcode Fuzzy Hash: e85a0a7fe7ffea0cc76fcc1cef297c58bc7c6d13611c0a7447d4fbf4309793a6
Instruction Fuzzy Hash: 4FE0D8715402046BD2209F06AC82B63FB58DB44A30F44C467ED081B701D175B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A95B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31654742c9d2cdc72ea6385525dca14c1deb64a0482451471d717bba8a04ad40
Instruction ID: 64b64ae536ee49d47c44186321d6fda59d8abc60f2f44908a58847a0f977820c
Opcode Fuzzy Hash: 31654742c9d2cdc72ea6385525dca14c1deb64a0482451471d717bba8a04ad40
Instruction Fuzzy Hash: D9E0D8725403046BD2609F06FC82F53FB58DB54A31F04C46BED081B701D175B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A3C3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e5e2530e52728c6d1c1b8215f4ab14b046b875e4f7d5961d59aa3fb2fc55c1
Instruction ID: 1e98adedf95f1a19f0be03b3a5ebbb324df0cb8fc36fd84ba97548939f1f0649
Opcode Fuzzy Hash: 45e5e2530e52728c6d1c1b8215f4ab14b046b875e4f7d5961d59aa3fb2fc55c1
Instruction Fuzzy Hash: C2E048715412046BD2609F06AC86B53FB5CDB44A30F54C567ED085B742D175B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3ABCB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30925976a04954b153143240065ef74effcb9eca967202d826f7edb2dccdb6d
Instruction ID: 16282126139690a68b23ffc176139d303d6036fd642f28fa5954a2dc30436f37
Opcode Fuzzy Hash: d30925976a04954b153143240065ef74effcb9eca967202d826f7edb2dccdb6d
Instruction Fuzzy Hash: A9E0D8725403046BD2209F06BC82B53FB58DB44A30F04C467ED081B742D175B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A5DB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f85a3e10c5bedd42168140c6a064bd9474dded899b298ced066551505bae89
Instruction ID: 3063679f9faebab3b6643ed9eb95800cb5deb8df735a1f6e3bde6e63c7ca13a2
Opcode Fuzzy Hash: 56f85a3e10c5bedd42168140c6a064bd9474dded899b298ced066551505bae89
Instruction Fuzzy Hash: 45E020715403046BD2209F06FC82B53FB5CDB48A30F44C467ED081B701D1B5B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3A703, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251549631.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173ab55fc4d3edd03aa07697e7ff48e191c7f0db38c7a2a8ab81286a9be2eba5
Instruction ID: 635f32b2de6ccff5971fac0dc1b983abc9f76891e35cb5931fff11d6fc49802d
Opcode Fuzzy Hash: 173ab55fc4d3edd03aa07697e7ff48e191c7f0db38c7a2a8ab81286a9be2eba5
Instruction Fuzzy Hash: 0EE048729413046BD2609F06AC86F53FB58DB58A30F14C56BED085B741D1B5B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 025AF748, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a9bacb731c68c647bd66703cafcfed3fe11cf125331ac1398c7cc8186930a2
Instruction ID: 0116669b497ea04cf20ec39750ee147845a69b1d2f3ab1f7c3d8405e2bfb87d2
Opcode Fuzzy Hash: 56a9bacb731c68c647bd66703cafcfed3fe11cf125331ac1398c7cc8186930a2
Instruction Fuzzy Hash: EBE03970D14208DFCB40EFA8D90566EFFB0FB48302F1081AAD819A3390DB715901CF88

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0784, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670daeddb735df602ce01ffe0b6d10191dac07027b56bf5289c0fad5eccebd5d
Instruction ID: f403ebeeaf0040a882e53c9625c9cf13d75d98198e4c6b3314ad78b47001bfda
Opcode Fuzzy Hash: 670daeddb735df602ce01ffe0b6d10191dac07027b56bf5289c0fad5eccebd5d
Instruction Fuzzy Hash: 77F0927A805229CFDBA0DF24C8487DCBBB5EB0A710F1484D9859DA6291E730ABD5CF14

Uniqueness

Uniqueness Score: -1.00%

Function 05BD15F1, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea1fddcc23ca19b4bf6e5b05ccbb22a63c5cc611bf4ebfd7c0b72667f887612
Instruction ID: 9f6857c1fd1c6f15b8a6afede9a464dad26a0db4de21309564eab2c69ee55a3f
Opcode Fuzzy Hash: cea1fddcc23ca19b4bf6e5b05ccbb22a63c5cc611bf4ebfd7c0b72667f887612
Instruction Fuzzy Hash: 2FE0867041A3889FD7119F789A0535CBF70AB42201F6501EBC84497292E6355958C796

Uniqueness

Uniqueness Score: -1.00%

Function 025AA0CC, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7841127a70810757404d058cf71a25d9119594cb10f979043b20a94e1c3f3633
Instruction ID: e2f2cebaf608748862d66503108852f8afa6f8572d34c986dd1bfebdb5546742
Opcode Fuzzy Hash: 7841127a70810757404d058cf71a25d9119594cb10f979043b20a94e1c3f3633
Instruction Fuzzy Hash: 89F0A474912219CFDB94DF28EDA5B8CBFB6FB48200F1085D9E40AA3264DB745E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 025A1DD0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e7e612d3fc002f6518e3180a399b11a1a6df4ffc747fa487c513d5f4fcd614
Instruction ID: 06220256168afc9c1970b413570476c55b88682b88d457a398ed902fbc76aca5
Opcode Fuzzy Hash: 12e7e612d3fc002f6518e3180a399b11a1a6df4ffc747fa487c513d5f4fcd614
Instruction Fuzzy Hash: 85E086704193058FD301AB749C1938C7FB4DB06A11F0401A6A405C31B2EA34184AC7D9

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1833, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5db89ce979102b93774fe772aab60610e995fe1c47252473f60f9ce4eb408b1
Instruction ID: 200ff375de85cd7c48b259040eb78628c8eb9f9b14346b4e55d95eb2b1fa3ee2
Opcode Fuzzy Hash: e5db89ce979102b93774fe772aab60610e995fe1c47252473f60f9ce4eb408b1
Instruction Fuzzy Hash: AFE0867051A3449FC705AB785804769BF74DB02201F5045EAC80497291E6315A54C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 025A01DF, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c904aa29ca4d23f5c21306d1de7821ec4b3b64d9533e7fdc73eeba8478e1a346
Instruction ID: 400d5d161d3d88e4bfa3353061bd7e083e6e42f6278d1c4eb854a72e6c0b60e2
Opcode Fuzzy Hash: c904aa29ca4d23f5c21306d1de7821ec4b3b64d9533e7fdc73eeba8478e1a346
Instruction Fuzzy Hash: 11E01A34919208DFCF14DFA8E545BACBFB0EB45301F2081AAC84593390D7715A94CB45

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1007, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d1c1089d5a59e7089bf884789ce6f61f518265a7340f3bbf91ca4affbb3fa8
Instruction ID: e25434fdcc7876e2b975381b0d1e6c61bce784af3dc3ddbac37630add31963b7
Opcode Fuzzy Hash: d1d1c1089d5a59e7089bf884789ce6f61f518265a7340f3bbf91ca4affbb3fa8
Instruction Fuzzy Hash: 0DF0F83494522A8FCB61DF68DC05BACFFB1BB49301F1090EA941DA2251EB305EC09F55

Uniqueness

Uniqueness Score: -1.00%

Function 025A3E42, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f46fbca5f9e272b85e273b2ecf95f1afa34210f969d4f2c88b57ca632ffb45e
Instruction ID: 67db0f9dbeba6dec53a1a4f217a68bdf91b8374498ac687ec18514bb1681fcab
Opcode Fuzzy Hash: 8f46fbca5f9e272b85e273b2ecf95f1afa34210f969d4f2c88b57ca632ffb45e
Instruction Fuzzy Hash: 61F02B78A01258CFCB54CF94CA84ADDBBF2EF89321F6454A9E805B7314CB35AE85CE14

Uniqueness

Uniqueness Score: -1.00%

Function 025A22EA, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0f82756a96646d5571f2863ff95665671b96d844e8fad9c420e124b40ba20d
Instruction ID: 6c957c810c575babb452feb9f97fff6c3142010342037ced42e496ae583e5d6e
Opcode Fuzzy Hash: bb0f82756a96646d5571f2863ff95665671b96d844e8fad9c420e124b40ba20d
Instruction Fuzzy Hash: 23E03970D05119DFFB14CB60C801F8EB6B2BB00310F81959A980CAB290D774AE41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 025ADF40, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511318caa1f0ca7e11fa4c46a455b69c46b44e7da17af523860b350a9935000e
Instruction ID: 21a8a81b550086aabc8e92e706e6004fb37b373cf7fdd66a31c9d3f52d65d00b
Opcode Fuzzy Hash: 511318caa1f0ca7e11fa4c46a455b69c46b44e7da17af523860b350a9935000e
Instruction Fuzzy Hash: 7BE012B4D05208DFCB40EFA8D9457ADBBF0FB48301F2086EAD828A3351E7305A00DB85

Uniqueness

Uniqueness Score: -1.00%

Function 025A0070, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca883f3383b098374fc074cb055292d506eca5eaab7adb2a67a3e7cbbe0b71cf
Instruction ID: 71113ce937d259322ffc47f62e05aef5f174d98476567d60b140b7a58dd9f42b
Opcode Fuzzy Hash: ca883f3383b098374fc074cb055292d506eca5eaab7adb2a67a3e7cbbe0b71cf
Instruction Fuzzy Hash: 9CE0EC35811208EFCB14EFB4E90A75C7B75BB04306F1081AAD80593390DB316A54CA96

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0F6E, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b39ca7b033575675396320f56dfd7d4df052ac4095095bf6fb1cb71ac3de459
Instruction ID: 67f18b163ba3bae0da894705d68e8b2d39880b3b3711ae53cbf3b77974b66f68
Opcode Fuzzy Hash: 1b39ca7b033575675396320f56dfd7d4df052ac4095095bf6fb1cb71ac3de459
Instruction Fuzzy Hash: 6BE0C275A00228CFDF20DFA0C940BDDBBB2FF49300F24819AD459A7255D3329A96CF00

Uniqueness

Uniqueness Score: -1.00%

Function 025AE2D0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfce5794a1567da02e9f5b4cd693a4e34e01464d8773df1edfd249eae6ab757
Instruction ID: 2bdea38e9ebbd732ed1728ee8933b56878184374db12f64c42c05bbcfaf0ed10
Opcode Fuzzy Hash: 4dfce5794a1567da02e9f5b4cd693a4e34e01464d8773df1edfd249eae6ab757
Instruction Fuzzy Hash: D2E0EC70D053089ECB54EBB995063ACBFB4AB45305F6041EAC84492250E6359650CB45

Uniqueness

Uniqueness Score: -1.00%

Function 025A9AF8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb208212e2b8638eafdd2725c6f130385ce30142d39d7718787c9d4d2dcd114
Instruction ID: 9fd6fac13b8a222e1b8f62e37c695ed3e0b8a856a6137e29643f64901ebbc245
Opcode Fuzzy Hash: acb208212e2b8638eafdd2725c6f130385ce30142d39d7718787c9d4d2dcd114
Instruction Fuzzy Hash: BDE0BD74E05208EFCB50EFA8D54979CBBF4AB48205F2041AA980897360E630AA54CB45

Uniqueness

Uniqueness Score: -1.00%

Function 05BD032D, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a286169848321f340a138c3663787ec48de1bbe5362e2167b751ffb86f6a6c3
Instruction ID: 9188c4da4f40c3c1f7ba9a330d34b5c2dfecd90422eb36e3ce4bb69abfe34e07
Opcode Fuzzy Hash: 8a286169848321f340a138c3663787ec48de1bbe5362e2167b751ffb86f6a6c3
Instruction Fuzzy Hash: 3EE0E575E102199FCB25CFA4C841B9CFBB1FB48300F20849AD928AB355D372AA828F40

Uniqueness

Uniqueness Score: -1.00%

Function 025A0A06, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cd5d9c9284f03b11b471c58c5ab67d9ef71f9058edb636b6eb8068c61a1149
Instruction ID: 3fbd3778456d6d63b5fefda08c4d5988d9fc05b8104acac6b96c45aad492c89c
Opcode Fuzzy Hash: 22cd5d9c9284f03b11b471c58c5ab67d9ef71f9058edb636b6eb8068c61a1149
Instruction Fuzzy Hash: 58D05E6086F7889ED7028760A5A4BEF3E687B07204F059995D0815B592C3A8054CC706

Uniqueness

Uniqueness Score: -1.00%

Function 025AE318, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2893c8d253bfec048640a412e011a7f697bbef52f7c1df74f1846c1b11830be8
Instruction ID: f1dae6b02f1b6dac36e5d4439fa2d3593d88eba8b5f621963420998d59013f38
Opcode Fuzzy Hash: 2893c8d253bfec048640a412e011a7f697bbef52f7c1df74f1846c1b11830be8
Instruction Fuzzy Hash: 35D017B0D11208EFCB54EFA8D50679CFBF4AB44200F1041EA880893390EA30AA10CB85

Uniqueness

Uniqueness Score: -1.00%

Function 025AE3F0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3878f08f3caf765c946a90d4735c7ea25aa35bea7e097bc7dfa811b1e938cf
Instruction ID: b5f9bdacd6aa2395fbbb02f3dd553ec367336fa610e01537cc59e60825d171b7
Opcode Fuzzy Hash: ec3878f08f3caf765c946a90d4735c7ea25aa35bea7e097bc7dfa811b1e938cf
Instruction Fuzzy Hash: 7BD05EB0D0530CEFCB54EFB8A5053ACBFF4AB44201F1042FAC84493390E6385650CB85

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1600, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095d47e6e399afc136ac3852771dfe71ffde07ed3d836a6823b3ac65796e01d2
Instruction ID: 341cbf745c7e802234c2baf3bb275b67a5f6cc160a708223e2f1eb9369e9d8d6
Opcode Fuzzy Hash: 095d47e6e399afc136ac3852771dfe71ffde07ed3d836a6823b3ac65796e01d2
Instruction Fuzzy Hash: 64D09EB4916208DBCB54EBB8A50576DBBB4AB41705F6001F9C90452250E6325594CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025A1DE0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e7156bc930e6073691fcc2097ee47b532eb232537091e068066becf44d781d
Instruction ID: e222cc5d90b07cbbcc5af4ca9e2b476cbde1dbe0c21e01c992f9820dacdd1844
Opcode Fuzzy Hash: 14e7156bc930e6073691fcc2097ee47b532eb232537091e068066becf44d781d
Instruction Fuzzy Hash: F8D0C9B0425308DBC350BFB4ED0E75DBBA8EB0AE06F1041A5B809C3270DF315999CA99

Uniqueness

Uniqueness Score: -1.00%

Function 00C223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251524507.0000000000C22000.00000040.00000001.sdmp, Offset: 00C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47478c627193d738696ed558c0533ef2b6481764d36a4267ff9a74cd037e61f
Instruction ID: f552ea6fbec5e407b2dac16f95bec3cd97d78e7bb0ab6f06dfa4ef00586319ae
Opcode Fuzzy Hash: d47478c627193d738696ed558c0533ef2b6481764d36a4267ff9a74cd037e61f
Instruction Fuzzy Hash: 4CD05E79205A915FD3269A1CE1A8B953B94AB51B04F4644FEEC008BA63C368DA81E610

Uniqueness

Uniqueness Score: -1.00%

Function 025A9299, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909b6652e6394e8c6961d24226b3382ad863ea87e5b9249efeeac77ae7f0f44e
Instruction ID: f21f92b77d20850b14138965ddcafe2a78e00cd441e43747b8301562aedd8ad6
Opcode Fuzzy Hash: 909b6652e6394e8c6961d24226b3382ad863ea87e5b9249efeeac77ae7f0f44e
Instruction Fuzzy Hash: F7E0E2B4D05318ABDB84CBA4854478EB6F1BBA5310F2090A9C00967200DB305A49CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00C223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.251524507.0000000000C22000.00000040.00000001.sdmp, Offset: 00C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccf9e60dcba62b9e2473946cb5290fa17806a499300a18f80a9246ae706f6ef
Instruction ID: 7fce73f5b49b937cf200756a86bc055801f5c522b8670046eb8bdaed5d0b3524
Opcode Fuzzy Hash: cccf9e60dcba62b9e2473946cb5290fa17806a499300a18f80a9246ae706f6ef
Instruction Fuzzy Hash: 79D05E382002814BC729DB0CD1D4F5937D8AF81B00F0644FDAC108B672C7A8DDC1C600

Uniqueness

Uniqueness Score: -1.00%

Function 025A84A2, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561e8af2b34077d6204f26f6fef1632b303fe62e0f3faa0657dcc07e6b2ef2c0
Instruction ID: 0440be9d65bfdcb86b874907bd4edb6e7310970a9bc3c45747e5ad5f6f79dcd6
Opcode Fuzzy Hash: 561e8af2b34077d6204f26f6fef1632b303fe62e0f3faa0657dcc07e6b2ef2c0
Instruction Fuzzy Hash: 56D0C774D052589FCF54CF94D451B9EF775BB45300F4154D6C409E7144D7349645CF16

Uniqueness

Uniqueness Score: -1.00%

Function 025A9FE8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6a24bc91dcda0dd6a9dda7e7579834ac20eb56fb98f687c4eea8a062632681
Instruction ID: b965ffa483a7ce68e93b0a69b272c62acc5eda30288324043eae88b18998f624
Opcode Fuzzy Hash: 8a6a24bc91dcda0dd6a9dda7e7579834ac20eb56fb98f687c4eea8a062632681
Instruction Fuzzy Hash: CCD05E30912359CFCB14DF95D04168CBFF1FB44300F6088C9A40297294D7318B81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025A8581, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9892a3c255f4f920677ef118663bff3486293385f48fee658cd35c7bb564482
Instruction ID: 4d0a8d5e4f187401776d557cd05c024a6d956462ca3ec32d5aa358be0e03c495
Opcode Fuzzy Hash: a9892a3c255f4f920677ef118663bff3486293385f48fee658cd35c7bb564482
Instruction Fuzzy Hash: ACD0C9B4D0939ADFDB10CFA0C841B9EF7B5AB49300F105496810AFB240D730AA40CF29

Uniqueness

Uniqueness Score: -1.00%

Function 025A465D, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb1c20d8b39999bd3ff81b4989c24b724e79cdaa10d3afd41c204345eeb58fc
Instruction ID: ac743ca33ff3882bb40c888b540ec6ccb2e21f9e1a2bf9d883e35d7f8c452f95
Opcode Fuzzy Hash: 5cb1c20d8b39999bd3ff81b4989c24b724e79cdaa10d3afd41c204345eeb58fc
Instruction Fuzzy Hash: B4D06CB5501364CFC7548F20D995A98BBB2FB4A31AF6004A8F40A9B220CB32D981CF00

Uniqueness

Uniqueness Score: -1.00%

Function 025A8677, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498f6228192a825fdb671088a6dd3ba0ddf9e51532b69f375d875ebda497b330
Instruction ID: ddff8cbe5c4f2725cd0da69aaac8885abbc3c58a29ee5cc60ff4cd8cd9c01c2c
Opcode Fuzzy Hash: 498f6228192a825fdb671088a6dd3ba0ddf9e51532b69f375d875ebda497b330
Instruction Fuzzy Hash: B7D0C9B4C04219DBCF14CFA4D950BAEF775BB08300F005099801663241CB305901CF06

Uniqueness

Uniqueness Score: -1.00%

Function 025A72E9, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f628c0c64792b14dd3b32ae4848286b35c50eddac40836954b9910cd9aa94a
Instruction ID: 4323a2e09584357625c55841e032e3d0200371f5985ac09df4d2e284cc1e5aae
Opcode Fuzzy Hash: e9f628c0c64792b14dd3b32ae4848286b35c50eddac40836954b9910cd9aa94a
Instruction Fuzzy Hash: 64D05E3481631EEFCF50DF20D981A8CF7B2FF40300F0044988849AA154D7345A82CF56

Uniqueness

Uniqueness Score: -1.00%

Function 05BD08E7, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8770ed4708b7dc1b247c48f177ef292986275e859203b70ef61541c43e97aa4b
Instruction ID: 83623f7b0f25ad9103bd708c8092a926db94650f6088f6aaaebf0f47162f81ea
Opcode Fuzzy Hash: 8770ed4708b7dc1b247c48f177ef292986275e859203b70ef61541c43e97aa4b
Instruction Fuzzy Hash: 29D01774818215DFDB21CF28C84979CFFB0FB19301F0006D9E149E7220E73445808F21

Uniqueness

Uniqueness Score: -1.00%

Function 025A86BA, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7443db4491e5218e3aa0a292c41239ef85dd0e924a19d95d1031522db3a8c9c
Instruction ID: 046b3ae6c69c5555451b0085529bac753a3ad9786df0f19b4a6f034d73715a60
Opcode Fuzzy Hash: f7443db4491e5218e3aa0a292c41239ef85dd0e924a19d95d1031522db3a8c9c
Instruction Fuzzy Hash: 39C002B4D483589ADB50DFA4D451BAEB7B5AB49300F206495911AA7640DB305A41CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 025A7949, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a9c07ee4924acac7cd8bafe0898d92c7a4ff7924891369decae7f4e80fb66f
Instruction ID: bfb55d8beeba71e9ba2beded85514e8abb144d6f58da635a71f6488d2d47ee43
Opcode Fuzzy Hash: 42a9c07ee4924acac7cd8bafe0898d92c7a4ff7924891369decae7f4e80fb66f
Instruction Fuzzy Hash: 84C012B4C042089FCB00CFA4C412BAEFBB5BB48300F009095C409B3240E7305A00CB26

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05BD0006, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
>,, xrefs: 05BD01B2
\NG, xrefs: 05BD1262
! `, xrefs: 05BD0104

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: ! `$>,$\NG$\NG
API String ID: 0-96232990
Opcode ID: dea26c440b2d591a281f0c005902e90642789aa862b2dcac9c4842e55a87dcea
Instruction ID: 152d47d7a12a5ae56a048b80de4298750cf7becabc9f4775fe82455787d8fc5b
Opcode Fuzzy Hash: dea26c440b2d591a281f0c005902e90642789aa862b2dcac9c4842e55a87dcea
Instruction Fuzzy Hash: BB718A71D0925A8FDB29DF69CC54799FFB2BF8A301F0580EAC409AB261E7341A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05BD0070, Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
>,, xrefs: 05BD01B2
\NG, xrefs: 05BD1262
! `, xrefs: 05BD0104

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: ! `$>,$\NG$\NG
API String ID: 0-96232990
Opcode ID: a73231177c6ad4b01f59e5a3cb8682daaa56fe877664f3f3d978c4aeb068e379
Instruction ID: afb87419540d0ee84ace0e20f452017c294b1df45769f77c6ee963ef9a7e7706
Opcode Fuzzy Hash: a73231177c6ad4b01f59e5a3cb8682daaa56fe877664f3f3d978c4aeb068e379
Instruction Fuzzy Hash: 34514971D4562ACBDB28DF6AC8447ADFBF2BB88301F1080FAC41DA6250E7315A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025A6770, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

TV, xrefs: 025A68CA
TV, xrefs: 025A68BA

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: TV$TV
API String ID: 0-2708382173
Opcode ID: 6b4a71fde6133e6497b1e1f654c8c8932a87339164151a383f950a2fe6a42f7c
Instruction ID: 6c9ec3f07b3f1ef9a0ba2392437d40c55556323b86e800430bed9c2fb756b587
Opcode Fuzzy Hash: 6b4a71fde6133e6497b1e1f654c8c8932a87339164151a383f950a2fe6a42f7c
Instruction Fuzzy Hash: 0D51E174D1520A9FCF04CFA9CA919AEFBF5FB88300F18996AD415BB210D3389A05CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025A676F, Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

TV, xrefs: 025A68CA
TV, xrefs: 025A68BA

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: TV$TV
API String ID: 0-2708382173
Opcode ID: 1dd8576c3d6898bbb0183701763ff38df4e7e89f7e2c97a9c66764b5df7ad7df
Instruction ID: 2457a3b2ea66c2910a7d38247c17874ac6fd6a5a913614ed30b354f4cc379f4d
Opcode Fuzzy Hash: 1dd8576c3d6898bbb0183701763ff38df4e7e89f7e2c97a9c66764b5df7ad7df
Instruction Fuzzy Hash: C551E175D1520A9FCF04CFA9CA919AEFBF5FF88200F18996AD415B7210D3389A05CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025AB2A0, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

^UT, xrefs: 025AB37E

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: ^UT
API String ID: 0-245339993
Opcode ID: 33bc7179dd1b38945cfd244d9cc0e3a054d4a21251a83ab66dd853b95f576627
Instruction ID: 06f8f668c17945ca1fab468a9269ba1e04fa6cf0d0b56e02b823fd38883abe7c
Opcode Fuzzy Hash: 33bc7179dd1b38945cfd244d9cc0e3a054d4a21251a83ab66dd853b95f576627
Instruction Fuzzy Hash: 05A14770D012099FCB04CFAAD5925AEFBF2FF59318F10955AD411AB398D7309A42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 025A6271, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

-IJ@, xrefs: 025A63EE

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID: -IJ@
API String ID: 0-1881012399
Opcode ID: 55ae1f1e5b7da7359eb74d75962cfa56a78557b69a86b0d54077802c8bcdb3c7
Instruction ID: 66797be1561b737af1daeef962f129dd5cd039e6f20c575b86c7fb55b737b67f
Opcode Fuzzy Hash: 55ae1f1e5b7da7359eb74d75962cfa56a78557b69a86b0d54077802c8bcdb3c7
Instruction Fuzzy Hash: EE5107B4D05209DFCF04CFA9C5915EEBBB5FF49300F28955AD411AB214D734AA41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 025AC7B0, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770ac8293328c62e1fe152e9d2ae9c5ba619a2ab761e4de67d8f5d26f7c5e39a
Instruction ID: f3ea5a7db5d35e03a1f68a3f11106030619b12b93d33843b56e5b20c80e789de
Opcode Fuzzy Hash: 770ac8293328c62e1fe152e9d2ae9c5ba619a2ab761e4de67d8f5d26f7c5e39a
Instruction Fuzzy Hash: D6E12774E04218DFCB14CFA9C591AACFBB2FF89305F20819AD815AB359D730AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025AA530, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1250142822a85d321bf4c04980e2183211e3651f838c6582ff8638bf4628503
Instruction ID: 8d09c7f919897efaf0a987b02d55291aab9b21b2b2bd1e1ccd1833e49f158111
Opcode Fuzzy Hash: d1250142822a85d321bf4c04980e2183211e3651f838c6582ff8638bf4628503
Instruction Fuzzy Hash: 5DD12574D04218DFCB14DFA9C5919ACFBB2FB89304F2481AAD815AB359D730AA42DF94

Uniqueness

Uniqueness Score: -1.00%

Function 025A556B, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1f36f2b6dda79f779aaa78a0200292809a04acbee3ec64fa60b2e999c7da92
Instruction ID: 607fae3962e7bfa7b7c6867807f92d3f3117fe3e7d0859fa779f53e1a25df62c
Opcode Fuzzy Hash: 7d1f36f2b6dda79f779aaa78a0200292809a04acbee3ec64fa60b2e999c7da92
Instruction Fuzzy Hash: C661CE74E15209DFCB44CFA9C185A9DFBF1FB49310F54D9AAE815AB224E334AA40CF64

