Analysis Report DHL#DOCUMENTS001010.PDF.exe

Overview

General Information

Sample Name: DHL#DOCUMENTS001010.PDF.exe
Analysis ID: 431780
MD5: b7fece0a9529306a2644ce102fe2d86a
SHA1: 767fcf70a98dd70d9035dfe4fcca04e17cdebfde
SHA256: f9284667090735eccb6110c4c9e33122890570b6f10798ef57370740c4d9db6d
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • DHL#DOCUMENTS001010.PDF.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
    • RegAsm.exe (PID: 7020 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bhjhjkek.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Local\bhjhjkek.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
    • RegAsm.exe (PID: 5868 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bhjhjkek.exe (PID: 5456 cmdline: 'C:\Users\user\AppData\Local\bhjhjkek.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
DHL#DOCUMENTS001010.PDF.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\bhjhjkek.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> |
11.2.RegAsm.exe.68d0000.22.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 7020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 7020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, CommandLine|base64offset|contains: 8c, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe' , ParentImage: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, ProcessId: 7020

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 7020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 7020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: startedhere.ddns.net, Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: DHL#DOCUMENTS001010.PDF.exe, Virustotal: Detection: 44%
Source: DHL#DOCUMENTS001010.PDF.exe, Metadefender: Detection: 22%
Source: DHL#DOCUMENTS001010.PDF.exe, ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match, File source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY
Source: Yara match, File source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
Source: Yara match, File source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL#DOCUMENTS001010.PDF.exe, Joe Sandbox ML: detected
Source: 11.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RegAsm.exe.5dd0000.19.unpack, Avira: Label: TR/NanoCore.fadte
Source: 19.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: DHL#DOCUMENTS001010.PDF.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DHL#DOCUMENTS001010.PDF.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.919538476.00000000009A2000.00000002.00020000.sdmp, RegAsm.exe, 00000013.00000000.902750258.0000000000B52000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0169F580
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_057D5578
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_057D5690
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_057D5570
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_057D5748
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_057D5684
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_0618A318
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_0618A4B1
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 14_2_02B9F580
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 14_2_052F5560
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 14_2_052F5678
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 14_2_052F5558
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 14_2_052F566D
Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 17_2_00C914EC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 23.105.131.142:2092
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: startedhere.ddns.net
Source: Malware configuration extractor, URLs: 23.105.131.142
Source: global traffic, TCP traffic: 192.168.2.4:49765 -> 23.105.131.142:2092
Source: Joe Sandbox View, IP Address: 23.105.131.142
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.142
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766910530.0000000001368000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: RegAsm.exe, 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

              E-Banking Fraud:

              Yara detected Nanocore RAT
              Source: Yara match File source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY
              Source: Yara match File source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
              Source: Yara match File source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.2eb1188.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.2e79fc4.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Initial sample is a PE file and has a suspicious name
              Source: initial sample, Static PE information: Filename: DHL#DOCUMENTS001010.PDF.exe
              Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
              Source: DHL#DOCUMENTS001010.PDF.exe, Static PE information: invalid certificate
              Source: DHL#DOCUMENTS001010.PDF.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: bhjhjkek.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.770887180.00000000056D0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameZqwmuuf.dll" vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766910530.0000000001368000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767279106.00000000030C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dllj% vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767287047.00000000030D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766555386.0000000000D2E000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameaajfkfkf.exe4 vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.770386723.0000000005610000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameRegAsm.exeT vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.768281438.000000000416D000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameScokftdv.dll2 vs DHL#DOCUMENTS001010.PDF.exe
              Source: DHL#DOCUMENTS001010.PDF.exe, Binary or memory string: OriginalFilenameaajfkfkf.exe4 vs DHL#DOCUMENTS001010.PDF.exe
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Section loaded: sfc.dll
              Source: DHL#DOCUMENTS001010.PDF.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
              Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.923629464.000000000410E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.68d0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68d0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6b30000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6b30000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2eb1188.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.2eb1188.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.4173246.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4173246.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6aa0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6aa0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e2e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e2e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.68d0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68d0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6aa0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6aa0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2ea4f40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.2ea4f40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6af4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6b30000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6b30000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a80000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a80000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3faba4d.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3faba4d.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ae0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ae0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.416a417.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.416a417.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6ab0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ab0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a70000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a70000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a70000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a70000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e381d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e381d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4181676.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4181676.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3f9f819.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3f9f819.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.68e0000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68e0000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3e29930.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e29930.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4173246.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4173246.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.2f39658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.2f39658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.68e0000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68e0000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e29930.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e29930.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2ea4f40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a50000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a50000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6ac0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ac0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ae0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ae0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ab0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ab0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a80000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a80000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4181676.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4181676.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6af0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ac0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ac0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a90000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a90000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.54a0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.54a0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.2eb1188.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.2e79fc4.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: bhjhjkek.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: classification engineClassification label: mal100.troj.evad.winEXE@7/10@0/1
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe File created: C:\Users\user\AppData\Local\bhjhjkek.exe
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ba5f434c-3370-4fb7-bec8-4c7f593d07f3}
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\bhjhjkek.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\bhjhjkek.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: DHL#DOCUMENTS001010.PDF.exeVirustotal: Detection: 44%
              Source: DHL#DOCUMENTS001010.PDF.exeMetadefender: Detection: 22%
              Source: DHL#DOCUMENTS001010.PDF.exeReversingLabs: Detection: 31%
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe File read: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
              Source: unknownProcess created: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe'
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
              Source: unknownProcess created: C:\Users\user\AppData\Local\bhjhjkek.exe 'C:\Users\user\AppData\Local\bhjhjkek.exe'
              Source: unknownProcess created: C:\Users\user\AppData\Local\bhjhjkek.exe 'C:\Users\user\AppData\Local\bhjhjkek.exe'
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.0.dr
              Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