Uniqueness

Uniqueness Score: -1.00%

Function 025A5578, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c48f9e3b0dd97794964da234fe042a8fdcd6c7354fa82e85e1c4ac85c3c8294
Instruction ID: 2bf419c70f2f7f8cb7bb8447c295fa8594f6e1eed004d20572f249fa8f47ae08
Opcode Fuzzy Hash: 6c48f9e3b0dd97794964da234fe042a8fdcd6c7354fa82e85e1c4ac85c3c8294
Instruction Fuzzy Hash: E561DE74E15209DFCB44CFA9C185A9DFBF1FB49310F54D9AAD815AB220E334AA40CF64

Uniqueness

Uniqueness Score: -1.00%

Function 025AB748, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3d6412730c7e55c385376a3340b0b4f7ec06076bf85cdda8e87341623ddf1a
Instruction ID: 2dc6593724ce0fff3416f4769fcb7712715b74c6b7f2cd076c2f7326747ca091
Opcode Fuzzy Hash: 8e3d6412730c7e55c385376a3340b0b4f7ec06076bf85cdda8e87341623ddf1a
Instruction Fuzzy Hash: 55516B70D0520A8FCB04CFA9C552AAEFBF1BF59314F509A5AC411BB399D3749A01CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 025A5FD0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450c5d76fadcf2cdf4d8cea691b3b088de7782bba0108cad422450241075f855
Instruction ID: d8e808bc52796d3fea807bb22ebddadb18ec02e81d1ac1059e3cd3648017b87c
Opcode Fuzzy Hash: 450c5d76fadcf2cdf4d8cea691b3b088de7782bba0108cad422450241075f855
Instruction Fuzzy Hash: 67510674D1521A9FCF40CFA8D5928AEFBF5FB48310F149556D815A7251D330AA80CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 025A5FE0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d94ed2167c51a448ea78b3817093bc7b03376f8e88b3eb1d044661bd5c15db2
Instruction ID: b3487b1794cd8cf89e98c12b2a34ee7643f32542216cb13580b26491ad296013
Opcode Fuzzy Hash: 6d94ed2167c51a448ea78b3817093bc7b03376f8e88b3eb1d044661bd5c15db2
Instruction Fuzzy Hash: 9151F274D1521AEFCF00CFA8D5929AEFBF5BB48300F149956D815BB201D330AA80CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 025A13DF, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec21d2e18860adc7cb6940ebef236e8589c91cb8f4f619a768cf3d5a043dc6d
Instruction ID: b10a83fb1ac4ea785673a723c2e11f37f72322fbc1bbc37fb6c7a9d2040d817e
Opcode Fuzzy Hash: 7ec21d2e18860adc7cb6940ebef236e8589c91cb8f4f619a768cf3d5a043dc6d
Instruction Fuzzy Hash: C35123B4D04609DFCB04CFA9D491AAEBBF1FF89310F108969D419BB254D7309A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025A6560, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6731023dd64d4cd0ef74572d37458f91a8e5d9aa491c1d2fa0150727b337fa77
Instruction ID: 40b7376ac900cb26b7718dd5b8972dec5c4d8a29c4c27137ab20213dfa7ddc5c
Opcode Fuzzy Hash: 6731023dd64d4cd0ef74572d37458f91a8e5d9aa491c1d2fa0150727b337fa77
Instruction Fuzzy Hash: 14418770D0520A9FCF04CFAAC5925AEFFB5FF89310F58856AC511AB258E7349A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 025A6570, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822a779a67ad64e882b4a56190dd720a3b4404c6594608562c23a4c8855094d9
Instruction ID: 0e0a1cec873bc29ee56a1cb788259b1e2767ba0a7308d6d77873de105b3359c2
Opcode Fuzzy Hash: 822a779a67ad64e882b4a56190dd720a3b4404c6594608562c23a4c8855094d9
Instruction Fuzzy Hash: F8411470D0520A9FCF04CF9AC5925AEFBB6FF89300F54986AC511AB258E7349A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 025AF150, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc7c43f39ea82b1b266e0ca3f7e6613b19886867b90ce96e9f46e95e48710f
Instruction ID: 8d103d813cc681ee36fcf6a9004f799c3c205739a011e49a7ff5ec30abb3f67c
Opcode Fuzzy Hash: 02fc7c43f39ea82b1b266e0ca3f7e6613b19886867b90ce96e9f46e95e48710f
Instruction Fuzzy Hash: EE414474D15209DFCB04DFA5D5966AEBFF2FB88300F20D8AAC401A7254E7399A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 025A69A0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502b3a13877b6a44d2fac5c7d0374b514ee6cd2c25f0c518ea43d214d274cd72
Instruction ID: 093ddbeaa5069a274257216ed3afba25359d055be13beb9fece2f09814c9b98f
Opcode Fuzzy Hash: 502b3a13877b6a44d2fac5c7d0374b514ee6cd2c25f0c518ea43d214d274cd72
Instruction Fuzzy Hash: 7831D8B4D0520ADFDF08CF99C5925AEFBB6BB88300F24C569C416B7254D7349A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 025A699F, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d028e1a7c3cfc93694042ab51cd83c06e9636d3245e98979190fb918bb15f1
Instruction ID: f2804dae1575dc282583ac36f4e77081a6cb5fe810034282ebdce914e62c552c
Opcode Fuzzy Hash: b1d028e1a7c3cfc93694042ab51cd83c06e9636d3245e98979190fb918bb15f1
Instruction Fuzzy Hash: 4C31D774D0520ADFCF08CFA9C5825AEFBB2BB89300F24C56AC416B7254D7349A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 025A6B11, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50c3030b2a15f4bd6b3b71c1c00b61d448bcad0cc76cbdca28ae2e709754050
Instruction ID: 260ff2e1f89fdf2b540feb079c7a1dd9576b673558f341cf949cae47cee15259
Opcode Fuzzy Hash: a50c3030b2a15f4bd6b3b71c1c00b61d448bcad0cc76cbdca28ae2e709754050
Instruction Fuzzy Hash: 3B31F971E016188FEB18CF6BD84469EFBF3AFCA310F19C1AAD848AA255D7300945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 025A1E1F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29dd5ba1749ca06a55f62f07e11122814615b0f11248af948cfabbf7e25a574
Instruction ID: d59716e5b0812028f2c75efebe2bd276a0071343a23665e394df45b6c5d63ba2
Opcode Fuzzy Hash: e29dd5ba1749ca06a55f62f07e11122814615b0f11248af948cfabbf7e25a574
Instruction Fuzzy Hash: E011F8B1E05A189BEB18CFABD94169EFAF3BFC9300F18C17AD808A6264DB700545CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1C58, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0764dc185327a1eb80ac9038edb32e94c1fdf2aff88a40b11419dfbb93f58c07
Instruction ID: 144069aa90d8640dc2ce8731a03e4b818dc0533cdb878c208f9bd21ec3bf19f0
Opcode Fuzzy Hash: 0764dc185327a1eb80ac9038edb32e94c1fdf2aff88a40b11419dfbb93f58c07
Instruction Fuzzy Hash: 6D111670D442199ECB14CFA9C949BEEFAF1BB49301F145069E005B7251E3345540CF78

Uniqueness

Uniqueness Score: -1.00%

Function 05BD1C57, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80068db7d35dc1b7c96d96c24c6d16770886f15d5279adf40b80a36a911c250b
Instruction ID: 5259f0bf3d6417f2b93ae9c3c2aca828e870a3f0a3e3d336a92d47744fc9d69f
Opcode Fuzzy Hash: 80068db7d35dc1b7c96d96c24c6d16770886f15d5279adf40b80a36a911c250b
Instruction Fuzzy Hash: 6F11F570D492599ECB14CFA9D949BEEBFF0BB4A301F1850AAE405B7291D3345A84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 025AC030, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eba4d4ed3ff674e505d187921d466d993d962d8b2916e70df49f512bb2d26d8
Instruction ID: 2f5295d392684cf7a19c45759f1582984d0b07afb391e86d00cfd54f79866f6c
Opcode Fuzzy Hash: 9eba4d4ed3ff674e505d187921d466d993d962d8b2916e70df49f512bb2d26d8
Instruction Fuzzy Hash: E911DBB1D05609CBDB18CFABD5412AEFBF3BFC9201F24C57A8818A7255DA3446119F44

Uniqueness

Uniqueness Score: -1.00%

Function 025AAAC8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.252327982.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f6da783c80ecdd4acc0f07adf253c0368e3c89cbf13d4a81efb2b51b5131c
Instruction ID: c448e36d3edd66144798900a4d4d5887a0e2c9ec52b8ae357ae0c480841626fc
Opcode Fuzzy Hash: 975f6da783c80ecdd4acc0f07adf253c0368e3c89cbf13d4a81efb2b51b5131c
Instruction Fuzzy Hash: 731117B1E05609CBDB18CFAB99016AEFBF7BBC8200F24C57E8818A7254D7344602DF44

Uniqueness

Uniqueness Score: -1.00%

Function 05BD01E4, Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

\NG, xrefs: 05BD1295
>,, xrefs: 05BD01B2
\NG, xrefs: 05BD1262
! `, xrefs: 05BD0104

Memory Dump Source

Source File: 00000002.00000002.264750900.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false

Similarity

API ID:
String ID: ! `$>,$\NG$\NG
API String ID: 0-96232990
Opcode ID: cd16e13da94a64358b0f79952d605196706a821418ddc433ea4410c2f01ab6ed
Instruction ID: 069084faaa56377a0f9800284cff56aa04b5283d065bcba9cea803c11d0433be
Opcode Fuzzy Hash: cd16e13da94a64358b0f79952d605196706a821418ddc433ea4410c2f01ab6ed
Instruction Fuzzy Hash: CC414370D4522ACFDB64DF68C845BE8FBB2BB89301F1054EAC11AB6640E7346A85CF95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 5488 Parent PID: 4504 powershell.exeCOMMON

Executed Functions

Function 031C2EA0, Relevance: 4.6, Strings: 1, Instructions: 3346COMMON

Download Yara Rule

Strings

, xrefs: 031C402B

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5b3ee03d9d2ca127d1674cb413182edfe361504fba942d883a64a7729194ad37
Instruction ID: ce863aa0303f539f34e09d9b6183b292111c3a3f89a65be7b713b2b1e913d07b
Opcode Fuzzy Hash: 5b3ee03d9d2ca127d1674cb413182edfe361504fba942d883a64a7729194ad37
Instruction Fuzzy Hash: 80731834A10268CFDB65DF20D855BADB7B2BF49305F1484A9E40AA7250EF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 031C8D53, Relevance: 1.1, Instructions: 1058COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbb57e94377ecddd5ab8465fc659fbe53136c27b2c8fed765e4a093229b62fb
Instruction ID: c7c721aa926149d5fb7ee9be3c19a69ae2bdbdef2c48a8106b074cc5c676c8d7
Opcode Fuzzy Hash: ddbb57e94377ecddd5ab8465fc659fbe53136c27b2c8fed765e4a093229b62fb
Instruction Fuzzy Hash: C6B21574A11329CFDB64DF24C894B99B7B2BF89305F1444E9D40AAB790EB399E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 031C0040, Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6819b70d9b3d6f820739ff7d2041757dfbe8a5cc834ec0e2ce8582242ea5bc3f
Instruction ID: ffebfa4ab1437542c2fd4820256ec4cd5709846fc0c8f3d4f1c253aeaffa0936
Opcode Fuzzy Hash: 6819b70d9b3d6f820739ff7d2041757dfbe8a5cc834ec0e2ce8582242ea5bc3f
Instruction Fuzzy Hash: A7525934A00259DFDB14DF64C944BEEBBB6AF8C304F1481A9E949AB260DB74DD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031B95C0, Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5045ef8db91cb55034526df9a60422379694561572812b98fd897fb1e1196dc
Instruction ID: 60fd5bcb0e5353fe96a6b2d701de8cd1450eae2f3aa6a8ec02dedaf6cd72f961
Opcode Fuzzy Hash: b5045ef8db91cb55034526df9a60422379694561572812b98fd897fb1e1196dc
Instruction Fuzzy Hash: 43328234A00209CFDF18DF75C890AEEB7B6BF89344F188569E9059B391EB35D942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031BC348, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456f316d61e010648bb3c30b9a87294b62ecb6fc34dbcacd923eb609022642e6
Instruction ID: c5aeffc6c45aa593e10934da78d63d2964ab08040bafb14f14ee5c2183618efa
Opcode Fuzzy Hash: 456f316d61e010648bb3c30b9a87294b62ecb6fc34dbcacd923eb609022642e6
Instruction Fuzzy Hash: C82281347006059FCB14EF69D894AEEB7F6EF88304F188969E4059BB64DB74ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031BF690, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead20ca7bac972fbcd340b7644bf1cc6b8b2b265d48fa8410d6ea85efb3e9af7
Instruction ID: 66960e99400339ad7880664e1b92b0c880d341a51c944c3cd6fe080ec3e2b546
Opcode Fuzzy Hash: ead20ca7bac972fbcd340b7644bf1cc6b8b2b265d48fa8410d6ea85efb3e9af7
Instruction Fuzzy Hash: 2E126C34A003499FCB05DF75C890AAEBBB2FF89304F1985A9D8499F356DB34E946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031CEE30, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be3b35482d97b193ae33863b48c6810529fbf9e54811842b573adccca48741b
Instruction ID: 602314637e96f0995f2b31e87eff135ac65ca7693b44de0e770075910eb9b6ee
Opcode Fuzzy Hash: 5be3b35482d97b193ae33863b48c6810529fbf9e54811842b573adccca48741b
Instruction Fuzzy Hash: 6EC1AF31E1075A8FDB10CF65C85079AF7B6FFD9304F24869AD508AB241EB70A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031BDAB0, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac752c65ff7083ab4f5043b7de9a05b93a3c32dd7f1f4e0e7634b319937748d
Instruction ID: a0773cb34f302be58a718b6fdda66a78a65c85d0b548bfa994acf2a371a2ad0a
Opcode Fuzzy Hash: 6ac752c65ff7083ab4f5043b7de9a05b93a3c32dd7f1f4e0e7634b319937748d
Instruction Fuzzy Hash: 60A1F1347042009FEB28EF719850BAB7AF79FC9244F188869C5068F795EF78D90587A1

Uniqueness

Uniqueness Score: -1.00%

Function 031BB9B8, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ed557cef70cd4765b0b113ced918610245ffd7f1c0f9a2f8d12dfd3af5e1ac
Instruction ID: 18ea281c1022e475e3f4bf05761abe9de910d63816592e19cc1d8053bd225022
Opcode Fuzzy Hash: 83ed557cef70cd4765b0b113ced918610245ffd7f1c0f9a2f8d12dfd3af5e1ac
Instruction Fuzzy Hash: F7C1BC74E00219CFCB14DF65C880ADEBBF2AF89344F1485A9D409AB764EB74AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031C7F62, Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9384719a79119e018f1aabd8ec9a9faf7b3f1cb2bd2858223ec01ecb3fd1971f
Instruction ID: 44bcf198e68caaa6b01a47b563e235429b015b508ede1ea6ec38e9b860ba8ac1
Opcode Fuzzy Hash: 9384719a79119e018f1aabd8ec9a9faf7b3f1cb2bd2858223ec01ecb3fd1971f
Instruction Fuzzy Hash: DB723DB4A016298FCB64CF28DD84B9ABBB1BB49305F1041EAD90DA7350EB346EC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 031BA478, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7277e70044f0158ac45e38fc56101fddec1debf3c05dd9c7666386ae6544fd
Instruction ID: 37197273936384f02e362b8b95fb0821bb15baa40fb9235231d519d482d6daa2
Opcode Fuzzy Hash: 9f7277e70044f0158ac45e38fc56101fddec1debf3c05dd9c7666386ae6544fd
Instruction Fuzzy Hash: D6124D74A01218DFDB64DF65D894BEDBBB1BF48345F0481AAE809AB3A0DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031B7D18, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568b2a044c24c420cf4f6c4460b1296e7f1b612d928e94de68ad1f46fe471980
Instruction ID: 84393c983fccf3e96dd95b4cbf4e57e5ee2b16ad056dd1a97f80ce1ec737c161
Opcode Fuzzy Hash: 568b2a044c24c420cf4f6c4460b1296e7f1b612d928e94de68ad1f46fe471980
Instruction Fuzzy Hash: 30D1A034A002059FDB24EFA9C880BEEB7F6FF88740F14852AE515AB794DB349C45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 031CF290, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0201da5c3ade9552d300f712a37bcec62c9d53992affe001cc243d0c94d71e1
Instruction ID: fa6d5d048b799c38fc17c770a44286e168ce394252242844366d10f02905617a
Opcode Fuzzy Hash: a0201da5c3ade9552d300f712a37bcec62c9d53992affe001cc243d0c94d71e1
Instruction Fuzzy Hash: CDE17E34A102598FCB04DFA9C894AAEBBF6FF49340F158569E905AB395D730ED42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031C73FA, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7688ac89fd46e1b801a26b3d974d6a05ab657434bb4c846df4f286b784f073
Instruction ID: af8e0e70a43dd09314f45dd4202014dda5909f77f48b5c4f6ea4b82eaa0a48ed
Opcode Fuzzy Hash: bc7688ac89fd46e1b801a26b3d974d6a05ab657434bb4c846df4f286b784f073
Instruction Fuzzy Hash: FA02BFB4A112298FDB65DF24C984B9DB7B5BF48304F1081EAE509A7250EB74AFC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 031B95B1, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10446cce6b03932e13eca329c9b84ce2f51fb64daebac32d9f1e6cef78813a1e
Instruction ID: 4a035ef8263459b8ad457e9eabdb4a59bebe48d388879a3e9bca77889149f8bf
Opcode Fuzzy Hash: 10446cce6b03932e13eca329c9b84ce2f51fb64daebac32d9f1e6cef78813a1e
Instruction Fuzzy Hash: 33C14B34B002098BDF18DF75C5906EEB7B6BF89304F1945A9DA069B395EB35E942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 031CAB50, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbff34059e4ae87319df70720e0c7ee14c8459bb35adab0df269a92ff07eb5ab
Instruction ID: 49e70fc5461535ed3f36081ac7e9c2c7ae6e02a3c04bed410cf39f4d96d5fab8
Opcode Fuzzy Hash: bbff34059e4ae87319df70720e0c7ee14c8459bb35adab0df269a92ff07eb5ab
Instruction Fuzzy Hash: 58D13934A10258CFDB25DF64C994BADBBB2FF89304F1481A9D4099B395DB319D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031CB620, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905477b1cb9fa80219ca51b2cc5b28ba69cee8dc8c22a161fc0f7775c8e52d12
Instruction ID: dd7894553c21f2f9b1bfa3a40118f17fe443198f039b1c3cfd7466f24d863f06
Opcode Fuzzy Hash: 905477b1cb9fa80219ca51b2cc5b28ba69cee8dc8c22a161fc0f7775c8e52d12
Instruction Fuzzy Hash: F0A18E34A182549FCB14DF69C854AAABBF6EF8D310F19C0AAE945DB7A1DB30DC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031B1448, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb25602b927d5455e0d7e103dba9c02731586fb230e1daa33d38b8d4fc104790
Instruction ID: 7890a04e257375113bac3114ea8982dfc5df0fd5f66299a962d9cc323533e0ef
Opcode Fuzzy Hash: cb25602b927d5455e0d7e103dba9c02731586fb230e1daa33d38b8d4fc104790
Instruction Fuzzy Hash: 31B18A31A00309DFCB14CF99C594ADEF7F2FF89314F1A856AE809AB651E774A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031C0007, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f7f0ad30897d5428e9d6d6722c09afaa1fd2eee441c3ba6701185cbcb904db
Instruction ID: f0083c13e120e0c6869135de535932f989014c4bd33a4fcf6749e77960b59b66
Opcode Fuzzy Hash: 46f7f0ad30897d5428e9d6d6722c09afaa1fd2eee441c3ba6701185cbcb904db
Instruction Fuzzy Hash: 43B16835A00259DFCB15CF64C984AD9BBB6FF8D300F058599E948AB221DB70EE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031BC338, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a9146d874e701d57480344e11547005e49a0f528e2cad5d951582428557eae
Instruction ID: 889420bc03b134a92a7dcb71ebd91ad62a24c4eb5adcbfaa0e21a9dfb65653de
Opcode Fuzzy Hash: 74a9146d874e701d57480344e11547005e49a0f528e2cad5d951582428557eae
Instruction Fuzzy Hash: 839180346002059FCB14DF69D890AAEBBF6FF89344F184969E402DB765EB70ED49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031CE760, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8713550125d44471d981f324e403998c8ff0ae17b5c8ef83dd0b0c5522b8233a
Instruction ID: 9e51a30156ad14375436f89fca7ff67106138ce8ae63304184d2dae61e03aac2
Opcode Fuzzy Hash: 8713550125d44471d981f324e403998c8ff0ae17b5c8ef83dd0b0c5522b8233a
Instruction Fuzzy Hash: EBB14774A00219CFDB14DF65C840B9EBBB2FF89300F1585A9D908AB355DB70AE85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031C24C8, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d9c3e400729e4a03968731aa263fe668a942d1004094c9d88d415b74949af0
Instruction ID: 69b971b5019dcd602051886c4842070a9df353afe7cc7d5a0c3c10201cba1800
Opcode Fuzzy Hash: 06d9c3e400729e4a03968731aa263fe668a942d1004094c9d88d415b74949af0
Instruction Fuzzy Hash: 2E71FF35B107148FCB14EB75D891AAEB3E6AF88204F14847DDA06EB790EF75DC068790

Uniqueness

Uniqueness Score: -1.00%

Function 031CA5C3, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b737cc879d5a00ab7e6384fc26fff78bceb8d4dbfb808514082e30fba2d635
Instruction ID: d8985e4e809759ef00e101d3805dd6879319dedb23bf0bb3c162ca5ceb873565
Opcode Fuzzy Hash: 01b737cc879d5a00ab7e6384fc26fff78bceb8d4dbfb808514082e30fba2d635
Instruction Fuzzy Hash: 6281E2347102189FDB15EF74C851A6EB7B3EF88254F18842EE9029B395EF79DD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 031B5150, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d75007ba584d14276a0a5b3cc6e3d949c347e4cb2c7b8f0290475ac464f80
Instruction ID: 04c54803d70de1f4db884e695216698f6038f61a692df4f6475301e4104d73e9
Opcode Fuzzy Hash: 049d75007ba584d14276a0a5b3cc6e3d949c347e4cb2c7b8f0290475ac464f80
Instruction Fuzzy Hash: F991AE34B002058FCB08DF75C490AAEB7B7AF8A305B148569D5069F7A0EF74ED06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031BAFFF, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44690aa4715056e7be10e2a6518ba899ae9731fc2f51b1dc817adb6644bd2c52
Instruction ID: 2fc5227378248a8090b6ffe6336c065085e814d81ed642c9173be49429c37d1e
Opcode Fuzzy Hash: 44690aa4715056e7be10e2a6518ba899ae9731fc2f51b1dc817adb6644bd2c52
Instruction Fuzzy Hash: 70B11934A04258CFDB64DF24C898BADB7B5AF48305F1584E9E40AAB7A0DB349E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031BB55B, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e7609eb62059e6ca77d1f62748f1e9b2e1a4428781046fb30db504fd285769
Instruction ID: 699f7c9cceb0a2fb78bec6cff8ac60ea66a3bc7a941201e5b7e63cfc74087196
Opcode Fuzzy Hash: 55e7609eb62059e6ca77d1f62748f1e9b2e1a4428781046fb30db504fd285769
Instruction Fuzzy Hash: BC817934B002049FCB04DF69D490A9DBBF2BF89344F1981A9E9059FBA1DB71EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031C1C60, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940aaf348166707a5f0f5be3d50dd14850e18521df344842d10315ffb670fa75
Instruction ID: c7fd0bba89b5d11246169b989f08800cd19c9cb0aede1a49efad432bb637558e
Opcode Fuzzy Hash: 940aaf348166707a5f0f5be3d50dd14850e18521df344842d10315ffb670fa75
Instruction Fuzzy Hash: FA81A070B102499FCB04DFA5D855AEEBBB2FF88344F14852DE802AB354EB789D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031BB9BA, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd4049b21c7c1422a781658f563d84f808d9e6478485934297289fe02b73e6a
Instruction ID: 7f3cc76d5f52ea86ff18ceb13915c89d80440f793d47ec97cc1ee8fe524488fb
Opcode Fuzzy Hash: ebd4049b21c7c1422a781658f563d84f808d9e6478485934297289fe02b73e6a
Instruction Fuzzy Hash: 2951BA70A002199FCB14DF75C880AEEBBF2AF89344F1884A9D405AB754EB34AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031CAB40, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbec25f86f234c09742d8c18f8c4dabc2819e8652fc1fb4e066df96b874ba33
Instruction ID: dd55dd53a35b49961cc7b365e5c357f556e532912e8b1f55f2b284b308a8f0eb
Opcode Fuzzy Hash: fdbec25f86f234c09742d8c18f8c4dabc2819e8652fc1fb4e066df96b874ba33
Instruction Fuzzy Hash: E0515D34A10298CFDB25CF68C950BADBBB2BF98204F1885ADD409EB355EB309D46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031C15D8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5386848177a84ddba7e462393c5abf75f63018896830f5114431931f1380c25
Instruction ID: fa654f59e973d909ec1f499f00cd327d60abe6d511a0ea7e922dacc653f98712
Opcode Fuzzy Hash: c5386848177a84ddba7e462393c5abf75f63018896830f5114431931f1380c25
Instruction Fuzzy Hash: 5441CE35B002549FCB14EB79C4806AEB3F2EFC8211B58887DC50AAB765DB71EC09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031BDF2F, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747aef989aa9a53478c79284e70a0f5b984c3759f02c142d7f1420421477afe1
Instruction ID: 8f39ca9fdd5c11807b760a595eb817ddd2088b792c20a7f6ccf7e0e17e3deb22
Opcode Fuzzy Hash: 747aef989aa9a53478c79284e70a0f5b984c3759f02c142d7f1420421477afe1
Instruction Fuzzy Hash: 4A515B746012049FCB54EF78D440A5E7BF2EF8A211F2484BDE506EB394DB369C018B95

Uniqueness

Uniqueness Score: -1.00%

Function 031BDF40, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc4c2a8bb9a296c517ed98d275e59b9e6c32a5b937f00f8af8067c2971bcb73
Instruction ID: 370a4190de045b947df84f754782e23a010d38de89afb06181659f30c12de5bb
Opcode Fuzzy Hash: 4dc4c2a8bb9a296c517ed98d275e59b9e6c32a5b937f00f8af8067c2971bcb73
Instruction Fuzzy Hash: 97415CB4A012049FCB54EF78D440A5E7BF6EF89215F24847DE506EB394DB359C018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 031C2830, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dd561de2f79a8bbb35a361ee40bdbd8f25a02edd96a6e1835055e2e31a23de
Instruction ID: a56c2318dfd67754867a218beae076f94441ef41a0ab42c7e3b388ce1069b14f
Opcode Fuzzy Hash: 97dd561de2f79a8bbb35a361ee40bdbd8f25a02edd96a6e1835055e2e31a23de
Instruction Fuzzy Hash: C231CE39B102558BCF24DA35C9447BEB7E6BB88280F08483DD806D7380EB38D946C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 031C2820, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193675abb3368faf8a1022a6c8c977e13cf409283d0705a705a6132f39f78f87
Instruction ID: 36d9cbdffea61110d253381c6deffaa36456bdb5d93accba2227122e8768280c
Opcode Fuzzy Hash: 193675abb3368faf8a1022a6c8c977e13cf409283d0705a705a6132f39f78f87
Instruction Fuzzy Hash: 6631AD39B106558BCF24DE35D9456BEB7E6BB98280F09482DD906D7280EB38DA46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 031CF280, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897e9a647e8a9507ee986716b0d2681c9321840f0e834b0f2d0093fa395187ea
Instruction ID: 622e9ca03b7c540da02aebb421973cbab7c89b49bf40d619fad777c89df26eb3
Opcode Fuzzy Hash: 897e9a647e8a9507ee986716b0d2681c9321840f0e834b0f2d0093fa395187ea
Instruction Fuzzy Hash: 99412874A102599FCB44DFA9C584AAEBBF2EF4C310F1991AAD815EB391D3309941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031C21C8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3938166e610bad305ee2ee0233ff5ae2e7cb1c31a17d26e2a580f969c7400412
Instruction ID: ba352aaa3b6900f68fc99c9edc9fd8ebc11cb244e98d5f85a00655c68be27fe7
Opcode Fuzzy Hash: 3938166e610bad305ee2ee0233ff5ae2e7cb1c31a17d26e2a580f969c7400412
Instruction Fuzzy Hash: E931BE31A102499FCF14CFA4D4407EEBBB6EF89344F24882EE501AB750EB719946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031CA850, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e05e93d43ebec0943c63259c6c645e7eb7e8bdfb9eeac9fc95e9c6c8031aa4
Instruction ID: a3609660e6ffc52493db4905d79c54375d0cc5308e126ec3a068ef4f8ff6d3b2
Opcode Fuzzy Hash: 22e05e93d43ebec0943c63259c6c645e7eb7e8bdfb9eeac9fc95e9c6c8031aa4
Instruction Fuzzy Hash: 6131D0357201148FCB19EB39C951A2EB7E6AF8C654B15446DD502CB3A0FF34CE0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 031B1439, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae467c7a9c576c0c2250c2746e55ba614da83bf47850e7bf8e4f87998f22ec4
Instruction ID: 66196f76a924a1355382d07818c41b64a37c51213f665554645c8a05d7dc4fc4
Opcode Fuzzy Hash: aae467c7a9c576c0c2250c2746e55ba614da83bf47850e7bf8e4f87998f22ec4
Instruction Fuzzy Hash: 28418C30E00615DFCB19CF65C590A9EFBF2BF89304F1A856AD846AB351E770B941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 031C15C8, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c761530af8ae3901fcc8803a175d5ee743a11200494e6d23d7a16a95b543333a
Instruction ID: 2c8a88f7481c3b75a1fa4912bbc879237b0857a9473e5f379c5ac96d9000725f
Opcode Fuzzy Hash: c761530af8ae3901fcc8803a175d5ee743a11200494e6d23d7a16a95b543333a
Instruction Fuzzy Hash: 4E31BC35B006649FCB24EB79C440AAEB7E6AFCC210F5885BDC905AB751EB71EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031BBAC1, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57190ff604b4a8e98d7a7ac636956b35de2a4ecdd4b7148c879c225d1405eea
Instruction ID: 8347d9ea4e42df57c35af7dd939e2edc6adc03455b7016099aebf2c11e72a7be
Opcode Fuzzy Hash: e57190ff604b4a8e98d7a7ac636956b35de2a4ecdd4b7148c879c225d1405eea
Instruction Fuzzy Hash: 2841C470A002099FCB14DFA1C980BDEB7B2BF89304F148569D405AFB58EB70AD89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031C29E0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13d7235ba61f6dd0cbadfb51fe2b8979cfae48b25c91fb610db9f1d639ab52
Instruction ID: 1925a8cd4f6e03dccec6d83f3518d29f1bc07cdeb2137b297097a6679a20ae38
Opcode Fuzzy Hash: 8f13d7235ba61f6dd0cbadfb51fe2b8979cfae48b25c91fb610db9f1d639ab52
Instruction Fuzzy Hash: 5931AE35B102058FDF24DF68C440BAAB7A2EF88754F28847AD909DB750D731DD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031CE75C, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8496d0f81dd425f6167026f9462c18a6c4cd6b76c0ee34d31566a93ef9c8522
Instruction ID: 58eb4f4fed931227d4dd651e7c5e9e1c3308b3ad29309d22e9ea196a53b5487e
Opcode Fuzzy Hash: f8496d0f81dd425f6167026f9462c18a6c4cd6b76c0ee34d31566a93ef9c8522
Instruction Fuzzy Hash: 8641F574E103299FDB24CF65C844B9DFBB1FF89301F1582A9D449AB250DB70A985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031CB0F0, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba2d8d4aa46d38a6da69a9d3c28f59cc5bf732c3cd800f21b59e659a1d11f12
Instruction ID: 246ea1dd3f213c2e83092fa977eb70958a173988c44e12ac7a41e947a18806f1
Opcode Fuzzy Hash: 1ba2d8d4aa46d38a6da69a9d3c28f59cc5bf732c3cd800f21b59e659a1d11f12
Instruction Fuzzy Hash: D2310175B142158FCB24DF68E8417AAB3E6EF88354F19807AD80ADF390DB35D941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031C2081, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be6835e5edda25c6b8f5709207d95cdca79bf650d664d3118a400066745fcf5
Instruction ID: dd97642f27969f8995dcbc1e99aabe57659f65f2b4220ae6d0df0fb9d6a931e5
Opcode Fuzzy Hash: 6be6835e5edda25c6b8f5709207d95cdca79bf650d664d3118a400066745fcf5
Instruction Fuzzy Hash: D721AD747002548FCB04EF39C884A9A7BF6EF89350F1644AAE504CF3A1DB34DC058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 031C06DE, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15b8db9f33ea0c21c000e818f24c911f3e8d7e26d33783e42105aec24790199
Instruction ID: 365dc0d5f306a392b7fa5ae9d62427a2db68a48a256cda49a1b5dd98970b1690
Opcode Fuzzy Hash: c15b8db9f33ea0c21c000e818f24c911f3e8d7e26d33783e42105aec24790199
Instruction Fuzzy Hash: F0313F34A00219DFDB15DF64CA45BEDBBB2BF8D300F104598E989AB261D775AE80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031B4350, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef8a1787b6184596626b5cd05a8e81edd32c19e717933a8a6ef5ac4a2b9cd51
Instruction ID: 89262ffa3dddefc4793f837a79742a062cf75d043744564da5b9a6ba88fbfa7c
Opcode Fuzzy Hash: 8ef8a1787b6184596626b5cd05a8e81edd32c19e717933a8a6ef5ac4a2b9cd51
Instruction Fuzzy Hash: 5921C5746042544FC301DB29C8E08AABBB4FF4A304B5944D6D445CB763D735AC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031C2098, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3261ccaecb52e6d5fb3aa08d61793db1b8310dd945cf2dd303286341a4a577
Instruction ID: ac820a59dad0a6bd1c5aaf2e10ddce408d69f8f3c81d77962c67a8d854d823b3
Opcode Fuzzy Hash: dd3261ccaecb52e6d5fb3aa08d61793db1b8310dd945cf2dd303286341a4a577
Instruction Fuzzy Hash: 2A216A747102148FCB44EF29C880A9E77E6EF89794F158469E509DB3A0DB31DC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 031BEB68, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1fc9d95e3227bea0838e18d632b526558acd745f633f7f3d47b949a3a0efdb
Instruction ID: 52aa9987552e679886523dd2b5db789b2dbd2143aa99405abef59d1c0e80311a
Opcode Fuzzy Hash: 4b1fc9d95e3227bea0838e18d632b526558acd745f633f7f3d47b949a3a0efdb
Instruction Fuzzy Hash: 1521D4387052049FCB05EB79D8549DEBBB6EF8A15071884AEE449CB751DB70DC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 031C9F3A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb6b108c7aa8be240a73d5b55fd524fb522f81ed1c971092760dc919ffc028d
Instruction ID: c211ae5ce331cd55ed54349ae6c8c767206643531dec27a1bb259770bce00cea
Opcode Fuzzy Hash: 9bb6b108c7aa8be240a73d5b55fd524fb522f81ed1c971092760dc919ffc028d
Instruction Fuzzy Hash: 8E310535A14729CFCB25DF20D848698B772FF4A315F1085E9E50AA7650EB35AEC0CF01

Uniqueness

Uniqueness Score: -1.00%

Function 031C1F20, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ac656d2623706e2be037cb2ac20d8dcdae1e32af87c68107ebc101d4a207dc
Instruction ID: b8f229aa9d85cde14c971affd61a75a4f7b5ee0aa44db43e10d05907d0842f57
Opcode Fuzzy Hash: 70ac656d2623706e2be037cb2ac20d8dcdae1e32af87c68107ebc101d4a207dc
Instruction Fuzzy Hash: C311CE317101145FDB15AB798C50BAF77ABEFD9219B28413EE405CB3A1DFB68C068790

Uniqueness

Uniqueness Score: -1.00%

Function 031BDAA0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8215a2d2d041aa283d834a4853c43294cc08504701f3648f65a48b49dcadf74e
Instruction ID: 49531206b32b7d30c90d735ff914feb34a9db99b22cac44b03cb0e08ca191862
Opcode Fuzzy Hash: 8215a2d2d041aa283d834a4853c43294cc08504701f3648f65a48b49dcadf74e
Instruction Fuzzy Hash: F81148363082008BC718DF39E8817ABB7E59FC5219F18447AD5048FB96EBA5D805C391

Uniqueness

Uniqueness Score: -1.00%

Function 031C1F30, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a4468626244314aceb92262d14d79b7c9b43a3686c9c2ba06e26b5ac5e529e
Instruction ID: 8dd58eac18a03e599bb499a3de532b9a50a1bb549ec722d4f5294ce89f94266d
Opcode Fuzzy Hash: a6a4468626244314aceb92262d14d79b7c9b43a3686c9c2ba06e26b5ac5e529e
Instruction Fuzzy Hash: EB0192317101145FDB14AB798C50A6F72EBEFD9215B24403EE505CB3A0DF76DC064790

Uniqueness

Uniqueness Score: -1.00%

Function 031C0D8F, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d5f0e29af8ea090602975513aa172f62413e4ea99a2525eaaad5bdefbd3375
Instruction ID: ce6b11ed07351428cac6f07ddeeb1e60ed98fffb72774f09eb0017bf918d6324
Opcode Fuzzy Hash: 34d5f0e29af8ea090602975513aa172f62413e4ea99a2525eaaad5bdefbd3375
Instruction Fuzzy Hash: C4118C35A002549FCB14EB74C4806EEB3F2AF8D215F1849BDC106AB651EB71EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031BEB58, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6f671ad15385786502c649ed4cded2bec6d7967ca4825c3d071cf61539b1a7
Instruction ID: 5ca99eeaeb157bb2f5b029b701c51cf581e0a9cbb5d0525e519ea6a59df11797
Opcode Fuzzy Hash: 7c6f671ad15385786502c649ed4cded2bec6d7967ca4825c3d071cf61539b1a7
Instruction Fuzzy Hash: FE11C2387052449FCB11DF66D880ADEBFBAEF8A250B14806AE849DB351E730DC15C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 031CF26D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbf0985bf65c1a92e05ee4b533afab9336816bd0af8c16cd2478b00ea251d84
Instruction ID: e989fac4858a498301574a1bf401bf341b783420e343e721fbcc5a4070da99b1
Opcode Fuzzy Hash: 3fbf0985bf65c1a92e05ee4b533afab9336816bd0af8c16cd2478b00ea251d84
Instruction Fuzzy Hash: 28110A75D2075A8BDB14CF61C850B9AF7B2BF99300F158685D508BB244EB70AAC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031BE6DA, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795ef28ca8e643e22de86bf3c91483f26a98055c5fd5f200fec461557c165484
Instruction ID: 8c4ae7057d6c022916c3c046aa0be3172da4ed7f5b3dde53bd2ac2528e8ef6ce
Opcode Fuzzy Hash: 795ef28ca8e643e22de86bf3c91483f26a98055c5fd5f200fec461557c165484
Instruction Fuzzy Hash: C101D8697093501FCB16D776589499AAFFADFCA15071980AFD409CB752EB20CC0587B1

Uniqueness

Uniqueness Score: -1.00%

Function 031BA340, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3841b282aa98f4d5f506d7d4b91aec1912b05fbc9477ddefe3fbc33bebcc9f98
Instruction ID: b015532457d1792a5062935a96f917ca3364891abf486d8d744c80cb282e12a4
Opcode Fuzzy Hash: 3841b282aa98f4d5f506d7d4b91aec1912b05fbc9477ddefe3fbc33bebcc9f98
Instruction Fuzzy Hash: AD01F932E0464187C715CA7ADC102E9B3B2AFCD200F19C667D991E72A1FB7095D483A1

Uniqueness

Uniqueness Score: -1.00%

Function 031B433F, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fdc18d4d3280a081222a856d4ecc1be487ab7829c4b94bad6bf56aeed2dfc1
Instruction ID: f0736b8e3641edf07a06d63d047317d9f1be0a0f4890a0b038f0ff89f4bfabf0
Opcode Fuzzy Hash: 21fdc18d4d3280a081222a856d4ecc1be487ab7829c4b94bad6bf56aeed2dfc1
Instruction Fuzzy Hash: 4E118B74A042159FCB10DF48D8909AEFBB4FF89314F1441A9D84A9B362C731FD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031BA350, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7b730aef5309183617a08e499d85da554d7b30c4e60e3b9776cc3a7cca6d02
Instruction ID: 6f3f1bec16e110ee32fc72891d1990897eea1978742606c384b88b2ed1670ef4
Opcode Fuzzy Hash: 9b7b730aef5309183617a08e499d85da554d7b30c4e60e3b9776cc3a7cca6d02
Instruction Fuzzy Hash: 0301B132E0464183D7188A6ADC103EEB2B6EFCD210F16C627D951A2694FBB094D082A1

Uniqueness

Uniqueness Score: -1.00%

Function 034FD006, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.522968863.00000000034FD000.00000040.00000001.sdmp, Offset: 034FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe970d8d2738342720f8a2ca3a8e7f27a0b4de41e51ca914a0a111f0cc9d357
Instruction ID: 81b87e314658076c672a17547f3f5ad1e1e952eb73f2607681fb1ea3276b770b
Opcode Fuzzy Hash: 2fe970d8d2738342720f8a2ca3a8e7f27a0b4de41e51ca914a0a111f0cc9d357
Instruction Fuzzy Hash: 6C012D7140D3C05FD7128B258894B52BFB8EF43228F1D84DBD9848F2A7C2699848C772

Uniqueness

Uniqueness Score: -1.00%

Function 034FD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.522968863.00000000034FD000.00000040.00000001.sdmp, Offset: 034FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbacc38089e28ba1b0c28dd426807ebd4f2fb1270c599fba7c91d8bafc65348
Instruction ID: 1bb9700dc0f0f417e1e43965c5393671b7ee9d361d711cc68864eb6e5d53a57d
Opcode Fuzzy Hash: ebbacc38089e28ba1b0c28dd426807ebd4f2fb1270c599fba7c91d8bafc65348
Instruction Fuzzy Hash: 4601D871804240AFE7108B11CC84767BB98EF4326CF0C846BEE451F746C3799805C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 031BE6F0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb3c4bbd2b9acb093a4451f2c0748337865adf0db0805ca330a6efc104d5a13
Instruction ID: 9e255e516d9a834b90d27e29b2aa9aa466035d8ad5f63f20dc7d4ffe90c00992
Opcode Fuzzy Hash: ceb3c4bbd2b9acb093a4451f2c0748337865adf0db0805ca330a6efc104d5a13
Instruction Fuzzy Hash: 45F062393002145F9718E66AA854EABE6EFEFC8194728C02AE509C7750EB60DC0147E5

Uniqueness

Uniqueness Score: -1.00%

Function 031C21B8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1e6c1be59f4b88594f22d993e613167f4289061ea6a17540fd7cda240d89f7
Instruction ID: 6b5bdd1fedab4e4bd3916cb18358eead34861f0298c37cad286b711b5387664e
Opcode Fuzzy Hash: dd1e6c1be59f4b88594f22d993e613167f4289061ea6a17540fd7cda240d89f7
Instruction Fuzzy Hash: E1F09072A0010CABDF14CF95EC45DDEBBBDEB88350F00443AF516A3200DB71A9259B91

Uniqueness

Uniqueness Score: -1.00%

Function 031CB848, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bea9111cd80859321b1f56f84376c91386c6a989ed0999e86a156b74c4abdda
Instruction ID: 9e55865ac72f4216a09c69dc3d0978540f66416f30c7b678dc115b83ec665f75
Opcode Fuzzy Hash: 5bea9111cd80859321b1f56f84376c91386c6a989ed0999e86a156b74c4abdda
Instruction Fuzzy Hash: 08F03075E14604AFD714CE5AD804A5BB7E9EFD8720F05C0AAEA18DB350DA319801CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031CB940, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d2e0725ee6343397558787d3c8e84c760d8126cb94be88315946f6cd883726
Instruction ID: 9cfd9bf1c4709449621ced18dce26a45f9a81bf499f9b0dd18c4db391f12d4fb
Opcode Fuzzy Hash: f9d2e0725ee6343397558787d3c8e84c760d8126cb94be88315946f6cd883726
Instruction Fuzzy Hash: 3AF05E393005105FC300DA6EC884E17FBDAEFCC661B558069E609CB361CA31EC018AA0

Uniqueness

Uniqueness Score: -1.00%

Function 031BA817, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da2fd76aadc462a5bc3368d8981b1e60acbe03467553d76c3b6dba42e2d677
Instruction ID: a1437983c25054710bac8d0aadd62fe176ffcf01918b239057e2d38a1a0a80d0
Opcode Fuzzy Hash: 60da2fd76aadc462a5bc3368d8981b1e60acbe03467553d76c3b6dba42e2d677
Instruction Fuzzy Hash: A1F03731A00218EFDF95CF64D884BEEB7B6FF88315F1480AAE50893250DB358995CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031BA80E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da2fd76aadc462a5bc3368d8981b1e60acbe03467553d76c3b6dba42e2d677
Instruction ID: a1437983c25054710bac8d0aadd62fe176ffcf01918b239057e2d38a1a0a80d0
Opcode Fuzzy Hash: 60da2fd76aadc462a5bc3368d8981b1e60acbe03467553d76c3b6dba42e2d677
Instruction Fuzzy Hash: A1F03731A00218EFDF95CF64D884BEEB7B6FF88315F1480AAE50893250DB358995CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031BCA88, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c51bef4e9a3d0fb2e98a05887da436979176a6e1329e0d8658af40b9b9a4ddb
Instruction ID: 96e3c0ddd8708ffc4682867586190e1a9ec56f7f88f19c6f1b0472bc8ab3a358
Opcode Fuzzy Hash: 2c51bef4e9a3d0fb2e98a05887da436979176a6e1329e0d8658af40b9b9a4ddb
Instruction Fuzzy Hash: D6F0F870F102198F8B54DFBD89445DE7BFAAF8C240B2044AAD109DB314EB309D008BD1

Uniqueness

Uniqueness Score: -1.00%

Function 031C5485, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45184b9904a036c92b2c9fb584c19cbd15db468ad27f426a1a1aeb9bd80be7d
Instruction ID: eb6bda25dfd0bcdba0ea799bf3a5efdaaeab6874ad9cefaa9cbb80971984d98d
Opcode Fuzzy Hash: a45184b9904a036c92b2c9fb584c19cbd15db468ad27f426a1a1aeb9bd80be7d
Instruction Fuzzy Hash: 47F0BE32A20248EFDF12CE80DC40BD8BBB2FB09340F448099F20992550D7365AE0DF61

Uniqueness

Uniqueness Score: -1.00%

Function 031C2DBA, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def6df5726cb29f097a6c52122e1025a2a3897b765a3bf36c566534b5d556e9f
Instruction ID: c8d97d678097dd9ee4402184345c4643f473d47d139f0ad68f891d4727fb9b44
Opcode Fuzzy Hash: def6df5726cb29f097a6c52122e1025a2a3897b765a3bf36c566534b5d556e9f
Instruction Fuzzy Hash: 3DF0AF35A10108CFCB04CF98D9849DDB7F2FF88211B158495E904AB226D736ED45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 031BA420, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af34bc59ed422ced2ed8fe0afcb0b31f2e555f393bc13cd0c1f92286bb6bd5a
Instruction ID: 9f736bdc136e3b5d8381ee0e78f7648063c5bae23654fa2778670eb5b9e8c8fd
Opcode Fuzzy Hash: 0af34bc59ed422ced2ed8fe0afcb0b31f2e555f393bc13cd0c1f92286bb6bd5a
Instruction Fuzzy Hash: 50F0AE7200014EBFDF528EA0DD01FEA3F6AEB8C314F088155FA5454061C63AD530AB60

Uniqueness

Uniqueness Score: -1.00%

Function 031BA422, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad3e044a2280a9ad3b786ae54b61ffb61a72a49c9c8510adaaa13d9c3e8dbd7
Instruction ID: 13053603ce01758b453e500e8418fa4ed0c04a916686e937b5510c6b2163be0a
Opcode Fuzzy Hash: bad3e044a2280a9ad3b786ae54b61ffb61a72a49c9c8510adaaa13d9c3e8dbd7
Instruction Fuzzy Hash: BEE0527214014ABFDF528FA0DD01FEA3F7AEF8C315F098155FA5494061C63AC571AB60

Uniqueness

Uniqueness Score: -1.00%

Function 031B513F, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb34f796b30adc1ebd84e6d2e29ed46c7d5cd4f64b0a45818a1102c9695296ef
Instruction ID: b7c8ef80b2dbaae7dfc22fb29b94424611986f60f0599854eef407462adfc27e
Opcode Fuzzy Hash: fb34f796b30adc1ebd84e6d2e29ed46c7d5cd4f64b0a45818a1102c9695296ef
Instruction Fuzzy Hash: 2CD0A7215091814FCA22CF1868956E23B39DB53115B2C00D9DC45C6600E611D101D662

Uniqueness

Uniqueness Score: -1.00%

Function 031CEDE2, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.518237114.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903d06c0dd56d07e403670af992a547d74b1a18f186b4df0ee884bf2bca74e1
Instruction ID: f62e90078212c090f90bbf8359b36a1f8c26d6b729c8dd1a18e8f718a64bd0b9
Opcode Fuzzy Hash: d903d06c0dd56d07e403670af992a547d74b1a18f186b4df0ee884bf2bca74e1
Instruction Fuzzy Hash: 10C0123A6041008EDB04AAA0E8006ADB322EB81326F9100BAC3892B680CB3688128B20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 031B187F, Relevance: 6.4, Strings: 5, Instructions: 163COMMON

Download Yara Rule

Strings

`oj, xrefs: 031B18B0
`oj, xrefs: 031B190B
`oj, xrefs: 031B1969
`oj, xrefs: 031B19C7
`oj, xrefs: 031B1A29

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: c7ee69d7ed759f465438e9ba5f277c371b8717c348ceaabb4928a8dbe3347c00
Instruction ID: 34e1f77ccea5a519567869680ac260a576b467e2368c73561c4bb1e70de35913
Opcode Fuzzy Hash: c7ee69d7ed759f465438e9ba5f277c371b8717c348ceaabb4928a8dbe3347c00
Instruction Fuzzy Hash: 236119341017009FC714EF65C854B9AB3A2FF89248F584E6DC18A4FEA8EB75BC49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031B1890, Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

`oj, xrefs: 031B18B0
`oj, xrefs: 031B190B
`oj, xrefs: 031B1969
`oj, xrefs: 031B19C7
`oj, xrefs: 031B1A29

Memory Dump Source

Source File: 00000003.00000002.517873209.00000000031B0000.00000040.00000001.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: 9a4c1e709ac5330dea9aa57b8ba9f2eeef81b48cb57739f2c2699ac072faccfe
Instruction ID: 8e04e906c8ab1fce1a64127af1e97a3c72791a5bc92a4e4d8b9f06bbab0979d4
Opcode Fuzzy Hash: 9a4c1e709ac5330dea9aa57b8ba9f2eeef81b48cb57739f2c2699ac072faccfe
Instruction Fuzzy Hash: C05117341017009FC714EF65C850B9AB3A2FF88248F544E2DC18A4FEA8EB75BC4ACB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 5876 Parent PID: 4504 powershell.exeCOMMON

Executed Functions

Function 010F8919, Relevance: 4.4, Strings: 1, Instructions: 3161COMMON

Download Yara Rule

Strings

, xrefs: 010F9AB3

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6ff2eb1a09b8b1147536858d3dff1e384b3385013a61d16f3877d6d32cfc31d1
Instruction ID: 961b76fc40f96515e2a9b0406496d1b961a157f6fc9e81fb1277ef7ec5e34cf7
Opcode Fuzzy Hash: 6ff2eb1a09b8b1147536858d3dff1e384b3385013a61d16f3877d6d32cfc31d1
Instruction Fuzzy Hash: B763F734A00219CFDB65DF24C855BADBBB2BF89305F1080E9E949A7650EF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010FE7DB, Relevance: 1.1, Instructions: 1069COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6420fcbc316a5c30b4d4d3396dd39b57dec85e4658a2b61329de488b1a180f32
Instruction ID: 37043d7c3c3ae5237d6fc91f0ee33c4823c63c257a04c25b30da04f1b2c525d1
Opcode Fuzzy Hash: 6420fcbc316a5c30b4d4d3396dd39b57dec85e4658a2b61329de488b1a180f32
Instruction Fuzzy Hash: B8B23974A01329CFDB64DF28D855B99BBB2BF85305F1440E8D50AA7B90EB399E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 010F44CF, Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742fa11f9de4ec5e086783cb3dc8f51938ce53511af662d1846ea20a15521708
Instruction ID: 9ac3c5b7c1d69fe6f07b26b0966004eb941bf0a9db4a35735a7fc418bfc34386
Opcode Fuzzy Hash: 742fa11f9de4ec5e086783cb3dc8f51938ce53511af662d1846ea20a15521708
Instruction Fuzzy Hash: 8F527934A01218CFDB25EF24C854BAEB7B2FF85204F1045E9E94AABB91DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031899C0, Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716c5cab994a1ac523b2231848f0400b20c3936deff875110dafc565c0339db6
Instruction ID: 6271bb3e4bc9287b54883823a9647f170465e07af42f2fe51a4962a4a387f34b
Opcode Fuzzy Hash: 716c5cab994a1ac523b2231848f0400b20c3936deff875110dafc565c0339db6
Instruction Fuzzy Hash: 01327F34A00205CFDF19EF79C890ABEBBB6AF89304F148569E905AB391EB35D941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0318C340, Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486a0aa241fa70d2597fbff3f8bcdd5a6029fa8e2963d7db50266d90f17b3dd2
Instruction ID: c609272ebaac14557d445514bf5ab0f5440774291b626ca941a13eb7631e33ac
Opcode Fuzzy Hash: 486a0aa241fa70d2597fbff3f8bcdd5a6029fa8e2963d7db50266d90f17b3dd2
Instruction Fuzzy Hash: 3F329334B002049FCB14EF65D884AAEB7F2EF89344F158869E4019FB65DB74ED46CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0318F7D0, Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e435ea43cf07756c3dec28efc613f10d67cfe71fb46eea38f8a2057e8b8a65
Instruction ID: b9b8626f927a21176723a9cee1c7a0104961b18228a060e6b40492a5df9663da
Opcode Fuzzy Hash: 44e435ea43cf07756c3dec28efc613f10d67cfe71fb46eea38f8a2057e8b8a65
Instruction Fuzzy Hash: FD125C34A04345CFCB04DF65D880AAEBBB2BF89304F1985A9D9499F356DB34E946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0318DBF0, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973481470bf7b8d3035ed2705ed30f8f211dd6f5ad6c8d3ff7d5528492aef37e
Instruction ID: 8ff573a2ab9b57bb240d13e97c24301a05c0abe265ff6dba3a174395b9aee906
Opcode Fuzzy Hash: 973481470bf7b8d3035ed2705ed30f8f211dd6f5ad6c8d3ff7d5528492aef37e
Instruction Fuzzy Hash: D4A12534B043009FDB28EB719850B7BBAA79FC9244F09886DD4068F795EF74DD068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0318BDB8, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31490509bbbbde1411558ac9138347bddd4bd950586dd190d3ed9d72c39ccc0b
Instruction ID: 768b58b29e60d02231913262cf3602fc080d9d596f7ca88a39bc80d96cd77583
Opcode Fuzzy Hash: 31490509bbbbde1411558ac9138347bddd4bd950586dd190d3ed9d72c39ccc0b
Instruction Fuzzy Hash: 4DC18B74A006198FCB14EF65C880B9EF7F2BF89344F1485A9D509AB354EB70AD86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010F27B0, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

", xrefs: 010F286F

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 9755104eb343c8a8b9dc73791683c526fe21ee78436b08298304c5d187afd4fa
Instruction ID: 23ee83af6cb12eafbe291957502867da14f562ae3b1f6ad2a14c8fc16a4806bf
Opcode Fuzzy Hash: 9755104eb343c8a8b9dc73791683c526fe21ee78436b08298304c5d187afd4fa
Instruction Fuzzy Hash: C2E11A74A00208CFDB14DFA4C985BAEB7F6BF48304F2580A9E605AB791DB75AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01067AB0, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0106CDE2), ref: 0106D06F

Memory Dump Source

Source File: 00000005.00000002.508979987.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 5e030bfc17abfc5746c9cd87a809313e0e29af6d6994ffa5bd2ea615cdbeb816
Instruction ID: 66db7b5d33426e0bacd1de4d94c1e4c8148c3d94f1130dde44bcda90a3a9f790
Opcode Fuzzy Hash: 5e030bfc17abfc5746c9cd87a809313e0e29af6d6994ffa5bd2ea615cdbeb816
Instruction Fuzzy Hash: 461146B5900248CFDB10CF9AD488BDEBBF8EB48324F10845AD459A7760C3746945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01067ABC, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0106CDE2), ref: 0106D06F

Memory Dump Source

Source File: 00000005.00000002.508979987.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3bcac813011f650d3eff637e2b7ae44f978a604d0685727a17f2c1e42e5b89dd
Instruction ID: 96b52e9611942d0c6d42c21b565632fc1920727e8f992a0e9894601f3e7e2cbc
Opcode Fuzzy Hash: 3bcac813011f650d3eff637e2b7ae44f978a604d0685727a17f2c1e42e5b89dd
Instruction Fuzzy Hash: 8D1145B5900208CFDB20CF9AD488BDEBFF8EB48314F10845AE459A7750C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0106D00A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0106CDE2), ref: 0106D06F

Memory Dump Source

Source File: 00000005.00000002.508979987.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: eab0a389a9fdada916b770889ea51fc9aa745de1bd4b5eabf5455a5753f6d4a5
Instruction ID: 30c00f200b253c3df215ea9478c9d3def0353781b761928d0fd1cd6e2fe9edf1
Opcode Fuzzy Hash: eab0a389a9fdada916b770889ea51fc9aa745de1bd4b5eabf5455a5753f6d4a5
Instruction Fuzzy Hash: A81103B59002498FDB20CF9AD488BEEBBF4FB88324F10856AD459A7750C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F0860, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

`oj, xrefs: 010F09BB

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID: `oj
API String ID: 0-507969173
Opcode ID: aeb6fec550e9e2444b2599fcc814d1b02b8f1f0bc8639506198c5d1be6ac7da1
Instruction ID: 82c2f5aacbb57e2b26d877f1fb21385f989dd898be6a1e3d2ad84792d9f4bc46
Opcode Fuzzy Hash: aeb6fec550e9e2444b2599fcc814d1b02b8f1f0bc8639506198c5d1be6ac7da1
Instruction Fuzzy Hash: B7B14334A00208CFDB14DF98C685A9DB7F2BF48314F218598E945ABB66D774FD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 031801A0, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

`oj, xrefs: 03180211

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID: `oj
API String ID: 0-507969173
Opcode ID: c62f0fc3bfa2aafabef402fc6e8458e0125e947e1f7d3f0f4d991263de0df9e8
Instruction ID: 68156fcae65561a57da67935d72feb0845fc6aa52776f947d77e2d558b01462b
Opcode Fuzzy Hash: c62f0fc3bfa2aafabef402fc6e8458e0125e947e1f7d3f0f4d991263de0df9e8
Instruction Fuzzy Hash: F531F434A017089FCB06EF75C80059DBBB2FFCA251F0585AED5498F661EB359809CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010FD9EA, Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea7bacdc749a03efad2bc669240fd0206536e0bd345c9e1d9afe8b4e6121e24
Instruction ID: b780efd650fb631a9ce67f4ab75efc043638221d9359c0a4b2e60ece1c94b3e0
Opcode Fuzzy Hash: 1ea7bacdc749a03efad2bc669240fd0206536e0bd345c9e1d9afe8b4e6121e24
Instruction Fuzzy Hash: CE7241B4E016298FCB60CF28CD84B9ABBB1BB49205F1041EAE94DA7751EB345EC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0318A868, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81afdadd8c24a370ec1553e9e1d4953cfda6b708878a0874ba7a0e5ab52ae670
Instruction ID: f69fe4b4783866b1b6cbc598daa261fb3896d152891edffa9a6178c80199c710
Opcode Fuzzy Hash: 81afdadd8c24a370ec1553e9e1d4953cfda6b708878a0874ba7a0e5ab52ae670
Instruction Fuzzy Hash: 18124C74A01218DFDB64EF65C994BADBBB1FF48305F0445AAE809AB3A0DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03187D18, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83da0928831d14a84ea80cf0bf6ca1b2cea989e24b8d1898153cb51306e40b0e
Instruction ID: dca681f751a52e2ed400639233abd311e7b62839349bb6c8d9747471c9a087fc
Opcode Fuzzy Hash: 83da0928831d14a84ea80cf0bf6ca1b2cea989e24b8d1898153cb51306e40b0e
Instruction Fuzzy Hash: B4D1A174B00205DFDB24EF69C880BAEB7B6EF88304F25856AE415AB394DB349C45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010FCE87, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cb21ce399edf8c3c81229561e8294b2df05a3a0c514893f1e4ef8e803d6f46
Instruction ID: 427a62bc1f4f016327dc06827386b216e6790f56ef68eb2ed70e149ed7d9c3d2
Opcode Fuzzy Hash: d8cb21ce399edf8c3c81229561e8294b2df05a3a0c514893f1e4ef8e803d6f46
Instruction Fuzzy Hash: AC02B3B4A012298FDB65DF24C895B9DBBB5BF48304F1081EAE509A7650EB34AFC1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 010F6138, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9af792c425e2563a9f3d13744e1a5d146f94db921532d262c447fc534054dff
Instruction ID: 3993f8bac1985daae9ea8a085f53d044f17ba57bcfcc5c543126ba8012c06ad0
Opcode Fuzzy Hash: e9af792c425e2563a9f3d13744e1a5d146f94db921532d262c447fc534054dff
Instruction Fuzzy Hash: E2C1F534A002058FC715DF68C894AAEBBF2FF85310F1585AED6459B7A1CB36EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F1D48, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f11ea5de26652e6c790842e9606bae9ff74f3322db9f412279da66c1427b64
Instruction ID: a91f8c1f18f264b0cd948ec078d0963c2404572b5f26368a045aa30b8a1ab206
Opcode Fuzzy Hash: d2f11ea5de26652e6c790842e9606bae9ff74f3322db9f412279da66c1427b64
Instruction Fuzzy Hash: 7FE12B746002058FC744DF69C485D9DBBF2BF88324F195698E945AB7A6DB30EC86CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010F14D8, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a48be59ed1593cf2c806e285b70cd10d7bd94e75a722a38aeec5ea8b2d2508e
Instruction ID: b0951c457e6bd7c6f61b5fbe9cb7af18ffb613b948009fcae8d3cdbda2b5d952
Opcode Fuzzy Hash: 6a48be59ed1593cf2c806e285b70cd10d7bd94e75a722a38aeec5ea8b2d2508e
Instruction Fuzzy Hash: 57B18C34B00605DFDB05DF68D855AAEBBF2FF88601F04846DEA469B795DF349902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F3580, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e8b692e0295510c5a8f4e79c4aefc8bc1360f1e74e1935736cfa9e49ef6158
Instruction ID: 01395c7a4c77339f3695cdaf8887fc6e3088f697a1b3081d51cbc4ee0ae61e6f
Opcode Fuzzy Hash: b3e8b692e0295510c5a8f4e79c4aefc8bc1360f1e74e1935736cfa9e49ef6158
Instruction Fuzzy Hash: 35B16E75A00208DFDB14DFA4D880B9DBBB2FF88314F508569E505AB391DB71A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0318B3FF, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5613d88cb5ea5e07b04c12d4a70185693a0355d24ce5c21c362ce611ce8bc30f
Instruction ID: 8d52cfef58f40e20268e9f517d9a24d3f8e13a5756cbabda5df0b7fad317972a
Opcode Fuzzy Hash: 5613d88cb5ea5e07b04c12d4a70185693a0355d24ce5c21c362ce611ce8bc30f
Instruction Fuzzy Hash: 82B10A34A04254CFDB64EF24C898BADB7B6AF48345F15C4E9D40AA73A1DB349D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0318C339, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fe516bef99286154c40402537bc20f86a927582eca34b2cc9348fe5d1be883
Instruction ID: 5c5756be0fa5ce8b60787f42758cdebc866497b68dc2cd4b61b1d5f3bb190c71
Opcode Fuzzy Hash: 96fe516bef99286154c40402537bc20f86a927582eca34b2cc9348fe5d1be883
Instruction Fuzzy Hash: 579170706002058FCB14EF65D884AADB7F6FF88704F148969E402DB765EB74ED4ACBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03184758, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73a967a586b21dcd57ccc58238df26c0c81af20493901f76223b785d120359f
Instruction ID: 9030c0096e9bc211c36631ac34e4a6c8640d8abf7a7945f0c0ba9e5ce3300eda
Opcode Fuzzy Hash: b73a967a586b21dcd57ccc58238df26c0c81af20493901f76223b785d120359f
Instruction Fuzzy Hash: 9171C038B002055FC715EB69C890ABEB7E3ABC9244B15487CD40ADF795DF34AC068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 010F1D39, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e012b8f996f4d2cb9b89985094486d54b4d93986761d327551bcfd4b894343
Instruction ID: 88d9ec5a18028c638ccdcd12a096ee03aedb47141e4c64662c6c2f39ee5ee4eb
Opcode Fuzzy Hash: 71e012b8f996f4d2cb9b89985094486d54b4d93986761d327551bcfd4b894343
Instruction Fuzzy Hash: 21A1F874A002058FC744DF59C585D9DBBF2BF48320F199698E945AB7A6DB30EC86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0318B95B, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e5ab04c84c0e4269ab6a7189fce1fc14b0b56f8ebab29db0aca34691e775af
Instruction ID: 9d934626b056c968169bfe679c8d58e1aa46b0eb41073871e5eae6d1d72c4f59
Opcode Fuzzy Hash: 12e5ab04c84c0e4269ab6a7189fce1fc14b0b56f8ebab29db0aca34691e775af
Instruction Fuzzy Hash: CE817934B002048FCB04EF69D490AADBBB2FF89654F1581A9E9059F7A5DB31EC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03185157, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eaa678ad57fb856db2bad21672cb9c503a203ce44d67c395eaeb6a37a97bca
Instruction ID: 95cd44341ced3cf572c783269885bc4cb15db5447a4d518e0bd150cd3d65c17a
Opcode Fuzzy Hash: a9eaa678ad57fb856db2bad21672cb9c503a203ce44d67c395eaeb6a37a97bca
Instruction Fuzzy Hash: D27169347006018FCB08EF75C894A6EB7B3EF8A305B258569D5069F7A5EB74ED42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010F3A70, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863a689a89f8bef3b112de39532c64fed72633f8ff4076584f9a02282258bf27
Instruction ID: 7f1c620a65af30039faca9ed21b7090fa3304091c81c4c28db5369eb136e1345
Opcode Fuzzy Hash: 863a689a89f8bef3b112de39532c64fed72633f8ff4076584f9a02282258bf27
Instruction Fuzzy Hash: 1A61FE347002058FDB15AB69C861A7EB7E6EFC4250F14886CDA469FB91EF34DC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 031806D8, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20262871aa4092186de9251052b6c5f59fd60ee9496805be447601f64f2bdde3
Instruction ID: a1c7f69636c289ff4427b8ad51983392b82b529b14b5f33d9cff965ad777c5c6
Opcode Fuzzy Hash: 20262871aa4092186de9251052b6c5f59fd60ee9496805be447601f64f2bdde3
Instruction Fuzzy Hash: 9C713834B012089FDB15EF68D494AAEB7F2EF8D304F1440A9E506AB3A1DB35AD45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010F40E0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ee8395692207fa2887cc15b421757d2dcbed9c8facc499a52e53357f66cbb1
Instruction ID: 5481c9843272dc3b8d44a19593fcc6ad46172346b97b6611c24e0141f39c4f8d
Opcode Fuzzy Hash: c0ee8395692207fa2887cc15b421757d2dcbed9c8facc499a52e53357f66cbb1
Instruction Fuzzy Hash: 80819F34A012099FCB50DF69D880A9EBBF2FF88704F158969E945ABB61D771EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0318E072, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2a991ec501ba761ef45b3fccf1f9b8c88e829e7264a76f1b52d877c124bc52
Instruction ID: 5bb0b5184e618b37ef83e201a66fe491d83facada3ebdf9a3fb7a73b588b215a
Opcode Fuzzy Hash: fe2a991ec501ba761ef45b3fccf1f9b8c88e829e7264a76f1b52d877c124bc52
Instruction Fuzzy Hash: F061AD75B012049FCB14EF78E450A9EBBF6FF89211F10846DE505EB394DB369845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0318BDB5, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab8316a964b8c5ab0749b0124aaa58301b4588ca36b048fa3d315f247dc62a6
Instruction ID: 2ebe5b4ecc2fbcb6b8ab0547cd9ce143c0aecbe0cc5874496dc08e6cb011430d
Opcode Fuzzy Hash: 0ab8316a964b8c5ab0749b0124aaa58301b4588ca36b048fa3d315f247dc62a6
Instruction Fuzzy Hash: 7051BE74A006198FDB14EF65C880AAEF7F2AF89344F1485A9D509AB354EB30AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0318E080, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bd70363202255497a477b7974f1649ff91d24c26b29a79087f813eb8249372
Instruction ID: 72a718adc635b422ad31643c27a2d9213c853fd03861f62a20cf2b8a6f18393e
Opcode Fuzzy Hash: c4bd70363202255497a477b7974f1649ff91d24c26b29a79087f813eb8249372
Instruction Fuzzy Hash: BF416C74A01204AFCB19EF78D450A9DBBF6EF8A201F60846DE505AB394DB369C418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 010F1939, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817707fcb25978e7717fd2a8ee6adf6086cfb37169d9824c46721d3a2ac9e7be
Instruction ID: 496c75b0a3312fe12c3eebab7e2012140c529c10b417588c8c71ace146eeb413
Opcode Fuzzy Hash: 817707fcb25978e7717fd2a8ee6adf6086cfb37169d9824c46721d3a2ac9e7be
Instruction Fuzzy Hash: 51418E30B006048FCB01DB6AC8559AEBBF2AF89214F04886DE485EBB55EF349D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0318E780, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5500cd7dfadeeddccd89ed5d2dd85773ecccbe314b8531b7eae832d933fcf1f
Instruction ID: f333db5dd081b2bc58bdb42e8f7fb5f02bbae02021646938c695dbf802c869ac
Opcode Fuzzy Hash: f5500cd7dfadeeddccd89ed5d2dd85773ecccbe314b8531b7eae832d933fcf1f
Instruction Fuzzy Hash: D941BC2150E3D15FC317DB3998A4496BFB5AF4325071A84DBC089CF5A3D724AC0AC7BA

Uniqueness

Uniqueness Score: -1.00%

Function 010F4B2C, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e56e7b0403733c0e6448a5967405dc9607746d038073b09dbe25fc8755672a4
Instruction ID: 0e41072dad86dde63d6b07c1b92517198987444fbbec43f3a4f2cd574a7f7e5e
Opcode Fuzzy Hash: 5e56e7b0403733c0e6448a5967405dc9607746d038073b09dbe25fc8755672a4
Instruction Fuzzy Hash: 02512B34A01219CFDB24DF24C954BADB7B2FF85205F0049E8E4495BBA1DB35AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010F1AF0, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f276ed4d0c51ffa52cf2528099492f1009720942db15f70bfb1342b6874783
Instruction ID: 3c0b40b1fe97679899fabae2bb03f08099db3d2bc5dbb23682a91c0d3de96fc6
Opcode Fuzzy Hash: 68f276ed4d0c51ffa52cf2528099492f1009720942db15f70bfb1342b6874783
Instruction Fuzzy Hash: D041D974A002099FCB40DF68C851BAEBBF2FF48214F148569E654DB795EB389D06CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 010F1950, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151a422b951639fbfbdfe721cbb7d9d18d4b3675c7aa003be1fa15689d93e724
Instruction ID: c4a9746575f0633aa17a0fc71476c7b4e55ee088020a505beb9aea29850843b8
Opcode Fuzzy Hash: 151a422b951639fbfbdfe721cbb7d9d18d4b3675c7aa003be1fa15689d93e724
Instruction Fuzzy Hash: 5C417F30B006048BCB05DF6AC855AEEBBF2EF88654F04886DE545ABB55DF349D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F7868, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778fb5c65930c6cf9b3ec541f194b78f0e3c2f68cbc186db771a43e9a7c12d5a
Instruction ID: 1d6499d2c52c99041f2923cfe936469d103d5e97340ba6188520bc7430ec68a7
Opcode Fuzzy Hash: 778fb5c65930c6cf9b3ec541f194b78f0e3c2f68cbc186db771a43e9a7c12d5a
Instruction Fuzzy Hash: A041A3313097018FD3298B3DD49592BBBF6BFC521575884ADD6C68BB51CB36E802CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010F3A60, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b18e1fe8f601f002aef0e00130be0b3a0968114f32063a9682b78354208a8d
Instruction ID: ecbec06be7ab5949bd9107863cce86ba254e8a248ed203dbb13995ba953231fc
Opcode Fuzzy Hash: 87b18e1fe8f601f002aef0e00130be0b3a0968114f32063a9682b78354208a8d
Instruction Fuzzy Hash: 0B41E334B002058FDB15AB798866A7E7AE6EF84251F14446DDA42DF392EF34CC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010F87F8, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b9e3bb43610b7a6515a2778735104c295eb959c711692b8c2a14dd451ec4f8
Instruction ID: 9a0ee986b2451e1a4fdd3036cb17fa9bf395839f5376e4627239345dd022b2dd
Opcode Fuzzy Hash: 31b9e3bb43610b7a6515a2778735104c295eb959c711692b8c2a14dd451ec4f8
Instruction Fuzzy Hash: 3731CD35B102158FDB04EB39D855A6EB7E6AF88644F14846ED602DB3A1FF34DE02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010F4D72, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3d648cf6cc7f17bdf12173fb837348b542a99c92c4c2b474a74958fa0887df
Instruction ID: 9f87611545703cdf530398bcf66bdb15837acef02a8df897cc935c96cbba5cc0
Opcode Fuzzy Hash: 0d3d648cf6cc7f17bdf12173fb837348b542a99c92c4c2b474a74958fa0887df
Instruction Fuzzy Hash: A6416930A01219CFEB64DF24C955B9DB7B2BF84308F1045E8DA09ABB90DB759D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03180040, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ea3cadd37c968808f1abd1fa733801dcd648fd565f41a47481faadf4fe9bc6
Instruction ID: 7040361affadb8fd7d989dbfb21b7166d840b80643c7a126dd55de9377b47ab1
Opcode Fuzzy Hash: b5ea3cadd37c968808f1abd1fa733801dcd648fd565f41a47481faadf4fe9bc6
Instruction Fuzzy Hash: B3315E717053049FCB09EB75941856E7BE6EFC621571400BED446CB3C2EF398C068B59

Uniqueness

Uniqueness Score: -1.00%

Function 010F6760, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b937f7607c806d62b6ebe848e69635e483732f49e626cd88eedcf444d18dd6
Instruction ID: 8e99e459d4897ef9a34d2a4929362860dde5931e51a729a3ae67e013dc67b3f3
Opcode Fuzzy Hash: 36b937f7607c806d62b6ebe848e69635e483732f49e626cd88eedcf444d18dd6
Instruction Fuzzy Hash: 57311A786002058FD754CF59C595E6AB7F2FF88314F2485ACEA865B761EB32EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0318BEC1, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fc7f091cba6d1fc76ae6d7add25ebb5235c68e7068c8f373851a4b178d7fda
Instruction ID: 6e1c59e22c3039d05d06a07bf1d9a063893e817efd1f0607abd9b329655bceea
Opcode Fuzzy Hash: f4fc7f091cba6d1fc76ae6d7add25ebb5235c68e7068c8f373851a4b178d7fda
Instruction Fuzzy Hash: 7F41A271A006098FDB10EFA1C880BDEF7B6BF89344F148569D405AF654EB70AD89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010FF840, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060435abb6468c27f26cdb539efba818baea7f4d86d2b1f6add0a973adb32dc9
Instruction ID: 957d44b56d4de7cb5759d4a54457cc54f24293fcdf91875b9f141b30c136de85
Opcode Fuzzy Hash: 060435abb6468c27f26cdb539efba818baea7f4d86d2b1f6add0a973adb32dc9
Instruction Fuzzy Hash: 31415A35A00329CFDB659F34D85A7AD77B6BB85305F1040ECC64AA6694DB3A8EC2CF41

Uniqueness

Uniqueness Score: -1.00%

Function 010F5088, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef19ce77508021bc45a97a17588370338b416ae5d52a75e41c8f9c7c16f1f3d1
Instruction ID: 92f5bb2d8d4b333053919387d5bc04d8270f7b2470eb89f14c33e171981058eb
Opcode Fuzzy Hash: ef19ce77508021bc45a97a17588370338b416ae5d52a75e41c8f9c7c16f1f3d1
Instruction Fuzzy Hash: A5314C34718601CFC765DA2ACC81A2A77E5BF85251B08849DEADACBF61E730FC408B80

Uniqueness

Uniqueness Score: -1.00%

Function 010F393F, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa0fb3579557a33fe75a523a7321363331204420474684183756ad341651b30
Instruction ID: ae913c38fd99b1db77a1eb4ececb85d2b8f9ebc010bafde7af0834627fdb0a45
Opcode Fuzzy Hash: cfa0fb3579557a33fe75a523a7321363331204420474684183756ad341651b30
Instruction Fuzzy Hash: 1621253AB002089FCB11DF64E8047DEBBA2FF84361F04846EE9429F751DB758955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0318E8A8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c77e19811a4883fcb7a0b6df7107bb99e1a0cb6b08cd319e5e548f76c2c9362
Instruction ID: 11ff4c1d57dfb36ac1840a4d7a38ab36eee04bef85dfeb0236e96db1791230c7
Opcode Fuzzy Hash: 2c77e19811a4883fcb7a0b6df7107bb99e1a0cb6b08cd319e5e548f76c2c9362
Instruction Fuzzy Hash: C4210535B042489FCB09EB69D8445DEBBEAEFC5250714816EE844CB751DB70DC0187E4

Uniqueness

Uniqueness Score: -1.00%

Function 03180007, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419649be8aa2b0bd99d9caee4d9518c07a5f897b2d67ad2bfb30d488669d3fe0
Instruction ID: 45eb324caef771fc27623260e4301ba8388c65747cec60c663f4f22f11230c82
Opcode Fuzzy Hash: 419649be8aa2b0bd99d9caee4d9518c07a5f897b2d67ad2bfb30d488669d3fe0
Instruction Fuzzy Hash: 3821A47120E3844FD7079B35982462A7FB59F8B21970900EED485CF2A3DB299C06C76A

Uniqueness

Uniqueness Score: -1.00%

Function 010F2CC0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c2c03db5e74b96420ce709a46fd1493c6dae15d19a702d4645640313f17055
Instruction ID: ae86ec228ef6c5324071fca3981f75921bb29f7c34e576cfd78480bcf23d05a5
Opcode Fuzzy Hash: e7c2c03db5e74b96420ce709a46fd1493c6dae15d19a702d4645640313f17055
Instruction Fuzzy Hash: 84219D34300715EFC719EF24D880A6ABBA6FF89715F10816DEA058BB95DB31EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F2CB0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63520f1b79ea83bc90aefd455fd1877d9b01cad7c285e2c2c37ff2d3270af840
Instruction ID: bc7d6f79fdf7fc2a7b4d20a986afbd0bd0dfda256bbfa3ed69b07d07f8a7d36e
Opcode Fuzzy Hash: 63520f1b79ea83bc90aefd455fd1877d9b01cad7c285e2c2c37ff2d3270af840
Instruction Fuzzy Hash: 1321AC34300214AFC715EF65D881A6ABBA6FF89755F10816DEA058BB95EB35EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F87DA, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1828cdc878f0eb6483cd9ce55606bfd43e0e580929d59a1697ee464a31a2d0d2
Instruction ID: 7e6ddb1f1aec6c54757a4c1d2c06fc98f88da27f9bddb9100625d646c7625936
Opcode Fuzzy Hash: 1828cdc878f0eb6483cd9ce55606bfd43e0e580929d59a1697ee464a31a2d0d2
Instruction Fuzzy Hash: 541156326043008FCB02CB3999222AE7FF1AF82105F0940AFC641DB2A3EB35CD06C762

Uniqueness

Uniqueness Score: -1.00%

Function 010FF9C2, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf44793208c1d0076bf4ab488d69daa1e2edfb9f01ba03567ee2e2c4e2cf304d
Instruction ID: 554dd974d0743ec9489cc52f3073e1f5a844a1a6f77ee49f010f12272e257323
Opcode Fuzzy Hash: bf44793208c1d0076bf4ab488d69daa1e2edfb9f01ba03567ee2e2c4e2cf304d
Instruction Fuzzy Hash: 1C310735A00629CFCB25DF24D85569CB7B2FF8A305F1045E9E60AA7610DB39AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 010F2E28, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb8a392b1872c2350cde20a07cd806af02c1d3fe9bbc6141335236169060213
Instruction ID: 096417bf9f089a2f348555f8d7f722ed53a70c57509386a30993ea777f23aa30
Opcode Fuzzy Hash: 0fb8a392b1872c2350cde20a07cd806af02c1d3fe9bbc6141335236169060213
Instruction Fuzzy Hash: 301191377002199FDB029F59E841B9A7BA2FFC8321F158076F9058BA55DB71C862CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010F672B, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8531565c3e7f6b101f3df8f6a1737476bd8541ef8b3b6945aafd7aa25f5854a6
Instruction ID: c16aec9ec9f5c074cb67675b15614bedea8151df52882a8ecdba236f37dae53e
Opcode Fuzzy Hash: 8531565c3e7f6b101f3df8f6a1737476bd8541ef8b3b6945aafd7aa25f5854a6
Instruction Fuzzy Hash: 911126B190434A9FCB11CF59C882AAFBBB1FFC5314F14817DEA8557A12E7729806C790

Uniqueness

Uniqueness Score: -1.00%

Function 010F0B0A, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f130b42a821c8c33ad11552977b4f6cfa1e891ca9b88693a99d755c4a6f1eae5
Instruction ID: a665971b4c96310ff39ffab186317644bc9e3f7463e0dad17122dd5a1f8500f4
Opcode Fuzzy Hash: f130b42a821c8c33ad11552977b4f6cfa1e891ca9b88693a99d755c4a6f1eae5
Instruction Fuzzy Hash: 00211434600608CFC715DF58C685A59B7F2EF48325F258898E955ABB66CB34FD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010F2D90, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2504d3f1b111127dfbf653e7351ab7b61e155824e24970c0ad1e7259ba8be0
Instruction ID: ebef97b6549d113346402e5b74edb68318f566f11a34571c1518b0256eec6bb8
Opcode Fuzzy Hash: 9f2504d3f1b111127dfbf653e7351ab7b61e155824e24970c0ad1e7259ba8be0
Instruction Fuzzy Hash: 1411DA32E0050DAFCF51DFA9D8048EEBBB9FF88314B04866AE518E2110E7319665DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0318E898, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df58ef662a91081e1a32e50dc3cd0061c4d86396011c9653ee3a40a4f2bebf8
Instruction ID: 4ca4fe9a2c548fd2323df8ca11fd36e4c714fe324348e72610009d8e6dc27e5f
Opcode Fuzzy Hash: 3df58ef662a91081e1a32e50dc3cd0061c4d86396011c9653ee3a40a4f2bebf8
Instruction Fuzzy Hash: 3B11E535B00208ABCB05DF56D8409DFFFFAEF95250B14822AE84887751D7B0DD018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 010F5080, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ce76d64d5c4349fe504bfbcdaf83bf54f0550a8b7e40c57de2be27a159a947
Instruction ID: bec9b419fd0d6e7a9beaf9643753bb8d52180d999fda35c8c181f80c9b278ea7
Opcode Fuzzy Hash: b6ce76d64d5c4349fe504bfbcdaf83bf54f0550a8b7e40c57de2be27a159a947
Instruction Fuzzy Hash: C7117334618611CFC365CA1ACD81E6977E4BF85261B08849DE6EA8BF61E731FC40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0318A740, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d6e3cd7fb6067c00501aec476728cab3c5097052fc3ce097e18cb04a63eccb
Instruction ID: 0705b94408e8962dc07e662f32622a5998c020768291e4b4318060a8fb242651
Opcode Fuzzy Hash: f8d6e3cd7fb6067c00501aec476728cab3c5097052fc3ce097e18cb04a63eccb
Instruction Fuzzy Hash: AD112232E04A8187C7059B7ADC003D6B7B2AFCE610F19C667D161A7284EB7299D98791

Uniqueness

Uniqueness Score: -1.00%

Function 03184747, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b56f91a22d3f7ab6146bcfaa1625e6695a82178b0387cc8cb5d1abe8eace49e
Instruction ID: 4dc5e001f9476f8e69319dc7b3225c0ee64f1006435e806cf10282e576165015
Opcode Fuzzy Hash: 3b56f91a22d3f7ab6146bcfaa1625e6695a82178b0387cc8cb5d1abe8eace49e
Instruction Fuzzy Hash: 72115B78A012059FC700DF5CD890DAABBB4FF8D314B1446A9D8099B351CB31FD06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010F4D90, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2b3a8be43b34a50960c01cfa135d9218f94210077361988a32b63e59e43b8b
Instruction ID: e8a6fc5105c34e18db21b5d5a9a70bc0dd1de158e50d0fbdaef5405e19888001
Opcode Fuzzy Hash: cc2b3a8be43b34a50960c01cfa135d9218f94210077361988a32b63e59e43b8b
Instruction Fuzzy Hash: 5F214730A012598FDB55DF24D954B9DB7B2BF84308F2049E8D505ABBA0C734DD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010F4454, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc24f9c8b1f0d9d8646370a86847c06a3923870d100415b07877e026d0dc56e
Instruction ID: a590084c65652b08ae3d6eeed147e24d94d570eb533dea9c0641fea289c9cac7
Opcode Fuzzy Hash: bdc24f9c8b1f0d9d8646370a86847c06a3923870d100415b07877e026d0dc56e
Instruction Fuzzy Hash: 6311DAB6D00215AFDB45CF98D8409AEBFF5FB49314B24419AE908A7202D336D913DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0318A750, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb246d12f67f0ff159f08ba2feb86edcb1f0dc94a106d7f8e866a770e0d246f6
Instruction ID: fc6c98d5ae603bf443be9c2f35291ef852a72a25e99317a293e4d09c5e921406
Opcode Fuzzy Hash: bb246d12f67f0ff159f08ba2feb86edcb1f0dc94a106d7f8e866a770e0d246f6
Instruction Fuzzy Hash: B101D432E04A41C3D7189B7AD8003EAB3B2AFCD710F15C627D121A3684EBB294D18691

Uniqueness

Uniqueness Score: -1.00%

Function 0318DBE0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e726af79eea553564dbdafb2886bd72d0bf9663697653954c29d28344d3cf9a
Instruction ID: 1e86bd900062b4ba5bbf1fb6340ff4b9f4b9ba0e9ee031b15ea19e7312c94931
Opcode Fuzzy Hash: 1e726af79eea553564dbdafb2886bd72d0bf9663697653954c29d28344d3cf9a
Instruction Fuzzy Hash: FAF07D363013401BD710EB29A8817BBA7969FC0225F044829E5058B6D1DFE8D90A83E4

Uniqueness

Uniqueness Score: -1.00%

Function 010F4047, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08f91297d78fe9e1ce3a930cac5bd8241bead1196fd6b3275b8145404eeae7a
Instruction ID: 97d078d3c70972cb8813216d7b0d981e4e007c7f9d331710f2a1bc751f8d5015
Opcode Fuzzy Hash: e08f91297d78fe9e1ce3a930cac5bd8241bead1196fd6b3275b8145404eeae7a
Instruction Fuzzy Hash: 2201F272300204AFC705AF90DC42BDD3B93EF84714F44482EF604AFAA0EBB6581B97A4

Uniqueness

Uniqueness Score: -1.00%

Function 010FFE80, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdc6bb856dd52f656b192ccae61af138eb54e0a12f975c610f7e4a299c95ad3
Instruction ID: d0ec8b82fe84e862f17ec61c71ac8310853b8b431a28230c9b562b6e5da26817
Opcode Fuzzy Hash: 9bdc6bb856dd52f656b192ccae61af138eb54e0a12f975c610f7e4a299c95ad3
Instruction Fuzzy Hash: BD012676B002158FCB19AB68C4267BE76B2AF88701F14402DC142FFB85CF380D0A87D6

Uniqueness

Uniqueness Score: -1.00%

Function 0318E830, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75eef71a8fa87b33065846e140af8c41c37d7e3767406cb842165fb1d233990b
Instruction ID: 0c1311dbd6c9fccb750584c051b9fdcedbb591d010146481a1fa69bc465b631e
Opcode Fuzzy Hash: 75eef71a8fa87b33065846e140af8c41c37d7e3767406cb842165fb1d233990b
Instruction Fuzzy Hash: 65F0C2797002046B9728E76A9844E6FF7DFEBC8554714C42DE90DC7750EB20DC0047E4

Uniqueness

Uniqueness Score: -1.00%

Function 010F51B0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c861857d690812cb6be576c47dce26316f6d7df313f19b45ac247e402eb1fd9
Instruction ID: 9f2fda50d3c979774db89c2d5d673762237b582b40608dac6e6e15e970cf901e
Opcode Fuzzy Hash: 9c861857d690812cb6be576c47dce26316f6d7df313f19b45ac247e402eb1fd9
Instruction Fuzzy Hash: 2B01B1749043A98AEF54DB95C8067EEBEF26B4A708F14015DD2817BF81CBB94A04CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010F4468, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32811de453f174eb2366c2595e6285118cfc3bdfcb3d05b10917c761c1145899
Instruction ID: 96c0ce73526450608bf3b6f99c249ee1038b775c5724a14cdce6f80d6f096e51
Opcode Fuzzy Hash: 32811de453f174eb2366c2595e6285118cfc3bdfcb3d05b10917c761c1145899
Instruction Fuzzy Hash: 990197B5900119AFCF44CF99D8409AEBFF9FB4D214B244199E918A7301D332E913CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010F7800, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c60156f8b83749e7e0c8f86a9d9f86c6cba4cc08d6c022e09ed0c7cf3a99a4
Instruction ID: e3d60efafa1d26abc6a3dae9e4cd2a3b304093e588162c4dfa0205abeba4ad85
Opcode Fuzzy Hash: 06c60156f8b83749e7e0c8f86a9d9f86c6cba4cc08d6c022e09ed0c7cf3a99a4
Instruction Fuzzy Hash: 87F090367404219BC7159A5EF004AA9B7E6EFC4632F0840BFE60DCBA61CF319C42C791

Uniqueness

Uniqueness Score: -1.00%

Function 010F2D82, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2f0a1b6e71b989a3abd4b6fab6faa9d87fd9eca6a6ef75ec6e77238640a323
Instruction ID: bcc5fb50d99c1e64bfc1f479b7649f6a61f8ca0168c2b95df2954a502008b97e
Opcode Fuzzy Hash: ce2f0a1b6e71b989a3abd4b6fab6faa9d87fd9eca6a6ef75ec6e77238640a323
Instruction Fuzzy Hash: E7F0EC72E001199FCB55DFA998045EFBBF9EF88311B15817BE118E2250E6748A158B91

Uniqueness

Uniqueness Score: -1.00%

Function 031802C0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c580b1387c89254976314f6d3e1f67c405ec92e426c872ff2db683dbb8dab
Instruction ID: b02488962f2cf697b4feebf664ed3dc1fda5f8f0316f1cbc0af93208e6159635
Opcode Fuzzy Hash: c56c580b1387c89254976314f6d3e1f67c405ec92e426c872ff2db683dbb8dab
Instruction Fuzzy Hash: C0F0587544E3C4AFC7038778CCA58A07FB0AE5B25130A41CBE485CF9B3D259890ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0318AC17, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779fc18787445d0b81f4df0c0dd96a6ff8592a17a3f687af6adf2673d2865732
Instruction ID: a0451c1a724c75f7f02cdfb8cfb5d92a468aa3708588bf8cc6e9ea74df2bf9a1
Opcode Fuzzy Hash: 779fc18787445d0b81f4df0c0dd96a6ff8592a17a3f687af6adf2673d2865732
Instruction Fuzzy Hash: 1DF03771A00218DFDF95EF68D884BAEB7B6FF88305F1480AAE90897250DB349995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0318AC0E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779fc18787445d0b81f4df0c0dd96a6ff8592a17a3f687af6adf2673d2865732
Instruction ID: a0451c1a724c75f7f02cdfb8cfb5d92a468aa3708588bf8cc6e9ea74df2bf9a1
Opcode Fuzzy Hash: 779fc18787445d0b81f4df0c0dd96a6ff8592a17a3f687af6adf2673d2865732
Instruction Fuzzy Hash: 1DF03771A00218DFDF95EF68D884BAEB7B6FF88305F1480AAE90897250DB349995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010F33B8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d59102657c0f6daa3498aea3c5c52871f8ee64d9f4de193c0b718c4c7bcaec3
Instruction ID: 2e55852aee6b0aeef111341a76881278a3ecfb459a27bbb10b74f98e41735f94
Opcode Fuzzy Hash: 7d59102657c0f6daa3498aea3c5c52871f8ee64d9f4de193c0b718c4c7bcaec3
Instruction Fuzzy Hash: C3F0C476D00219DFCF44DFA8D9059EEBBF4FB48360B11842AE959E7610E7399A10CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010F0BCB, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b8ab1cb2c59f42465e214246b43ffa21d9133ee9514a70adf583b5b1b990d9
Instruction ID: 5a7f97070cdf24d9172a7838b91975a5da534f093bd7c983c9e8f7515ded01d3
Opcode Fuzzy Hash: 70b8ab1cb2c59f42465e214246b43ffa21d9133ee9514a70adf583b5b1b990d9
Instruction Fuzzy Hash: 50F0B47594420ECFDB41DF44D456B9DBBB2FB04318F24054AE1A2EBA27C7395446CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0318A810, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bb98e7c75bb12911b479daf441d5dd6db3c911ea7a48aa88152c0cc40ea1ee
Instruction ID: 0a6e908d486a38d0aca47905da116166adcbd0262f1a13729d488832f6aa9482
Opcode Fuzzy Hash: 51bb98e7c75bb12911b479daf441d5dd6db3c911ea7a48aa88152c0cc40ea1ee
Instruction Fuzzy Hash: F7F03032048289BFDF034FA0CC11FEA3F76AF49205F098196F95495461C63AC531EB60

Uniqueness

Uniqueness Score: -1.00%

Function 010F33C8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdcb686ebf91d77467199dc8f860b0820e51668f19e9e6f501e9d28ad2226dc
Instruction ID: 12a297edc7303d61d0191e2f45a124517868450d421ac7ae803284a484e2c735
Opcode Fuzzy Hash: afdcb686ebf91d77467199dc8f860b0820e51668f19e9e6f501e9d28ad2226dc
Instruction Fuzzy Hash: 64F0B775E00219EF8F40DFA9D9059EEBBF5FB4C250B00842AE919E7710E7345A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010FAF0D, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da98b1ebb53adb3434d673c313de71dcf21beeab10037a8ee58f113ceccacf81
Instruction ID: 1f9280e6c716044e91111dfe19fa489d72d70c91c552460d8f1cadc6fc8bdadd
Opcode Fuzzy Hash: da98b1ebb53adb3434d673c313de71dcf21beeab10037a8ee58f113ceccacf81
Instruction Fuzzy Hash: E2F01732600209EFDF518E94DC01BD97BB1FB08350F408095F64996950D7724AE4CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010FABB8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1bebc51bb1c30ee9f792e6ce78bc085bac13ac3b78d3cda1c93bc0f1cc9d47
Instruction ID: eb6926dc3a46de556f3cd78ec84746bf9172b9275cf3aaa761b6e5f4fbeaee2d
Opcode Fuzzy Hash: 6b1bebc51bb1c30ee9f792e6ce78bc085bac13ac3b78d3cda1c93bc0f1cc9d47
Instruction Fuzzy Hash: 21F0F832B04219EFDF528E94DC01BDD7BB2EB48350F0084D9F74A92A50D7728AA0DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F6463, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d2c282452249adc24ccb45ea55a5fdd0509c6a4da87477818ca2b5a53b5879
Instruction ID: 8817c91ba5db5fb5b6b08a3a62d4378e3aae2f61db32c4a29cdc4805044c1cb6
Opcode Fuzzy Hash: c6d2c282452249adc24ccb45ea55a5fdd0509c6a4da87477818ca2b5a53b5879
Instruction Fuzzy Hash: 85F05878A401068FCB04CF98D185A9EBBF1FB48320F104699E654EB7A1C731FD40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03180158, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c4616105bdbdd7fd6fa7a6dd584caac2bf262097d27914feab999d8c33dfb9
Instruction ID: dacb9685778ca33d0ecff6bb8c48952bcbcc457e875a4925556ea361b9a0751f
Opcode Fuzzy Hash: 42c4616105bdbdd7fd6fa7a6dd584caac2bf262097d27914feab999d8c33dfb9
Instruction Fuzzy Hash: E9E0C2313093940FCB06126EA8004AA3FADCBCB521B0501FBE248CB352D9560C0643F2

Uniqueness

Uniqueness Score: -1.00%

Function 0318A820, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452ffdde3c3ee3196bbb3a0e09bd03d9956e35680d9a22ae324e7db39100e5c0
Instruction ID: fd8b8f7c0f38d22244083a63a32a8128383fd7b68a2266b50a3b9a0c2f27b722
Opcode Fuzzy Hash: 452ffdde3c3ee3196bbb3a0e09bd03d9956e35680d9a22ae324e7db39100e5c0
Instruction Fuzzy Hash: 4DF0C27200014EBFDF128F91CC01FEA3F6AFB8C304F088151FA5454460CA3AD531AB60

Uniqueness

Uniqueness Score: -1.00%

Function 03180934, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e3d70610df110719b86a45e9ec703e843d263f342a088201a141d48289a02b
Instruction ID: d81200f33b3e980dce2869ccc52779efa900b768be416b849c94c3efb479d2ed
Opcode Fuzzy Hash: 03e3d70610df110719b86a45e9ec703e843d263f342a088201a141d48289a02b
Instruction Fuzzy Hash: A8F01532D10208CFCB00EBB8D4845DCF7B0FF89319F2086AAD55467221D7329A94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010F4010, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b16b6ee8c5b5bc0105e68b4dcc003fb5c20782dade769e0935abb06a1fb8f02
Instruction ID: 7e27c2cf18d947f5d124b4021dd726a1c2bd4588494937aa7beedc5661214f47
Opcode Fuzzy Hash: 4b16b6ee8c5b5bc0105e68b4dcc003fb5c20782dade769e0935abb06a1fb8f02
Instruction Fuzzy Hash: 75D05B723001107BE314558AAC05FBB76AEDBCAB62F55C07EB109DB6818DA58C0243F0

Uniqueness

Uniqueness Score: -1.00%

Function 010F400A, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a427dced5b1d33e08f548c43b947d07ea5e3995499d7a4e0f980299ae76562
Instruction ID: c003970a1681c5237b3f7690f6588096cb1ceec5e36a0cd8a0c645545ec6b3c9
Opcode Fuzzy Hash: 87a427dced5b1d33e08f548c43b947d07ea5e3995499d7a4e0f980299ae76562
Instruction Fuzzy Hash: C3D012B7700110ABE3059589AC06FBB529EEBC9762F59807AB109EB685DD658C0243B0

Uniqueness

Uniqueness Score: -1.00%

Function 03180168, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e11ef20247dc7778b0331c7c6395d6be98a170eb5a23cb1b80b4cdd1211be8d
Instruction ID: 5f29553dd44d19b48c580e14f0145e61e5fb868ed8caedd65d133a62db6644a2
Opcode Fuzzy Hash: 4e11ef20247dc7778b0331c7c6395d6be98a170eb5a23cb1b80b4cdd1211be8d
Instruction Fuzzy Hash: D5C01232310024178A08618EA4089AB7ACECBCAA62B1440BBA20EC33819DA68C0202E5

Uniqueness

Uniqueness Score: -1.00%

Function 03180280, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7728d288b9892ff9815663c1df5d174552f4c6a4a50b594a63db9eb76707f621
Instruction ID: af4456042c8e041d16315418cae09182595deac142c1d207950bca6489a01562
Opcode Fuzzy Hash: 7728d288b9892ff9815663c1df5d174552f4c6a4a50b594a63db9eb76707f621
Instruction Fuzzy Hash: 77D0523408A3849FC702CB74C8858887FB0BF0622431A80DEE449CF273C26A8C02CF52

Uniqueness

Uniqueness Score: -1.00%

Function 031802A1, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fab08d4e5b16d20cd8fd77f026b59d715fc09a38c77714472a10d8d2aee5a8
Instruction ID: ddebd22d29d1bc67cac5ac6fc7d982629839d6b9d3d16efdcbcd092bc458042b
Opcode Fuzzy Hash: 74fab08d4e5b16d20cd8fd77f026b59d715fc09a38c77714472a10d8d2aee5a8
Instruction Fuzzy Hash: F7D05E3018A3808FC3028774C449A54BFB4BF02630B0600CAE085CF673D2658804CF41

Uniqueness

Uniqueness Score: -1.00%

Function 010F442A, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction ID: 3f6678388cee0e7e2d9a0a6bbd4b712a05793b98debf0fc2858442e7e60b7aac
Opcode Fuzzy Hash: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
Instruction Fuzzy Hash: 7ED09235A00018CBDF44CF88D8457DCF7B0FB88329F1480AADA18B7691C77BA956CB64

Uniqueness

Uniqueness Score: -1.00%

Function 010F6599, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65218c4113f573e99635821c78f94d444be888b4083f65c218836eee9df8036
Instruction ID: 4f7d43a2432f37886a81ac996687fcf525ec1a7f4ab221e737ce2162c4126923
Opcode Fuzzy Hash: f65218c4113f573e99635821c78f94d444be888b4083f65c218836eee9df8036
Instruction Fuzzy Hash: 77D0C9762482408FC706CF18F554815BB70AF9661130540EAE6428F632C322E820DB71

Uniqueness

Uniqueness Score: -1.00%

Function 031802B0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a93df405bc429466bd65229d29705813b12b6460fd06a522898cc08a59ba6a
Instruction ID: c16569c77793bc0f09bc920b9b274da3ad68a6c1fb003328aecad9df46874185
Opcode Fuzzy Hash: 79a93df405bc429466bd65229d29705813b12b6460fd06a522898cc08a59ba6a
Instruction Fuzzy Hash: E9B092342A02089FC2409B5AD849F01B7ACEF05A24F4140D0F2088F672C662E8008A80

Uniqueness

Uniqueness Score: -1.00%

Function 010F10B0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.511197174.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction ID: 96a74fec5220f98754945e00ce640a92889f3d2d232068f8612b65c1e83e2114
Opcode Fuzzy Hash: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction Fuzzy Hash: B4B092351502088F82009B68E448C4073E8AB08A253114090E10C8B232C621FC008A40

Uniqueness

Uniqueness Score: -1.00%

Function 0318C2C0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc09f4e097be285a973c6549adcc0044616449b647fa1562c9f4a12cc92ae52
Instruction ID: 6c84f58e38e52437c48c39c112b6bd73dda771c7a1f73d1839d09522ec36cc65
Opcode Fuzzy Hash: ebc09f4e097be285a973c6549adcc0044616449b647fa1562c9f4a12cc92ae52
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03181880, Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

`oj, xrefs: 03181969
`oj, xrefs: 03181A29
`oj, xrefs: 031818B0
`oj, xrefs: 0318190B
`oj, xrefs: 031819C7

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: 8b47fd69d5a390b6ce375880b90ef33aa8042b15c5b802ff2cc2a0886fdbbb87
Instruction ID: cb45d2f5dd333ee4780813cf5187ea641e6c37502f761dc20fd509f0a1a965f9
Opcode Fuzzy Hash: 8b47fd69d5a390b6ce375880b90ef33aa8042b15c5b802ff2cc2a0886fdbbb87
Instruction Fuzzy Hash: 39617A315017009FC315EF65C840799B3A3FF89209F444E6CD08A4FAB9EB75AC4ACBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03181890, Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

`oj, xrefs: 03181969
`oj, xrefs: 03181A29
`oj, xrefs: 031818B0
`oj, xrefs: 0318190B
`oj, xrefs: 031819C7

Memory Dump Source

Source File: 00000005.00000002.518911735.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: f547b3a327a77126ebf6f6738d9078f24186c1f90770b9fe8599f841af6319f7
Instruction ID: dcef00aa5816f97d0398731873049a174cbb0c7d3f538caf32c8056e0972832f
Opcode Fuzzy Hash: f547b3a327a77126ebf6f6738d9078f24186c1f90770b9fe8599f841af6319f7
Instruction Fuzzy Hash: F45149355017049FC314EF65C44079AB3A7FF88249F544E2CD08A4FEA9EB75AC4ACBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 2104 Parent PID: 4504 powershell.exeCOMMON

Executed Functions

Function 008CB7A0, Relevance: 8.0, Strings: 6, Instructions: 542COMMON

Download Yara Rule

Strings

HJ, xrefs: 008CBE75
HJ, xrefs: 008CBD99
HJ, xrefs: 008CBE5E
HJ, xrefs: 008CBE8C
HJ, xrefs: 008CBDB0
HJ, xrefs: 008CBD82

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ$HJ$HJ
API String ID: 0-2282386358
Opcode ID: 90bc69566facbd8016247aff3b522b61389d7c708ff590e7933f4ca6ed8e0490
Instruction ID: 2ee55938afa5735031b8c737ec3ab87a305c468ece9a72b805e8be0f90294cd6
Opcode Fuzzy Hash: 90bc69566facbd8016247aff3b522b61389d7c708ff590e7933f4ca6ed8e0490
Instruction Fuzzy Hash: 02225D306006059FCB14EF69D895AAEB7F2FF84304F158868E406DB7A5EB74ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008CD300, Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

HJ, xrefs: 008CD373

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: 7c54c3f1ecccafdde8657e0f6ecef5823e6d242396ae55985f06b4bc96aae247
Instruction ID: 5bae20ddc618a3e172f7d069831779a1faec5e583272ae3d7c2d6ceed879ac49
Opcode Fuzzy Hash: 7c54c3f1ecccafdde8657e0f6ecef5823e6d242396ae55985f06b4bc96aae247
Instruction Fuzzy Hash: 16A19C307042009FEB28AB758855BAB7AA7EF85308F148479D5068B791EF78DD0987A5

Uniqueness

Uniqueness Score: -1.00%

Function 008C8E20, Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd12633a5271185407c049ef71da5383e4f0780f37dc5d6399577b456f5dc2b
Instruction ID: ef9992a898b4e3dd045cc4c594b1b22acccc1f45411a4f20596dcdf693514193
Opcode Fuzzy Hash: dcd12633a5271185407c049ef71da5383e4f0780f37dc5d6399577b456f5dc2b
Instruction Fuzzy Hash: A1325830A002099BDB15DF79C894BAEBBB2FF89304F1485ADE951EB391EB35D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008CF4F7, Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67b514d15613d76844e47c991bf50ee14b201a2bfd1c332c2b6f65c01956a45
Instruction ID: 74f39eba0f50b4231da8eea2887ee64d04011c7217593403abb19bc0c24162ab
Opcode Fuzzy Hash: e67b514d15613d76844e47c991bf50ee14b201a2bfd1c332c2b6f65c01956a45
Instruction Fuzzy Hash: 9E22F634B102099FEB14DBB5C990EAD77B6EF88304F148469EA02DB396EB79DD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008CB218, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6833b9b9be78d6a14ca94761092b226a459840061e1093d33151bd95fd65e4
Instruction ID: b8ac98ec083345b29a56ad54bb5a1490a2d89d1beb45ba1b8d8a3e2411c95267
Opcode Fuzzy Hash: ad6833b9b9be78d6a14ca94761092b226a459840061e1093d33151bd95fd65e4
Instruction Fuzzy Hash: 25C17A30A106198FCB14DF65C881B9EB7B2FF89344F1485A9D409EB351EB70AE89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008C49B8, Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

HJ, xrefs: 008C49E0
s, xrefs: 008C4B41
s, xrefs: 008C4B05

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ$s$s
API String ID: 0-3337235561
Opcode ID: 06c92e8d8c25a7d0679c7e887a0dea64e7071993798681515dcab064b0e8d708
Instruction ID: 44b3abadf17aa34abe878125d976b05335a685470d628b8b4423a962f5ab3448
Opcode Fuzzy Hash: 06c92e8d8c25a7d0679c7e887a0dea64e7071993798681515dcab064b0e8d708
Instruction Fuzzy Hash: 85916834B102058FCB04DB79C865A6EB7B2EF89304B20856DE506DB7A1EB34EC45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 008C9CD8, Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

HJ, xrefs: 008CACC8

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: 0f419cf4e60a29d64882dd2ccf90b6c849f1796c335553b9119a8c12d850e637
Instruction ID: 8ec62657f763eb6b88b0a4c7b7995907ae7d4ab58f192e18190c510c0e9a46fd
Opcode Fuzzy Hash: 0f419cf4e60a29d64882dd2ccf90b6c849f1796c335553b9119a8c12d850e637
Instruction Fuzzy Hash: 2E120534A01219DFDB64DF65D894BA9BBB2FF48344F0081A9E90AE73A0DB359D84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 008CDFC0, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

HJ, xrefs: 008CE03E

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ
API String ID: 0-775665175
Opcode ID: e04d3c6418abcdcb205717f9339797149e255563f9ecb57863b2f1d712781b3a
Instruction ID: 907362d711dd65c8c37f5adea7cdb16b7b219b0f7d1a0076d7800881b9095416
Opcode Fuzzy Hash: e04d3c6418abcdcb205717f9339797149e255563f9ecb57863b2f1d712781b3a
Instruction Fuzzy Hash: 3711D2347042449FCB14ABA9E854AAEBBF6FF85310754846EE909DB791DB70EC04C791

Uniqueness

Uniqueness Score: -1.00%

Function 008C3BB0, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

U, xrefs: 008C3BBC

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 439a8e6f0fc0b277c8e352861db473a8f1b435bf27498a5d1bf7f6fcdddf2fb6
Instruction ID: 13c49dcc1574e57f4c70369d4728aeab84a6292f9c699375f55cbbadbf90efb5
Opcode Fuzzy Hash: 439a8e6f0fc0b277c8e352861db473a8f1b435bf27498a5d1bf7f6fcdddf2fb6
Instruction Fuzzy Hash: CE116D746002049FCB00DF48C8D0DAABBB5FF4A310B148499E849EB361C731FC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008C7578, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4f54095f4bd0de761b9ef2785c09d47b221493c8182fd01d0d8387ab8e8b8f
Instruction ID: 5392ac89244bc4694cc0c25dd2582e2696bfe3551d1af4cb1edbdc706a9d6661
Opcode Fuzzy Hash: 0a4f54095f4bd0de761b9ef2785c09d47b221493c8182fd01d0d8387ab8e8b8f
Instruction Fuzzy Hash: B8D17D70A042099BDB24DFA5C884BAEB7F2FF84304F14892DE506EB694DB34ED45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 008CB78F, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb9ec8d69c5c6f61c9354f98ece6f1ed539254bbe33599691c9b3d9795bdf8
Instruction ID: 92e537be66a897235f7fa09e72a4d0f5491704fdac88d44a552317ab8e12d63f
Opcode Fuzzy Hash: c7bb9ec8d69c5c6f61c9354f98ece6f1ed539254bbe33599691c9b3d9795bdf8
Instruction Fuzzy Hash: C6A16C306006099FCB14EF69D885AAEB7F2FF84304F148968E442DB761EB74ED49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008CA85F, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b286de78a0ed105f31c18c2c79d2fd925234f8a04450b34d4ccb68e154dfc97e
Instruction ID: f0111b36a97ff2f78ea4458e647cb33674663331521f1fb02831419a90ae2539
Opcode Fuzzy Hash: b286de78a0ed105f31c18c2c79d2fd925234f8a04450b34d4ccb68e154dfc97e
Instruction Fuzzy Hash: D8B1D734A00258CFDB68DB25C998FAD77B6BF48309F1485A9E50AE72A0DB30DD85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 008C3BC0, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2d3a7823415506f274cb597a1e5094e8c26d0dd107671f1b09a72831a5824d
Instruction ID: 03ca724ae153569e89a721363e73ff1055d565edb429917882fd15ab32ec037f
Opcode Fuzzy Hash: 6d2d3a7823415506f274cb597a1e5094e8c26d0dd107671f1b09a72831a5824d
Instruction Fuzzy Hash: 13719F347041055FC714EB68C890AAEB7E2FFC9314B558878E40AEB792DF34ED0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 008CADBB, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6970582a8ff1dd2580a145067670a36e5d1f9f8a05c38b6fd5e59d56b5425f
Instruction ID: 16d26eb19e8717b06d4605c3944ff34d81e0b7e8e5029e0f68b5a838186ed00a
Opcode Fuzzy Hash: ab6970582a8ff1dd2580a145067670a36e5d1f9f8a05c38b6fd5e59d56b5425f
Instruction Fuzzy Hash: E98166347102099FCB04DB68D481E9EBBB2FF89318F1481A9E905EB761EB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008CB208, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641e9341e4162f36d4b52d816cdff74cab158586481afcdcecc62e2790139fd5
Instruction ID: 692c0b06c3696e43fc7bc4cd247a3f84d0278af1971020bb32657fec39fdfbcd
Opcode Fuzzy Hash: 641e9341e4162f36d4b52d816cdff74cab158586481afcdcecc62e2790139fd5
Instruction Fuzzy Hash: 30618830A006199FDB14DFB5C881BAEBBF2BF89344F1484A9D405EB365EB34AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008CD787, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459a32bac2558f763b87300bcb7339b8cf187201279f5542e13c7ed1ec718b13
Instruction ID: 328a73b6c54fed5a7f33be10e7b5d7a5f4a5fecd57ed08f9bedc79f38072311d
Opcode Fuzzy Hash: 459a32bac2558f763b87300bcb7339b8cf187201279f5542e13c7ed1ec718b13
Instruction Fuzzy Hash: 93516E70611200DFC754EB78D456AAE7BF2EF8A305F60806DE406EB391DB369D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008CD798, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684eb342020b654cb237f684489e6b2e03410cbdd8bf524711bb202f87e0ba88
Instruction ID: 55af72dd38e7b26363567a3f67a2aba53604e6adf3c1b577fe0b896a5827cb70
Opcode Fuzzy Hash: 684eb342020b654cb237f684489e6b2e03410cbdd8bf524711bb202f87e0ba88
Instruction Fuzzy Hash: D1416F70611200DFC754EB78D456AAE7BF2EF8A305F60846DE405EB391DB35AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008CDEE7, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead44152294b994ef2162dc8ce0307f5189cecd3ff6ebcfaadb0d152ecd544b7
Instruction ID: e409e4fa16a21cc498152cac5ad700e5d59447fcb82c01931674fc1d947c06ee
Opcode Fuzzy Hash: ead44152294b994ef2162dc8ce0307f5189cecd3ff6ebcfaadb0d152ecd544b7
Instruction Fuzzy Hash: 71311E2564E3D11FD31797791C609A67FB5EE9321470A45EBD081CFAA3D924C80993A2

Uniqueness

Uniqueness Score: -1.00%

Function 008CB321, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bda04e08802d57f2f0d1172441598228368216f9b1d8786f0b453741705f9d
Instruction ID: 2186b5463b0369efbb90242afc1b7227e0882414eab37658adf501818b35906f
Opcode Fuzzy Hash: b9bda04e08802d57f2f0d1172441598228368216f9b1d8786f0b453741705f9d
Instruction Fuzzy Hash: F5415E70A006099FDB14DFA0C881BDEB7B2FF89304F148569D405EB765EB74AD4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 008CDFB0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab82f96da20f7567b2cf1ba793c7f7cfea48cee91dc78201309aad8e138e4f2
Instruction ID: ce4610e86e4b82913adef1e3a25afd5dd5b27e84a7f0d2c07e3654841d9058e7
Opcode Fuzzy Hash: cab82f96da20f7567b2cf1ba793c7f7cfea48cee91dc78201309aad8e138e4f2
Instruction Fuzzy Hash: 7511E030B041449FCB10CFA99850ADEBBF2FF85210B14856EE804D7361D770EC09C790

Uniqueness

Uniqueness Score: -1.00%

Function 008C9BA0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f89fc0d583eeeade8471d15173f066c055ed19435ddd9bd6759592ddfe9b7ca
Instruction ID: 79aea87715cbb9b2ce14afa5ac46caa14f5b1d27fa5f1ab8c1becc9b34e93889
Opcode Fuzzy Hash: 8f89fc0d583eeeade8471d15173f066c055ed19435ddd9bd6759592ddfe9b7ca
Instruction Fuzzy Hash: EA110432E04A858AC7118A7ADC007E9B7F1FFDA310F24C7ABD4A1E7290E770D8948291

Uniqueness

Uniqueness Score: -1.00%

Function 008C9BB0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2235ea90881ef7dd196384beef43eda80b98fca6b7bd59b9c3c06f5d086a3a7
Instruction ID: 2f04bf6489736005b7198a9bd0f71c92a9383bdb18a63732f7d742b76781fe97
Opcode Fuzzy Hash: e2235ea90881ef7dd196384beef43eda80b98fca6b7bd59b9c3c06f5d086a3a7
Instruction Fuzzy Hash: 5E01D832E04A45C2D7104A7ADC047E6B3F2FFD9310F24C6ABD591E3240E771D4D08291

Uniqueness

Uniqueness Score: -1.00%

Function 008CD2EC, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f51537b10753297982f4b49c778b2289c1758f3f5e74b0e9c07867e4ea6f06
Instruction ID: 540c48ea0e451e1e546dab9a6c8d59f81f54e4d12c13f1201fbe78690461cb38
Opcode Fuzzy Hash: 28f51537b10753297982f4b49c778b2289c1758f3f5e74b0e9c07867e4ea6f06
Instruction Fuzzy Hash: FC012B313043405BD7109B26889177BAAD6FFD0315F14843EE5848B791DFB4CC058391

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.522800884.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4947ec6ae35adba58dd1250fd4c225d097905562dbbce36682b77eebe002d0ef
Instruction ID: 670a87975f20c4dd0a91ed4c02b22ff7e647e00f4301ddfba46e6a43a8f9126a
Opcode Fuzzy Hash: 4947ec6ae35adba58dd1250fd4c225d097905562dbbce36682b77eebe002d0ef
Instruction Fuzzy Hash: 7601406140E3C05ED7138B258C94B92BFB49F43224F1981DBD9889F2A3D2695C48C772

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.522800884.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e27e89703b1463d875932e666a7119a2cf1e594ef7ed0715a9e38b39699efa8
Instruction ID: 9d2cf9df38e37e45e228059e9b446d26c541c682a9a6bbbced35ef314ac0d1ba
Opcode Fuzzy Hash: 9e27e89703b1463d875932e666a7119a2cf1e594ef7ed0715a9e38b39699efa8
Instruction Fuzzy Hash: D301F77140C340AAE7205B12CCC4BE7BB98EF41328F18901AED496B682D3B99C09D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 008CA06E, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd2b52569643ecf1b413776989e324fa872e7770c18b2de1003e3f8aad550c4
Instruction ID: 881668a9fd831caf9cabe76ec3b8c7c8aef46c358bf9ee271da0ae9047b689ae
Opcode Fuzzy Hash: 8fd2b52569643ecf1b413776989e324fa872e7770c18b2de1003e3f8aad550c4
Instruction Fuzzy Hash: 50F01431A0021CDFDF99DF64D880BADB7B6FB84358F1480AAE409D2250EB34C999CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008CA077, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd2b52569643ecf1b413776989e324fa872e7770c18b2de1003e3f8aad550c4
Instruction ID: 881668a9fd831caf9cabe76ec3b8c7c8aef46c358bf9ee271da0ae9047b689ae
Opcode Fuzzy Hash: 8fd2b52569643ecf1b413776989e324fa872e7770c18b2de1003e3f8aad550c4
Instruction Fuzzy Hash: 50F01431A0021CDFDF99DF64D880BADB7B6FB84358F1480AAE409D2250EB34C999CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008C9C71, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202c2f268878a4167d89f6c3a059df12497ee7d48122610f6ec10435098e7554
Instruction ID: 6173b43d2b4d5407524ec939fec7698f759b1b3ab32ace68b36c28243c86708f
Opcode Fuzzy Hash: 202c2f268878a4167d89f6c3a059df12497ee7d48122610f6ec10435098e7554
Instruction Fuzzy Hash: FFF0173200428AAFDF138F94DC01EEA3FB6AF4A214F088096FA9496461C635D530EB61

Uniqueness

Uniqueness Score: -1.00%

Function 008CF12F, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2bb8b1ce3be6a9671a81f6f737e33e4982bbee406b018393a91ea941915f81
Instruction ID: a4e66f44c477a6872ce19e972a0df2e36795a0530ee2e4ac9bdacac5e67c1b4e
Opcode Fuzzy Hash: 2e2bb8b1ce3be6a9671a81f6f737e33e4982bbee406b018393a91ea941915f81
Instruction Fuzzy Hash: 46F06D35710648CFEB12CF68E8C4D9ABBF6FF44301B5549AADA5A9B216C731E815CB01

Uniqueness

Uniqueness Score: -1.00%

Function 008CBEE0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7def78d8814f475a79c634fef21f67d6e6650b6c379683763ec760225394de
Instruction ID: c47a4b67cb8e5f7d6379b11ee2747c34dd5678610da65833fcf59daf21069a47
Opcode Fuzzy Hash: 7c7def78d8814f475a79c634fef21f67d6e6650b6c379683763ec760225394de
Instruction Fuzzy Hash: 40F01C74F106298F8B54DFBD88055AE7BF6EF8C244B20407AD509DB710EB30DE008B91

Uniqueness

Uniqueness Score: -1.00%

Function 008CFD80, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3b035980915ce92333b85b9a0e70e94d047feaad8ca9e1c334478dd4cf3bcc
Instruction ID: aff027a68b6efc954010777157d4ebf44ce1d1d9d0a03cbe677f5a41d3c22e62
Opcode Fuzzy Hash: ea3b035980915ce92333b85b9a0e70e94d047feaad8ca9e1c334478dd4cf3bcc
Instruction Fuzzy Hash: BCF03076509189FFCF02CFB48C008EE3FBAEF4A200B058496F940D7121D2318A32BB60

Uniqueness

Uniqueness Score: -1.00%

Function 008C9C80, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2af6e8e39e87ace5cc65c1cf0b8b90ccb665fa6e4c6fd6dfbd07634fc1fd68
Instruction ID: 85af07f7cb7bfcdaba79034dad4831dea444bf8ad5fc17230bee790cd17cae1c
Opcode Fuzzy Hash: ad2af6e8e39e87ace5cc65c1cf0b8b90ccb665fa6e4c6fd6dfbd07634fc1fd68
Instruction Fuzzy Hash: 85F0C27200014EBFDF528F90CC01FEA3F6AEB8C304F048155FA5454061C676D531AB60

Uniqueness

Uniqueness Score: -1.00%

Function 008CFD90, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37ea2a768b8affaf94cab2fc42a70fae9df920cf7f5368c73fb57094cfc1b27
Instruction ID: 28ee6a60162a6451dedaf8438a94d15c4ae3331e5482b35ed870fa7ff36aaa3a
Opcode Fuzzy Hash: a37ea2a768b8affaf94cab2fc42a70fae9df920cf7f5368c73fb57094cfc1b27
Instruction Fuzzy Hash: 9EE092B691010DFF9F01DEA49D00CAF7BBAEB48200B00C465BA04D2120E6329A31ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 008C49A8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c0ac9cecba1517d53c01a7114b434c6a4af9a483c75d2ba09ae5c34c70f73a
Instruction ID: 1fde718e924aa0913062544d1f1eef45b5b6c3015364b5b3f51287a40d595bbd
Opcode Fuzzy Hash: 49c0ac9cecba1517d53c01a7114b434c6a4af9a483c75d2ba09ae5c34c70f73a
Instruction Fuzzy Hash: 98D05B341093565FD7114B69A861A527F79FF1725030551D5F941CB231D931D894C762

Uniqueness

Uniqueness Score: -1.00%

Function 008CB710, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25bf42541499c5582217ea49b5ecae37f4c8b0ce580e68c540f3d087742cb2d
Instruction ID: 6ebfea7e4994b692b1f42fc6bd9725c4e0ab09f5513906a41625264ce7787acd
Opcode Fuzzy Hash: b25bf42541499c5582217ea49b5ecae37f4c8b0ce580e68c540f3d087742cb2d
Instruction Fuzzy Hash: 0BB0123D6351C10AEA018334E4A2AE13B557F43309BB50CD39480D9C62EA4D89448B63

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008C0E7F, Relevance: 6.4, Strings: 5, Instructions: 166COMMON

Download Yara Rule

Strings

`oj, xrefs: 008C1029
`oj, xrefs: 008C0EB0
`oj, xrefs: 008C0F69
`oj, xrefs: 008C0FC7
`oj, xrefs: 008C0F0B

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: a715689f6613215ca2c274b8e99ddade7deae00bae5a91c4e4ac1d5d0bd2a822
Instruction ID: 8b7cc0200091e9c8c3b485669f2c20e6424fa6f603dbe7d15b6296b12fa46ca7
Opcode Fuzzy Hash: a715689f6613215ca2c274b8e99ddade7deae00bae5a91c4e4ac1d5d0bd2a822
Instruction Fuzzy Hash: 12613930100600DFD764EB74C485B9AB3A2FF85348F504E6CD18A8BAA5EB71FD49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C0E90, Relevance: 6.4, Strings: 5, Instructions: 158COMMON

Download Yara Rule

Strings

`oj, xrefs: 008C1029
`oj, xrefs: 008C0EB0
`oj, xrefs: 008C0F69
`oj, xrefs: 008C0FC7
`oj, xrefs: 008C0F0B

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: `oj$`oj$`oj$`oj$`oj
API String ID: 0-426813867
Opcode ID: 97a0fca2dad448f0c7b3909402e824bdcd9ccee6c95cc408eb9c19d2b19b1dfb
Instruction ID: db208115098100e32aea3d072cc5b175af7fb0bfe72853094ec39cdd5cb51997
Opcode Fuzzy Hash: 97a0fca2dad448f0c7b3909402e824bdcd9ccee6c95cc408eb9c19d2b19b1dfb
Instruction Fuzzy Hash: 96511730100600DBD764EB75D485B9AB3A2FF85348F504E2CD18A8BAA5EB71FD49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C47D8, Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

HJ, xrefs: 008C4897
HJ, xrefs: 008C4979
HJ, xrefs: 008C4804
HJ, xrefs: 008C48E2

Memory Dump Source

Source File: 00000009.00000002.512339643.00000000008C0000.00000040.00000001.sdmp, Offset: 008C0000, based on PE: false

Similarity

API ID:
String ID: HJ$HJ$HJ$HJ
API String ID: 0-2451104629
Opcode ID: a34351876fcf5987fb0fcce31d68623af90b47c326e2cfdc9fb5225ca33c611f
Instruction ID: 01bbba271b4d0e6207c3e3ab146efb6bd04f10f2fbc791657d520a21f8950f2a
Opcode Fuzzy Hash: a34351876fcf5987fb0fcce31d68623af90b47c326e2cfdc9fb5225ca33c611f
Instruction Fuzzy Hash: A851ED75B001149FCB44EFA8D994AAE77F6EF8D314F214068E506EB7A1DB359C02CB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Devizni izvod za partiju 0050100073053.exe PID: 6196 Parent PID: 4504 Devizni izvod za partiju 0050100073053.exeCOMMON

Executed Functions

Function 0509268C, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509273F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: aa44793b7ec065d8f82520fdb3a30ddb9d2871af034d41fc59e76c76c65bc454
Instruction ID: a31fb9b556936da3e831f674bcdc07e3b45c6f5d97dd5b2861199d709635bd67
Opcode Fuzzy Hash: aa44793b7ec065d8f82520fdb3a30ddb9d2871af034d41fc59e76c76c65bc454
Instruction Fuzzy Hash: 97315E7550D3C06FD7138B259C54B96BFB8AF47224F0984EBE984DF1A3D2249909C772

Uniqueness

Uniqueness Score: -1.00%

Function 05091357, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 050913D7

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: aed7094d3a1678fbd20e182bffa35f63df160b7c4d7c3cb58d6a2eaee19c39ad
Instruction ID: b94da39289cbb82665032136a0f3bbb300c3ca109e5c855893cf501e08590782
Opcode Fuzzy Hash: aed7094d3a1678fbd20e182bffa35f63df160b7c4d7c3cb58d6a2eaee19c39ad
Instruction Fuzzy Hash: 2921BF75509380AFDB228F25DC44B66BFF4EF06210F0884AAED858B563D2359808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05092B9A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05092C0A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 9fe04daf2e329dcbdda075a622d7ead779f75c6154c6fd89b1625186e81d183a
Instruction ID: a4ee0214a2b5030a170a05ee49035f3565faca50068294ac119a1b44e39146fb
Opcode Fuzzy Hash: 9fe04daf2e329dcbdda075a622d7ead779f75c6154c6fd89b1625186e81d183a
Instruction Fuzzy Hash: C111A2B2400204AFEB21DF55ED44FABFBE8EF08311F14886AE9459B151D274A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05091593, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 05091609

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2e21fc882a428aa5b273c14603bca3b9c86603fb20cdda84f9e162a516e25757
Instruction ID: 1637125f8472bc28e2a1e6aa2950f3cf10322508b759382d029d6fd565703229
Opcode Fuzzy Hash: 2e21fc882a428aa5b273c14603bca3b9c86603fb20cdda84f9e162a516e25757
Instruction Fuzzy Hash: FD21AE759097C09FDB238B21DC45A62FFB0EF16214F0D84DBE9848B1A3D265A509DB62

Uniqueness

Uniqueness Score: -1.00%

Function 050926DE, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509273F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: fd15bb32378db5a4ddfc3c298276ee78c10b0243a688ee5ae561c6bcf446aefa
Instruction ID: 4bf5cce5c7ef479d2364f61398276b223aa0b96ad336824091823c1dd2b1f621
Opcode Fuzzy Hash: fd15bb32378db5a4ddfc3c298276ee78c10b0243a688ee5ae561c6bcf446aefa
Instruction Fuzzy Hash: CD11C179500200AFEB20CF19ED84FAAFBECEF04721F08846AED49EB245D674A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04F6F8B8, Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F6F8FA

Memory Dump Source

Source File: 0000000D.00000002.542686025.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fcb43a8cfe3e99b7df5d4062876bd833555ab59d46f549924efcc9d64355bcb5
Instruction ID: 04c390542bc0254022a9030129bc9dd5102ec3b9e11fa7a31136256cf1a88bb8
Opcode Fuzzy Hash: fcb43a8cfe3e99b7df5d4062876bd833555ab59d46f549924efcc9d64355bcb5
Instruction Fuzzy Hash: D011BE32B08209EBCB149F24E8557AEBFB2AB4531CF14006DC15BA7240DAB56886DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0509138E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 050913D7

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 15b37732be9874117638c1a91e51f0c132da9d588151e6aee85ee654bf61bb6f
Instruction ID: 63e90fec98a975fa2e5c33a00b4632c1ad89c744ba457372f486d2f0a9018547
Opcode Fuzzy Hash: 15b37732be9874117638c1a91e51f0c132da9d588151e6aee85ee654bf61bb6f
Instruction Fuzzy Hash: 5E119E75A043009FDF20CF55E844B6AFBE4FF08220F08C46ADD868B656D271E418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0509339A, Relevance: 1.5, APIs: 1, Instructions: 41timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 050933D2

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 43216e04d8228e39a85a6dac6f2a841512b9bb570dee2a93e81a761147954e0e
Instruction ID: 808019dcf94e876e4598ea015f0a60db62675b39966abc31b6bb06f1f9b162ff
Opcode Fuzzy Hash: 43216e04d8228e39a85a6dac6f2a841512b9bb570dee2a93e81a761147954e0e
Instruction Fuzzy Hash: 03018F75600640CFDB258F19E884BAAFFA4EF04320F08C4AEDE458B655D275E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0509101A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0509104C

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 717c5f8c1a5744d2c80d2bb55a6fa66d9f0f3aa2be8a4dfb84bc55d532465df4
Instruction ID: 561edc5577223f9916b0a5474ff9d8e85b8655fe599f72fcc66efa6b65ea25fc
Opcode Fuzzy Hash: 717c5f8c1a5744d2c80d2bb55a6fa66d9f0f3aa2be8a4dfb84bc55d532465df4
Instruction Fuzzy Hash: AF01A270904280CFDB10CF15E885B69FBD4EF44320F08C4AADD488F256D2BAA408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 050915CE, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 05091609

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 35e6057b645af21bdf9933e2d9b6056f5ed276b56e7395cc167cc7ec510c6192
Instruction ID: 2410ebc28f91c42eabf39e18e3ea490e6e37bc3aacd4d3468c272bb710e89ea3
Opcode Fuzzy Hash: 35e6057b645af21bdf9933e2d9b6056f5ed276b56e7395cc167cc7ec510c6192
Instruction Fuzzy Hash: BD018F35A04280DFDB20CF05E844B69FBA0EF08721F08C4AADD854B615C275A418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 05091714, Relevance: 1.6, APIs: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 0509180A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: bd1a179a8051d363965d586e7ccee972b41d18e4476cee90baea6534542a491b
Instruction ID: ab0f779860cacbea08afab273c1d0baecbee0f3610fb38495157820ebc10a10b
Opcode Fuzzy Hash: bd1a179a8051d363965d586e7ccee972b41d18e4476cee90baea6534542a491b
Instruction Fuzzy Hash: 5A41226550E3C06FD3138B359C61A62BFB4EF47624B0E85CBD884CF5A3D128690AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AF50, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00F3AFEA

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f63339970dba027d30d5c918c035104579fb4e9ff0c70119e8bf790b46639582
Instruction ID: 7c062b5cdb926972fe99966a3108ae9f29690f6710cc19e71b9b057c4424ab7f
Opcode Fuzzy Hash: f63339970dba027d30d5c918c035104579fb4e9ff0c70119e8bf790b46639582
Instruction Fuzzy Hash: 5641E2755093809FD7128F25DC55B62BFB4EF47620F0980DBEC84CF693D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0509301D, Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 050930C3

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9b95576b1610cec3270d3c2d2932ef9085425b0558a8807a8e398146245c9ed8
Instruction ID: 333f689f1132b41dd0141b0c27f508758737b62fb84b700d969b24010519de1c
Opcode Fuzzy Hash: 9b95576b1610cec3270d3c2d2932ef9085425b0558a8807a8e398146245c9ed8
Instruction Fuzzy Hash: 38312371504340AFEB258B15EC45FB6FBE8EF45720F1880AEED448B291D3756949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05093C76, Relevance: 1.6, APIs: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05093D2F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 1e4c071f72fc52a116e7114480c7c371b200de70c668da8cc381b23b4def7c88
Instruction ID: fecd339811b8ab94d9e1b4e27cfddf22e05d704b8394ee49b7c22e1daae3f7cb
Opcode Fuzzy Hash: 1e4c071f72fc52a116e7114480c7c371b200de70c668da8cc381b23b4def7c88
Instruction Fuzzy Hash: 56314A6100E7C06FD7138B259C65B66BFB49F47214F0D85DBD984DF1A3C2685809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05090390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0509045E

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d41076433b850cab22dd33bfc4478c7c83f61c0487cacef77c59cc37fe65242e
Instruction ID: 490b061f96c6fd8aae22b3d4271abc2cb50e3d8d6ca2cdd3df96a607ebef4c2a
Opcode Fuzzy Hash: d41076433b850cab22dd33bfc4478c7c83f61c0487cacef77c59cc37fe65242e
Instruction Fuzzy Hash: DD31C6B10043406FEB228F11DC45FA6FFB8EF05714F04859EE9858B192D265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050907F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05090899

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: df246eab10d8e150675939705ec230a0b507ace0196ba6e1d9dd1f04a3772bbe
Instruction ID: f84d9dac4f79fa0f51d6822f869164c7928166d0d6eef7e1e6b3c0eb00207e3d
Opcode Fuzzy Hash: df246eab10d8e150675939705ec230a0b507ace0196ba6e1d9dd1f04a3772bbe
Instruction Fuzzy Hash: EE316F71504380AFE722CF65DC44FA6BFE8EF45210F1884AEE9858B252D375E409DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00F3AAB1

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 05e0d9dd2d93b27d96a9f6a6276b15c17dbd390d5a505a4da0797a1128f422f5
Instruction ID: b64a6397b79767981a9a4df198ca7d1b3f7b2c083198301a1e4616681c5a322c
Opcode Fuzzy Hash: 05e0d9dd2d93b27d96a9f6a6276b15c17dbd390d5a505a4da0797a1128f422f5
Instruction Fuzzy Hash: 6C31D672504384AFE7228F25CC45F67BFECEF05720F0884AEED808B152D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05092414, Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 050924B1

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 171ee63c5e64c7d6e0884319d97ae9193065ca64dbabacf3764922c6179aafca
Instruction ID: c0593dd243f14ee213f1e8afb1a43132a580284609fb415a42099f316785b9b6
Opcode Fuzzy Hash: 171ee63c5e64c7d6e0884319d97ae9193065ca64dbabacf3764922c6179aafca
Instruction Fuzzy Hash: 4A31D7B25093806FDB12CF25DC45FA6BFB8EF46314F0884AAED85DB153D2259909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050900F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0509019D

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 499ab7a19c052c454d0e9dff3f7404b7bf1fe76575469e5c81921368630b6e16
Instruction ID: 883dc5cad1bd414a7f3cc3d56e22cba19cc13d76ffda8df0126537dfdf0b50b6
Opcode Fuzzy Hash: 499ab7a19c052c454d0e9dff3f7404b7bf1fe76575469e5c81921368630b6e16
Instruction Fuzzy Hash: E2319371509780AFE712CB25DC85F56FFF8EF06210F18849AE984CB292D375A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 00F3ABB4

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e58f534ba64dac07369b6f22ec1f34c185070d03e575da653a64929cc25eac5e
Instruction ID: f0601ef65eecc58225c44ddbba4c06200e782646376545ac5ac2b75bc6726261
Opcode Fuzzy Hash: e58f534ba64dac07369b6f22ec1f34c185070d03e575da653a64929cc25eac5e
Instruction Fuzzy Hash: FC3195715093845FD722CB26DC44F62FFE8EF46720F08849EE985CB152D264E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05092877, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509291D

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 2f041589431f881a2fbee74011da4de4f79a9e00377ef53a4aa752726d8cf794
Instruction ID: dc7a48692acc323b317066c96c1315cf41c908866383bcbbaa6b34ca4972beb8
Opcode Fuzzy Hash: 2f041589431f881a2fbee74011da4de4f79a9e00377ef53a4aa752726d8cf794
Instruction Fuzzy Hash: 5131A071509780AFEB12CF25DC54FA6BFF8EF06310F0884DAE9849B153D225A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 05091FA8, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0509205A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: db3c5e4629659f9ad9299d5ee6b84669b7a2d55094fd8f49f1462fc1b9a1565c
Instruction ID: 5b2f5dc1089f7369ef7d74886442d334b9b834b3bd26041a20806137be10e98c
Opcode Fuzzy Hash: db3c5e4629659f9ad9299d5ee6b84669b7a2d55094fd8f49f1462fc1b9a1565c
Instruction Fuzzy Hash: 7C31C1B2404780AFE722CB25DC44F56FFF8EF06320F08859AE9848B152D365A548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050901F4, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05090264

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a5e175a3c4644591f1271c5780fbf2dc0782a2d632c67a8e8ed3fc527ad60eca
Instruction ID: 3266d7db681d267ff2b9df2a7ec694a77e799cfd69493e2033ac6abab2635cca
Opcode Fuzzy Hash: a5e175a3c4644591f1271c5780fbf2dc0782a2d632c67a8e8ed3fc527ad60eca
Instruction Fuzzy Hash: 3C31C3B29093849FD755CF15EC49BA6BFA8EF42324F0880AFDD448B652D335A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050904AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509055C

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ed8ac893b0f2e408675cfba4350f7878d5589fba77d6d3aa7d7442421ed9bbdd
Instruction ID: c080eedefe265d816668849071eae95aaaa0fe372431b7c580edf66b6f5785b4
Opcode Fuzzy Hash: ed8ac893b0f2e408675cfba4350f7878d5589fba77d6d3aa7d7442421ed9bbdd
Instruction Fuzzy Hash: 60318471509780AFD722CB25DC54F57BFF8EF06610F0885DAE9859B152D264A808D771

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A120, Relevance: 1.6, APIs: 1, Instructions: 82networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00F3A1C2

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 839717a67b60cc8ff907ece90e5fe88e16ff6a763a41ffe7031bbf1bf57d8cde
Instruction ID: 5d56596b7e115746c4d3a31134ced04111f416da37e6b46df16852e627376f6f
Opcode Fuzzy Hash: 839717a67b60cc8ff907ece90e5fe88e16ff6a763a41ffe7031bbf1bf57d8cde
Instruction Fuzzy Hash: 3A21BF7140D3C05FD7128B358C55B62BFB4EF87620F1981DBD8C48F193D229A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05092A81, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05092B16

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: ee1ff4a657a7eb49152242abe4a4da4946de4af522c5a97b12f774e795814ec7
Instruction ID: f0af21396c875541f65e2e542bbd5a64930055a19055fce9117bd444cfb46724
Opcode Fuzzy Hash: ee1ff4a657a7eb49152242abe4a4da4946de4af522c5a97b12f774e795814ec7
Instruction Fuzzy Hash: 8621B0B2404344AFEB228F56DC44FA7BFECEF49310F0488AAF9859B152D234A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050908F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090985

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 76f24597147921ab52db09c2e8917300d490b84ed0ab0001c12f848889d8b899
Instruction ID: 262800b5032d0256f7245ea7e1611de5f95e114174cd6528445ec055bce01764
Opcode Fuzzy Hash: 76f24597147921ab52db09c2e8917300d490b84ed0ab0001c12f848889d8b899
Instruction Fuzzy Hash: 94210AB54097806FE7138B25DC51FA6BFACEF47720F1884DAED848B293D2645909C771

Uniqueness

Uniqueness Score: -1.00%

Function 050902AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05090353

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7217f05958fb0b7e04bdd245cab48a9645647d64eb9c207a561595905bb3b777
Instruction ID: 3e5cfd5801777be6920dd27aee823a6599924f379dc394ad3dcbf360ce31ad02
Opcode Fuzzy Hash: 7217f05958fb0b7e04bdd245cab48a9645647d64eb9c207a561595905bb3b777
Instruction Fuzzy Hash: 7C2197754097806FEB228B11DC45FA6FFF8EF06710F1884DAE9848B192D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05091EC6, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05091F51

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f030080871d66efe20cc858ce6323da4aa74af12463cb785aa9af820fcfa773a
Instruction ID: ef32d04066754102fac5fdd23494cd6d68a596d455d12a271d1d77606625f97f
Opcode Fuzzy Hash: f030080871d66efe20cc858ce6323da4aa74af12463cb785aa9af820fcfa773a
Instruction Fuzzy Hash: 8E219171509384AFE721CF25DC45F66FFE8EF45214F1884AEE9858B252D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05091836, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 050918C2

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 852412df0f48dd89260f0182952a6c647c7b9dd6470d5f18ef0bd6d33db7e7d8
Instruction ID: e2b10a6879876518751094d81055662cbd9774859aaa5e9a43277c240730a2e3
Opcode Fuzzy Hash: 852412df0f48dd89260f0182952a6c647c7b9dd6470d5f18ef0bd6d33db7e7d8
Instruction Fuzzy Hash: AA217E71509780AFE7228F65DC49F66FFF8EF09210F18849EE9858B252D275A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05092B7A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05092C0A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 0078a80140fbaaa697d3c2f3f057634cd3c74479a3a703392caa6f6f4545ae63
Instruction ID: 31b0c2865bd9de959f20ff21dcea7de3b85bed8c078790f8f34e710333fe8ca9
Opcode Fuzzy Hash: 0078a80140fbaaa697d3c2f3f057634cd3c74479a3a703392caa6f6f4545ae63
Instruction Fuzzy Hash: C6216272404744AFDB228F55DC44FA7FFF8EF49310F0485AAE9859B152D235A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0509081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05090899

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d97a02dc64af5c7881f89932865e2440659e123a03a26240cc502c57dc6b302
Instruction ID: 41cec6a1d5508b71c0e1a00e4a0fe95e03234cb772514b6407836c5f7e724119
Opcode Fuzzy Hash: 7d97a02dc64af5c7881f89932865e2440659e123a03a26240cc502c57dc6b302
Instruction Fuzzy Hash: 6B216B71604240AFEB25DF65ED49FAAFBE8FF08210F18846EE9858B255D371E404DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05090E58, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05090EEF

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: eead08f2fee7eefeccfd37dd1d795f532f2577c8c8926f1796885d1140267761
Instruction ID: dd76ddaf32fdc96eed749b00d80f8dd318fdaf34ea8c91da20cfd4db8b0bf3ec
Opcode Fuzzy Hash: eead08f2fee7eefeccfd37dd1d795f532f2577c8c8926f1796885d1140267761
Instruction Fuzzy Hash: E521F571204380AFE7218B25DC55FB6BFA8EF46710F18809EF9848B192D275A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050932A8, Relevance: 1.6, APIs: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05093342

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 0f19dae5a57138a9a119913ce017cd4ed812b8d048f12b5acd32e43168d138a1
Instruction ID: 431479ca8cb97559d3b667fa55c25c19ad9402dae5a056dc3a95a5a2387da4be
Opcode Fuzzy Hash: 0f19dae5a57138a9a119913ce017cd4ed812b8d048f12b5acd32e43168d138a1
Instruction Fuzzy Hash: FA21B2714093806FD712CB25CC55B66BFB8EF87610F0980DBDC848B263D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05090D79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090E10

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 45951619e7bb57b580d5a9f3646de423e216e1bbb82e89e984799c4de5ce1ed5
Instruction ID: 6e154ca2063c1af8dccc47c6aa930421c268c4d462950a014638b0f65922486e
Opcode Fuzzy Hash: 45951619e7bb57b580d5a9f3646de423e216e1bbb82e89e984799c4de5ce1ed5
Instruction Fuzzy Hash: B52190B6504740AFEB228F15DC84F67BFE8EF45710F08849EE9859B252D264E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050903CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0509045E

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 252275760556879699664afa2c35ea3b9e97c5693b53f16a4c1d0a3941e84ddb
Instruction ID: c77286ae9c7e1528620d27bc8798ab2b4922d270af00335eae1a910adb452b6e
Opcode Fuzzy Hash: 252275760556879699664afa2c35ea3b9e97c5693b53f16a4c1d0a3941e84ddb
Instruction Fuzzy Hash: 8D21B3B2100204AFEB318F15DC45FBAFBACEF04710F04855AFE458A181D6B1A549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050909C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090A51

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f0e7a40dc6c7016c8d4acfcabfd2843058bb50bc26199e75e4005416f49e1df6
Instruction ID: 20ba1a72faadbd30cbf0cd53c5b74811d3e02f210e4d022da9937038e773d12b
Opcode Fuzzy Hash: f0e7a40dc6c7016c8d4acfcabfd2843058bb50bc26199e75e4005416f49e1df6
Instruction Fuzzy Hash: 9D217172509380AFDB228F65DC44F66BFB8EF46714F0984AFE9849B153C275A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00F3AAB1

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2aec677b0644094a9c4e64304f39c377df075b1a15af51fd3d3cb20a63c9f7b9
Instruction ID: fbb4bbb4d6f375f53b711fda6b34a1846d29602fdccf57fe7a9785991550909b
Opcode Fuzzy Hash: 2aec677b0644094a9c4e64304f39c377df075b1a15af51fd3d3cb20a63c9f7b9
Instruction Fuzzy Hash: 89219272500604AFEB219F26DD44F6BFBECEF08720F14845AE985DB241D674E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0509012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0509019D

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e6efb5130753a73c9070a28dda811c62bee3ce1464d8306759360a990cb6a98c
Instruction ID: e3da98b7de32d8a01b608f99a0e66cd532e5f63fc036833eb269faf64eba9b33
Opcode Fuzzy Hash: e6efb5130753a73c9070a28dda811c62bee3ce1464d8306759360a990cb6a98c
Instruction Fuzzy Hash: DC219F71504240AFEB24DF25ED89F6AFBE8EF04710F18846AED458B245D375E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05090723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0509079F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f18569b4d9e1d55284d71e504bebd270a8d6f2f72b74cb43abdd9dac2673d370
Instruction ID: cabb2256249c05ec05a70dde5ebcb597538c2a4966b6cf2819373704b311d8e2
Opcode Fuzzy Hash: f18569b4d9e1d55284d71e504bebd270a8d6f2f72b74cb43abdd9dac2673d370
Instruction Fuzzy Hash: 1C21B3769093809FDB55CB25DC98B56BFE8EF06214F0984EAEC45CF152D234D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 00F3ABB4

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d67dd3ef9c88afa044b2e8990b5129ccca4d8913b3971dc60c0f557e21d9f46f
Instruction ID: 5431a27d559fc42d47cbfe15914b7fba52051c62b234a37ce262baefd53a3dbc
Opcode Fuzzy Hash: d67dd3ef9c88afa044b2e8990b5129ccca4d8913b3971dc60c0f557e21d9f46f
Instruction Fuzzy Hash: 3C216376504604AFE720CF16DC84F66FBECEF44721F14846AED85DB251D760E844DA72

Uniqueness

Uniqueness Score: -1.00%

Function 05091424, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05091490

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c6c7670946f73f8be929d98a28338c8c812d42210f9015df2ba5265f309e7974
Instruction ID: a13634112266202aaa15d88221434ea424f15041cccecf88f5e0033c57f2a8f9
Opcode Fuzzy Hash: c6c7670946f73f8be929d98a28338c8c812d42210f9015df2ba5265f309e7974
Instruction Fuzzy Hash: B221A4715093C05FDB028B25DC54A92BFB4AF07224F0984EADC858F653D2659508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05091EE6, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05091F51

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 1562e83756ace8305af148a6a918396a9425bed02da2f11d6030a855b24c142e
Instruction ID: e27c10ceb80a5b72052fae3f56c14d4c66a1e94cec2d5a51b107ebbfb7e30301
Opcode Fuzzy Hash: 1562e83756ace8305af148a6a918396a9425bed02da2f11d6030a855b24c142e
Instruction Fuzzy Hash: 9421C071604244AFEB21DF25EC86F6AFBE8EF04324F18846EED858B241D375A408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05091856, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 050918C2

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 5580bb523eb1f5e5da73fd875f0bbca742097ad5ed8ff5667e57a20dfc5a487c
Instruction ID: f264e6f7b221be78075c14bd2a931fdb4703f3a956d6269da8a9b6262ea40bdf
Opcode Fuzzy Hash: 5580bb523eb1f5e5da73fd875f0bbca742097ad5ed8ff5667e57a20dfc5a487c
Instruction Fuzzy Hash: E421F071504240AFEB21DF65ED48FAAFBE8EF08320F14846EED858B251C371A408DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05092AA6, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05092B16

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 9fe04daf2e329dcbdda075a622d7ead779f75c6154c6fd89b1625186e81d183a
Instruction ID: e0e05f3533bfb531e306140728da0fafdba52f5bc9f1a6831ea4b47f53dab3bd
Opcode Fuzzy Hash: 9fe04daf2e329dcbdda075a622d7ead779f75c6154c6fd89b1625186e81d183a
Instruction Fuzzy Hash: 81117272504604AFEB21CF55EC44FAAFBE8EF08711F04886AE9459B151D275A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050914D9, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,5FC4EDDB,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 0509154A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 199443c2b210d7cb10a74b44324aa17026bb93ef64a35c6a04bf62386cf1edee
Instruction ID: cf58bcd8b24a186173f323c6744c35a01188883c3a4ea6ec1409beb26454843d
Opcode Fuzzy Hash: 199443c2b210d7cb10a74b44324aa17026bb93ef64a35c6a04bf62386cf1edee
Instruction Fuzzy Hash: 462181715093809FDB52CF25DC85B96BFF8EF06210F0984EAE985CF163D235A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05091FE6, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0509205A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 238f22ef26f3872e75e7cb2877dd64efb5f7270f4ac2c2d5c9ceb80243758ddf
Instruction ID: eee6601ea7ffc8e1b46071421dd92309f36ca4cd78d9ea8448d7f2bcfea711a8
Opcode Fuzzy Hash: 238f22ef26f3872e75e7cb2877dd64efb5f7270f4ac2c2d5c9ceb80243758ddf
Instruction Fuzzy Hash: 0421C371500244AFEB21DF66DD44FAAFBE8EF08320F14845EE9858B252D371A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05090D9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090E10

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f147eeb8c3ce4f536934d9087c0307400b6af41c0b6c7515117eedbb9c4e06ac
Instruction ID: 858cedb0c9ce9c3bbf31351126c8d8a60e4212d274571fa0c9171e07b391f721
Opcode Fuzzy Hash: f147eeb8c3ce4f536934d9087c0307400b6af41c0b6c7515117eedbb9c4e06ac
Instruction Fuzzy Hash: 3D118E76504604AFEB218F16EC85F6BFBECEF04710F08846AED459B255D670E404DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 050904EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509055C

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 16841a8226b5548bb62d58b33b9013ece08534b0495f5c0ff7ef3a258445ed47
Instruction ID: 756ceeb590f4b6f8c836e071e6e3dad353a65f67bc82027a4fa920a47db63e21
Opcode Fuzzy Hash: 16841a8226b5548bb62d58b33b9013ece08534b0495f5c0ff7ef3a258445ed47
Instruction Fuzzy Hash: 30117F72500600EFEB20CF16EC84F6BFBE8EF08720F04846AE9469B255D260E444DA71

Uniqueness

Uniqueness Score: -1.00%

Function 05091150, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050911BA

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 76a7dc5994902176c03bb3b7de2519e052b183dfbdc80abeef2d65dd2d99c613
Instruction ID: d3d7515e722b45bbb317fa89a59054603ae90ee70c391585287710265ed6941e
Opcode Fuzzy Hash: 76a7dc5994902176c03bb3b7de2519e052b183dfbdc80abeef2d65dd2d99c613
Instruction Fuzzy Hash: 641172716093819FDB65CF25DC85B67BFE8EF06210F0C84AAED45CB252D274E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05092452, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 050924B1

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c780878c5e4ceed0d80c3f30e8b6daad5ee13b8f28f5e4a8bf0ef66fdc235b5b
Instruction ID: a59141a805c5576101aa4e59a04575f7bc410a1d1a37398e0832fc19ab10b4a7
Opcode Fuzzy Hash: c780878c5e4ceed0d80c3f30e8b6daad5ee13b8f28f5e4a8bf0ef66fdc235b5b
Instruction Fuzzy Hash: 3911B276500200AFEB21CF69ED85FAAFBE8EF44720F14846EED49DB251D274A404DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05090CB4, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05090D1E

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 76a7dc5994902176c03bb3b7de2519e052b183dfbdc80abeef2d65dd2d99c613
Instruction ID: fa175e60aacd2e536e15c02992dfd1201bf4cb81cb7670b78d7783910f327809
Opcode Fuzzy Hash: 76a7dc5994902176c03bb3b7de2519e052b183dfbdc80abeef2d65dd2d99c613
Instruction Fuzzy Hash: A411A2755093809FDB61CF25DC89B67FFE8EF45210F0984AAEC49CB252D234E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050928B6, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 0509291D

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 22c7c2b317a33e92ae78698338aabe0e61a1df969fd0fee6c54ab01d1ac054c1
Instruction ID: a156829e2107ec727e01869e5441c3d92e554258c77b884aa74ad268b0896a6f
Opcode Fuzzy Hash: 22c7c2b317a33e92ae78698338aabe0e61a1df969fd0fee6c54ab01d1ac054c1
Instruction Fuzzy Hash: 26119075504305AFEB21CF5AED84FAAFBE8EF04720F04846AED499B255D274A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05090F33, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 05090FA6

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: f4beacf86be9e55a572f3f00948472ff710123d837fd1ee7da8c8ecd842c3eb3
Instruction ID: 3606e5c579a31856dd54b97228e8dd18427d9e8b7b13f9e6965683ad3aa2192a
Opcode Fuzzy Hash: f4beacf86be9e55a572f3f00948472ff710123d837fd1ee7da8c8ecd842c3eb3
Instruction Fuzzy Hash: BE21D2751093C09FDB128B25DC94A62FFB4EF06214F0980EFED858B1A3D375A949CB22

Uniqueness

Uniqueness Score: -1.00%

Function 05090FE2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0509104C

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3fe01377967dabaf1b25bcbc9b90cc5e25b5b4090e15398df6cee1d28b637c2c
Instruction ID: bb801219f44cb78140539cc69f413363b44e33735260bda14da1846e915e9101
Opcode Fuzzy Hash: 3fe01377967dabaf1b25bcbc9b90cc5e25b5b4090e15398df6cee1d28b637c2c
Instruction Fuzzy Hash: 3A11AF7540D3C09FDB128B25EC95A52BFB4EF47214F1980EBDD848F153D27AA809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00F3B841

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6b521c1c789792d0fb9181b0ea9921f3eb2e72a244f992f18f672c53cbd7de66
Instruction ID: 78af78125c1a805e29a8df336e65b36b8262268ac0926ab64f7b4c9988a5a272
Opcode Fuzzy Hash: 6b521c1c789792d0fb9181b0ea9921f3eb2e72a244f992f18f672c53cbd7de66
Instruction Fuzzy Hash: 922190714097C09FDB128B21DC54AA2BFB4EF17324F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3A58A

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21e4a7f505d366bc1b7e13e9cdd5a128ec0077adeeaead3a4370a6ef34f63f94
Instruction ID: e9ddd4cb17728b535009c559dcd2a83e0cfc7fa12271ca7aa694896990900ad4
Opcode Fuzzy Hash: 21e4a7f505d366bc1b7e13e9cdd5a128ec0077adeeaead3a4370a6ef34f63f94
Instruction Fuzzy Hash: E0117F72409380AFDB228F55DC44A62FFF4EF4A320F08849EED858B562C275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05090E86, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05090EEF

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0feda21ee24c166ee39b5a104eac49e0f6382842069e0d9ca1793a0f7f0e4ed6
Instruction ID: be0e778fa11bd99287187d0b8cf28e9580b26e0789ffd88673c877ba305afa88
Opcode Fuzzy Hash: 0feda21ee24c166ee39b5a104eac49e0f6382842069e0d9ca1793a0f7f0e4ed6
Instruction Fuzzy Hash: E611C671600300AFEB24DB19EC45FBAFBD8DF04721F14846EFD458B685D6B4A5448A71

Uniqueness

Uniqueness Score: -1.00%

Function 050902DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05090353

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3a379aa9db0c898198a05bf96d4933dff8b084c24ed4a85b8d4f2239441b56ad
Instruction ID: 6f2ce25616ed1466f70064804fabcee4296e9ad1fa16962142cfd8c5d846e274
Opcode Fuzzy Hash: 3a379aa9db0c898198a05bf96d4933dff8b084c24ed4a85b8d4f2239441b56ad
Instruction Fuzzy Hash: 5D11BF71500700AFEB31CF15EC45F7AFBA8EF08720F14C4AAEE854A295C2B5A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050909F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090A51

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ec136559bce45c1d0831a4bf09112e2ca2e53cf9a1481cb0a6816ba99d2c2ad9
Instruction ID: b7ae7f0ecc165256082ea187af77a2df4eb52a44e14fea1f7ae62408b9055a03
Opcode Fuzzy Hash: ec136559bce45c1d0831a4bf09112e2ca2e53cf9a1481cb0a6816ba99d2c2ad9
Instruction Fuzzy Hash: A611A372500300AFEB21CF55EC45FAAFBE8EF48721F14846AED499B255C275A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00F3BBB9

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 65d96a77a6f0466e0e8ab1b1aeb700a3328ecf17b6f581421241e9497c0aa295
Instruction ID: 917532918a76110b9161e743f78a898f9097282e2240d943b62a86fcd1a53468
Opcode Fuzzy Hash: 65d96a77a6f0466e0e8ab1b1aeb700a3328ecf17b6f581421241e9497c0aa295
Instruction Fuzzy Hash: D41103314093C09FD7128F21DC45B52FFB4EF06220F0884EEED858B663C365A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05093CD6, Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05093D2F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 5f94868cdf09dfd88627d659e7fc291a1262773d782aa25a067b46e9909db260
Instruction ID: 2eebd73aea7b620eaf94cc6a08a4646f578e623115d6258069efb3d33aac080f
Opcode Fuzzy Hash: 5f94868cdf09dfd88627d659e7fc291a1262773d782aa25a067b46e9909db260
Instruction Fuzzy Hash: B611C271501604AFEB21CF5AEC85FAAFBE8EF44721F18886AED499B245C274A404CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00F3BE70

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 19b29b25b787d1bb0cfffe00ed0ac05c74c8c0886b6926b3ffef2ca3cec1728d
Instruction ID: 5a6040180f58340449d8446385eaf6139dd534e9ea4f48843e8a1473355d65fa
Opcode Fuzzy Hash: 19b29b25b787d1bb0cfffe00ed0ac05c74c8c0886b6926b3ffef2ca3cec1728d
Instruction Fuzzy Hash: A1117C758093C0AFD7128B259C54B62BFB4DF47624F0984DEED848F263D2696848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00F3B78A

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c419592e72b1516c8025f71c9f0c5b187ff07ef5301a4782c251bfe8e022585e
Instruction ID: 615c34ffce5ef9fa087d642651bb357418efabb8abb9ed4adbd64b78d818be2f
Opcode Fuzzy Hash: c419592e72b1516c8025f71c9f0c5b187ff07ef5301a4782c251bfe8e022585e
Instruction Fuzzy Hash: FA1160714083809FDB228F55DC84A52FFF4EF49320F0985AEED858B562C375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0509305A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 050930C3

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba13d9ad8a48c54732ef7e9a158650cb68d8a62ad620686a21f73dcadc741b34
Instruction ID: 043a1f4dbba2a2d0a4810e153be37207706add1253cecae94b30296b35cd000a
Opcode Fuzzy Hash: ba13d9ad8a48c54732ef7e9a158650cb68d8a62ad620686a21f73dcadc741b34
Instruction Fuzzy Hash: 1111E571500300AFEF30DB15EC45FBAFBA8DF44721F14846AED445B285D2B5A5488EB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00F3BF0C

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 60c894f93c2045e33e50b226162d010a760097a2e12571a8189a8bc3b888cb2e
Instruction ID: 35c7d91b85f970de6d64d42300e3bbbeef2d75b7b67f6e7959da7a20a74c2a59
Opcode Fuzzy Hash: 60c894f93c2045e33e50b226162d010a760097a2e12571a8189a8bc3b888cb2e
Instruction Fuzzy Hash: A11191719053809FD711CF65DC85B56BFE8EF46220F0984AAED45CF252D374E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05091172, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050911BA

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 922c7ff727ee8fc5782dfec5165338e35ccaf5b7121bbc535721a98ad216b494
Instruction ID: 1a782e5f24e797f1fecca526944a1ba38b9988591be8fa6f8deba9db11b05f72
Opcode Fuzzy Hash: 922c7ff727ee8fc5782dfec5165338e35ccaf5b7121bbc535721a98ad216b494
Instruction Fuzzy Hash: 4D115E75A042419FEB64CF29E885B6AFBE8EF04620F0C84AADD49CB645D674E404DA71

Uniqueness

Uniqueness Score: -1.00%

Function 05090CD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05090D1E

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 922c7ff727ee8fc5782dfec5165338e35ccaf5b7121bbc535721a98ad216b494
Instruction ID: 020908a1c4033b6908232868ea1e38f0feb617e05bcea138660160006626ed5d
Opcode Fuzzy Hash: 922c7ff727ee8fc5782dfec5165338e35ccaf5b7121bbc535721a98ad216b494
Instruction Fuzzy Hash: 6411A1B56056008FDF64CF29EC89B6AFBE8EF44620F0884AADC49CB246D275E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05090932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,5FC4EDDB,00000000,00000000,00000000,00000000), ref: 05090985

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 995ceb090778a75a0ff6ca3f616de3de0b0231be5a72cc32dbe8942beb0b8d18
Instruction ID: c8572fc0b69d0a6ff5dde099eaeda2273db5254ad24dd9b44a9ff6a9ec9d3a9b
Opcode Fuzzy Hash: 995ceb090778a75a0ff6ca3f616de3de0b0231be5a72cc32dbe8942beb0b8d18
Instruction Fuzzy Hash: 6401F571500300AFFB20CB1AEC89FBAFBD8EF04721F14C4AAED449B245C274A444CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0509075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0509079F

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 18c36982fa0a03169021d0c303d9cca0bee95a9cd6ae8c968333324e1108ade1
Instruction ID: 46dca1a3551fdc6f5b466444fbc3a6492d3c9c1e4b47e34052fd4b2f938b5f5b
Opcode Fuzzy Hash: 18c36982fa0a03169021d0c303d9cca0bee95a9cd6ae8c968333324e1108ade1
Instruction Fuzzy Hash: 72116D79A042448FDB64CF29E98DB6AFBD8EF04620F08C4AADD49CB646D274E404DF71

Uniqueness

Uniqueness Score: -1.00%

Function 05093378, Relevance: 1.6, APIs: 1, Instructions: 52timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 050933D2

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 696cc8cc8659106fb4c6ce78da66aaa94f921b995f956e8aa7b2b0ae18a4c6d6
Instruction ID: 62d7264c7b38c2b6edeb6bc41dc96232151a018e6dfe7dc5a94e03d82b6f0618
Opcode Fuzzy Hash: 696cc8cc8659106fb4c6ce78da66aaa94f921b995f956e8aa7b2b0ae18a4c6d6
Instruction Fuzzy Hash: D311A3715093809FDB268F15DC84A66FFF4EF06220F0984AEED858B262D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00F3A7BC

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 89f5120604ae7b02a1396f13d8d8c43c7166ed930d99665fe04b85aa784c9e85
Instruction ID: 9705e2e139206120bcd6bfd3cccbd03dc0ecd4406690e16f984b19b6c9d3650a
Opcode Fuzzy Hash: 89f5120604ae7b02a1396f13d8d8c43c7166ed930d99665fe04b85aa784c9e85
Instruction Fuzzy Hash: 1611A3714493849FD711CF15DC85B52BFB4EF46324F0884EAED448F253D279A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0509150A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,5FC4EDDB,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 0509154A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: cbdaab2dd6258e0756653a1805598a7c594684f1706da4cc2b5fc49947f4d3ab
Instruction ID: 421d589fce1c8be485f1a5872e66b4aa4469b321870e7398a79f38ec26c6dc35
Opcode Fuzzy Hash: cbdaab2dd6258e0756653a1805598a7c594684f1706da4cc2b5fc49947f4d3ab
Instruction Fuzzy Hash: AC11AD71600241CFDB64CF29E884BAAFBE8EF04220F0884AADD4ACB255D274E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00F3A926

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fcea69b773b2023295ab0298c6474bd3875f8888b5ad71b1cf37180501fcdac4
Instruction ID: 24b224c78625f22c3f57ce46806b75752329a6c1bb54315aed6388cb667eb4d9
Opcode Fuzzy Hash: fcea69b773b2023295ab0298c6474bd3875f8888b5ad71b1cf37180501fcdac4
Instruction Fuzzy Hash: 58118E714097849FD7228F16DC85B52FFB4EF06320F09C4EAED854B262C375A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 050932F2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05093342

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 79ed54e68d593aeed8c2acd2639c65654f05e8ab464004bc847dc13b6fc6708f
Instruction ID: 4944c259c899d62428e9ab8bfee820cbfce83d10ed52566deb6594ea595bc0e9
Opcode Fuzzy Hash: 79ed54e68d593aeed8c2acd2639c65654f05e8ab464004bc847dc13b6fc6708f
Instruction Fuzzy Hash: 01017171500200ABD750DF26DC86F36FBA8EF88B20F14816AED089B641D235F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00F3BF0C

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6b61bbcd8f4f49015efc6caa2bb1ed531d6721112c3b466b1320ecb48d0d78cb
Instruction ID: cd72a2736f400f69a396d5e8fcc230354f6ccb7040ae7a83ef180f29d9c6b599
Opcode Fuzzy Hash: 6b61bbcd8f4f49015efc6caa2bb1ed531d6721112c3b466b1320ecb48d0d78cb
Instruction Fuzzy Hash: A9019E71A002408FDB20CF6AEC857A6FB98DF00330F0880AADE49CB246D774E808DE61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00F3A1C2

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ca80c4d6aa4e3b0f569d7deec6bd6f87e8e01a1d320d36b3da72d4c38d540d1f
Instruction ID: de0bd63f749bd934ea6caf0b6283d697308a0bb74336d275f24b7c3b755ca688
Opcode Fuzzy Hash: ca80c4d6aa4e3b0f569d7deec6bd6f87e8e01a1d320d36b3da72d4c38d540d1f
Instruction Fuzzy Hash: B2017171500200ABD710DF26DC86F36FBA8EF88A20F14816AED089B641D235F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05090F66, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 05090FA6

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 57ea23392918351be79f50dddca11da2eba918341db83ee9ec77128c49c436a7
Instruction ID: 94c5061e1d0350ca6e26ca612ecac387fc67ffb48b15d00b7b6d9ddcc7d4d773
Opcode Fuzzy Hash: 57ea23392918351be79f50dddca11da2eba918341db83ee9ec77128c49c436a7
Instruction Fuzzy Hash: 1F01DE316002408FDB24CF15E899B6AFBE4EF04320F08C0AADD4A8B655D370E648DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3A58A

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 716f0ea7a630b45a3c06fc2188f56c7b950c6a77ab99c7d27b9699e75807b9e0
Instruction ID: cb7a3d7544eb6ada32abe121ae8c269040388bd6e8d269798f064d5674b762a7
Opcode Fuzzy Hash: 716f0ea7a630b45a3c06fc2188f56c7b950c6a77ab99c7d27b9699e75807b9e0
Instruction Fuzzy Hash: BD016D32900740DFDB618F56E844B66FFE4EF08721F08C8AADD898B611D275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00F3B78A

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 1468aa26113196d5d9f4db558cd1b57454785f00cb1e0f5694b872605186a3f4
Instruction ID: b614a145fb1365255207c562bcfe3dc495bf9254316ba61fc4671a052ca66d39
Opcode Fuzzy Hash: 1468aa26113196d5d9f4db558cd1b57454785f00cb1e0f5694b872605186a3f4
Instruction Fuzzy Hash: 88016D32800640DFDB218F55E884B66FFE0EF48720F0888AEDE858B612D375A418EF71

Uniqueness

Uniqueness Score: -1.00%

Function 05090232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05090264

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: dae5092f6ba4129252d9924fb31448ec05b4d1c0ea42b3b9978116d563d0695b
Instruction ID: d4f6f4e08ea1f0e7278df5386b79d50f4f43c94f4cbad773681eb3dde9e549a7
Opcode Fuzzy Hash: dae5092f6ba4129252d9924fb31448ec05b4d1c0ea42b3b9978116d563d0695b
Instruction Fuzzy Hash: 4601DF719002408FDF54CF29E888B6AFB94EF40320F08C4AADC498F646D275A408DA61

Uniqueness

Uniqueness Score: -1.00%

Function 0509145E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05091490

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8d93cf9f602d704f93560f0990413244d913365e8dbe42db754503786fea4efc
Instruction ID: faa51c0d2ded872a4fb73a69a1b3e6c6be6afe0fe6b6ef58df8ec61f65574414
Opcode Fuzzy Hash: 8d93cf9f602d704f93560f0990413244d913365e8dbe42db754503786fea4efc
Instruction Fuzzy Hash: BA018FB5A042408FDB54CF59F885BAAFBE4EF44621F08C4BADD498B646D275A408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 050917BA, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 0509180A

Memory Dump Source

Source File: 0000000D.00000002.543891847.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 43f5b63d21982110bfeb6470d132d9076fa9099b0fe047e76a636ddc9e0764fd
Instruction ID: b3e5e3812de79229f6475845b80f8c7a45364625ef14309ff623f383575bf345
Opcode Fuzzy Hash: 43f5b63d21982110bfeb6470d132d9076fa9099b0fe047e76a636ddc9e0764fd
Instruction Fuzzy Hash: C4016D75500600ABD264DF1ADC86F36FBA8FF89B20F14816AED085B741E271F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00F3AFEA

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d8c9e5fcb6dfc31d0aa9118fba0d62b8859d39918d3ddd44904e94ff005039c1
Instruction ID: 3bd4435aa8fc05de532c5f4f8737db1839d7ad9c4b95888d4ccda6388de6a507
Opcode Fuzzy Hash: d8c9e5fcb6dfc31d0aa9118fba0d62b8859d39918d3ddd44904e94ff005039c1
Instruction Fuzzy Hash: A801AD71500200ABD220DF1ADC86F36FBA8FF88B20F14816AED084B741E231F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00F3BBB9

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6db1988df2ea177c2d1a501d6e27d53c1269ab09c7c5f0cd8d3dc56d0de73011
Instruction ID: d5a6f8d526fe15fd761ed5e80a0cdce38c1d012302c3209feddbf5ce3923d6d1
Opcode Fuzzy Hash: 6db1988df2ea177c2d1a501d6e27d53c1269ab09c7c5f0cd8d3dc56d0de73011
Instruction Fuzzy Hash: 1801B136904340CFDB208F16E844B66FBA4EF44330F08C4AEDE458B665C771A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00F3A7BC

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 177f65b76ce3e09b256d84d3bfd8812440b902b9520cfc2fac9afd8de02b0f6b
Instruction ID: 554eacc5fb6da904ed0bf9997c34af5bf6df2b70d31cd8d53fa506247b26fab4
Opcode Fuzzy Hash: 177f65b76ce3e09b256d84d3bfd8812440b902b9520cfc2fac9afd8de02b0f6b
Instruction Fuzzy Hash: E201A2758042408FDB20CF16E888765FBA4EF04330F18C4AADD888F602D279A404DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00F3B841

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e074aa29ff49afa961b2b7917bf2aeb286cc6a21d9cc11c9212d9c55fb475355
Instruction ID: cf992c8d7bb8409c2f3b6eca787fc925216f4b2c5fa32e918ec3c0dd911ca09d
Opcode Fuzzy Hash: e074aa29ff49afa961b2b7917bf2aeb286cc6a21d9cc11c9212d9c55fb475355
Instruction Fuzzy Hash: 00018F35804340DFDB208F16D884B65FBA4EF04730F08C4AEDE894B622D375A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00F3A926

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bb8d21ba7e120a81554a1f6f75fb8af66125596def1ef87c05749b31125824b3
Instruction ID: 97fcfb14d866eb58a92eecf3dffc67249ea771818b73e395a89875a4974e49b7
Opcode Fuzzy Hash: bb8d21ba7e120a81554a1f6f75fb8af66125596def1ef87c05749b31125824b3
Instruction Fuzzy Hash: 1801AD31801644CFDB208F06E885B62FFA0EF05730F08C4AADD864B652C275A808EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F3A3A4

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a501a8023ca5b2fb5fb8c8e0962d6d1821623ab3f93ef0cb8abeffc47400bce8
Instruction ID: 5152926f08d4cf4795f746f10fd796d574cb85d80416e61776f7d9d930f03d82
Opcode Fuzzy Hash: a501a8023ca5b2fb5fb8c8e0962d6d1821623ab3f93ef0cb8abeffc47400bce8
Instruction Fuzzy Hash: E7F0AF75904340DFDB208F16E884B65FFA0EF04730F18C4AADD894B652D2BAA408DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00F3BE70

Memory Dump Source

Source File: 0000000D.00000002.521781652.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a501a8023ca5b2fb5fb8c8e0962d6d1821623ab3f93ef0cb8abeffc47400bce8
Instruction ID: 0ea2fbc95d890d1cd1a519663f35a3a1cf8921febcdf7b4cad9a7eeed6b184cb
Opcode Fuzzy Hash: a501a8023ca5b2fb5fb8c8e0962d6d1821623ab3f93ef0cb8abeffc47400bce8
Instruction Fuzzy Hash: 0BF0AF35904240CFDB208F09E8857A5FBA0EF04730F18C4AADE494B252D3B9A448DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 061D5450, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 061D5473

Memory Dump Source

Source File: 0000000D.00000002.550211832.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false

Similarity

API ID: AwareProcess
String ID:
API String ID: 2881334838-0
Opcode ID: 6cff1cf6ac582c6d8a43fe7357ac607b385fc38ebe7ef0a420e7f702529cf03a
Instruction ID: 8d45e58b7f1118d0abac8f3132d8ac4bbffca623489587bd9e343a829e2d7f51
Opcode Fuzzy Hash: 6cff1cf6ac582c6d8a43fe7357ac607b385fc38ebe7ef0a420e7f702529cf03a
Instruction Fuzzy Hash: 32E0CD729463094BC7C4A2E46D0571B77D55F50611F05C5A1A98CDB216F734D491C592

Uniqueness

Uniqueness Score: -1.00%

Function 061D5460, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetProcessDPIAware.USER32 ref: 061D5473

Memory Dump Source

Source File: 0000000D.00000002.550211832.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false

Similarity

API ID: AwareProcess
String ID:
API String ID: 2881334838-0
Opcode ID: f1790e6c04785bdfdc19e351699e231a80fc5b396b37754c644cf7a6f27cc4b0
Instruction ID: 47febe4111f0e69ba8c5495b9427cd967358357bc8421b1ce89f3b5959b8bd72
Opcode Fuzzy Hash: f1790e6c04785bdfdc19e351699e231a80fc5b396b37754c644cf7a6f27cc4b0
Instruction Fuzzy Hash: 4DC09B705442058F8AC4B7D85A05505F7DA5EC1505396C1E0E45CCB115EB60DC51CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F32477, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.521625514.0000000000F32000.00000040.00000001.sdmp, Offset: 00F32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5938199b00ab5ef4f1e2267cbdc4ed52eabc83061f9a36d931c3d5961fb32eb4
Instruction ID: bae043810397d60e7f13a634e5c306e9032889a9dba678c95f9f33821abf7972
Opcode Fuzzy Hash: 5938199b00ab5ef4f1e2267cbdc4ed52eabc83061f9a36d931c3d5961fb32eb4
Instruction Fuzzy Hash: 5581B4B264E3D24FCBC3CA74A8B56947F629B22735F4D40EFC4848B0D3E605460AA766

Uniqueness

Uniqueness Score: -1.00%

Function 06A13220, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907c1bf97aba2cec374088ce1e0bd7d9542d5f0a0e85aa61565af0a01907b5b1
Instruction ID: 368a4810465eb62619b45d3adc3f8ae26f1855d2a36ec3f6ae10284b74bf30b6
Opcode Fuzzy Hash: 907c1bf97aba2cec374088ce1e0bd7d9542d5f0a0e85aa61565af0a01907b5b1
Instruction Fuzzy Hash: 4E11CCB5508301AFD350CF19D880A5BFBE4FF88664F04896EF998D7311D235E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0288087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.525164690.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a8e289360514053157142c694f5a85f3ea64d7fdef9bd4ad31de680a6ae1b8
Instruction ID: df11d01a1357b8f3192c20fba017da2aebe32ce3a0577cfca25f8ab1bfb09e76
Opcode Fuzzy Hash: 49a8e289360514053157142c694f5a85f3ea64d7fdef9bd4ad31de680a6ae1b8
Instruction Fuzzy Hash: 9C11063C204344DFE715DB14D940B26BB95EF88718F28C9ADE9498B742C37BD847CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02880846, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.525164690.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166c33ded287a23b193440ea284884fe9450e6252c1d287dd96dd97213eaa8d5
Instruction ID: e845b402ddccfef49f197da57e554f77e6f191d13be6585f10f87f820db0bcad
Opcode Fuzzy Hash: 166c33ded287a23b193440ea284884fe9450e6252c1d287dd96dd97213eaa8d5
Instruction Fuzzy Hash: FA21303950D3C08FD7038B24D850755BFB1AF57614F2985DAD4858B663C33A981ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 06A130C4, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc8babb5e615772c470598c33fa0f275db140b6fd4cf4e3e3e398bf07f02609
Instruction ID: 75fe93d75946cde7cbea736f3ed81131368f23ac67c04ed9d45dc9e61f06facb
Opcode Fuzzy Hash: 1dc8babb5e615772c470598c33fa0f275db140b6fd4cf4e3e3e398bf07f02609
Instruction Fuzzy Hash: 6511A8B5508301AFD350CF19D881E5BFBE8EB88660F14892EFD9997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 06A103DC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d750620adea30672296c2de26a463eb9d1dea48c8705372e4fce1378f9c44c40
Instruction ID: 4b7251a09539bd3e1acb9b6087734d055861d805ca59dcfb53ce4ef079eec5e7
Opcode Fuzzy Hash: d750620adea30672296c2de26a463eb9d1dea48c8705372e4fce1378f9c44c40
Instruction Fuzzy Hash: ED11A8B5508301AFD350CF19DC81E5BFBE8EB88660F14892EFD9997311D275E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4ADD8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.521999998.0000000000F42000.00000040.00000001.sdmp, Offset: 00F42000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bf8512d3301bb1dad4e5cbaa7fef1297d63576d3b0e114e10fcb548b66ba56
Instruction ID: 2353c8edb534a24c1de53ea09a7dfb6f508bc8dbb403d72f526524e2b212fdf0
Opcode Fuzzy Hash: 50bf8512d3301bb1dad4e5cbaa7fef1297d63576d3b0e114e10fcb548b66ba56
Instruction Fuzzy Hash: 0911ECB5508301AFD350CF09D840E57FBE8EB88660F14C92EFD9897311D231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 028805CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.525164690.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b04352312d52e390a32a166db2ec157f284262b0fe196578d0a38713545385b
Instruction ID: 7b968e26a7fe15ccc99cd767446e16b8cada7a50c51719e4df2c57f9ce6ee63a
Opcode Fuzzy Hash: 1b04352312d52e390a32a166db2ec157f284262b0fe196578d0a38713545385b
Instruction Fuzzy Hash: 2D01A7715097905FD7128F15DC55862FFB8DE86620749C4EFEC498B612C2256804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02880938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.525164690.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: 20d1308dbea5c428fec3ab4e897d3197b7a6cbfbd13d6e389a1f8ae3ba1fd755
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: 9BF03139204644DFC306DF40D940B15FBA6FB89718F24C6ADE9491B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 028805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.525164690.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91049989b5139ed1b001330daaafa519fd95835416fb30358c6dd4942a4bb6a
Instruction ID: f0f97b592b8c3eee65e80a38cd17b66d0ed36faeb02e2f8cdb06b2ec39716bfd
Opcode Fuzzy Hash: b91049989b5139ed1b001330daaafa519fd95835416fb30358c6dd4942a4bb6a
Instruction Fuzzy Hash: 25E092B66006008BD750CF0AEC45866F7D8EF84630718C47FDC0D8B700D135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A1328B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c79966a6e4650cbeeb328235382956a990febefe0a40a14c7b4048e5e36584
Instruction ID: 51a2e44089ff25d980cc4de63803d4d00b2457faface4e0cbe49f51cf1ca68d1
Opcode Fuzzy Hash: f4c79966a6e4650cbeeb328235382956a990febefe0a40a14c7b4048e5e36584
Instruction Fuzzy Hash: A2E0D8B255020067D2608F06AC45F23FB98DB44A30F04C47BED081B702E075B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 06A1042B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2cce08add4c3cbd9ab1c0cd4fa8c40cdc723580656137d3543a355a054fb8f
Instruction ID: a853a71608e67d1c0e4f0d12e50320349e68f3a44ce5296e6ff98ed2de563ab7
Opcode Fuzzy Hash: 7c2cce08add4c3cbd9ab1c0cd4fa8c40cdc723580656137d3543a355a054fb8f
Instruction Fuzzy Hash: F1E020B254020467D2608F0AEC45F23FB5CDF40A30F04C57BED085B701E175B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 06A12B37, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4735fd4bd9ae84664ab806c946431266339e71279082d5706ac6906ae62137a9
Instruction ID: 9a96e017977019dc331925b0011f12d13322a6b169a2d24cb2cb46e46b039e1f
Opcode Fuzzy Hash: 4735fd4bd9ae84664ab806c946431266339e71279082d5706ac6906ae62137a9
Instruction Fuzzy Hash: D8E0D8B291120067D2609F06EC45F23FB98DB40A30F04C46BED081B701E076B514CEF1

Uniqueness

Uniqueness Score: -1.00%

Function 06A13113, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.552380818.0000000006A10000.00000040.00000001.sdmp, Offset: 06A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84b4dbd1bae44d6278a0af3962b310029a4e3882d7ee91aaf8c4cd8f82b2c77
Instruction ID: cf5712ec490699dee64775952ca8e7e06090aa72d49d3677083435f18c1eb4ca
Opcode Fuzzy Hash: b84b4dbd1bae44d6278a0af3962b310029a4e3882d7ee91aaf8c4cd8f82b2c77
Instruction Fuzzy Hash: F2E0D8B250020467D2609F06AC85F23FB98DB40A30F04C46BED091B702E176B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AE27, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.521999998.0000000000F42000.00000040.00000001.sdmp, Offset: 00F42000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146f03c303e5bae6fa7ad153e0983b78e5a6d3e7fd62d6745057bd3def6a3ba8
Instruction ID: cc32283636f24090e7c0baebcb5ffc1cb85d2e18a01c6253f19b1190d25b63e6
Opcode Fuzzy Hash: 146f03c303e5bae6fa7ad153e0983b78e5a6d3e7fd62d6745057bd3def6a3ba8
Instruction Fuzzy Hash: 1AE0D8B250020467D2608F06AC45F23FB58EF40A30F14C56BED081F701D175B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 00F323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.521625514.0000000000F32000.00000040.00000001.sdmp, Offset: 00F32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23626a670fc15e8cda1d21c66efeefebccd5d2fa20e6e62454ece948819fce22
Instruction ID: 75c7bb503db10d40b49491803f78bb702ac7270066370febc67675f34f9abbf1
Opcode Fuzzy Hash: 23626a670fc15e8cda1d21c66efeefebccd5d2fa20e6e62454ece948819fce22
Instruction Fuzzy Hash: FCD05E79605A814FD326CA1CD1A8B953B94AB51B24F4644FDE8008B663C368E981E600

Uniqueness

Uniqueness Score: -1.00%

Function 00F323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.521625514.0000000000F32000.00000040.00000001.sdmp, Offset: 00F32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64febeebb6a5bdf59c29238c9d45771fe4a1131047a4619ece1c4b9383d542c
Instruction ID: fd447e30c41e01fef293a74917839a7e230d94ef0bf9e422789393549160a7e6
Opcode Fuzzy Hash: a64febeebb6a5bdf59c29238c9d45771fe4a1131047a4619ece1c4b9383d542c
Instruction Fuzzy Hash: 08D05E346402814BC725DB0CC1D4F5977D4AB81B20F0644FDAC008B362C7A8DCC1D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000000.233546518.0000000000304000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.258236925.0000000003BD8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260833469.0000000004B90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263221899.00000000058F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263832226.00000000059F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.263832226.00000000059F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 00000002.00000002.260890521.0000000004BB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000A.00000002.245540498.0000000000344000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000C.00000002.246917473.00000000004D4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.296886935.0000000004040000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.552591050.0000000006A50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.508512327.0000000000624000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFXAssembly.exe. vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.542047057.0000000003FB7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000003.297630594.000000000410E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Devizni izvod za partiju 0050100073053.exe
Source: Devizni izvod za partiju 0050100073053.exe, 0000000D.00000002.545321090.00000000053C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Devizni izvod za partiju 0050100073053.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Devizni izvod za partiju 0050100073053.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre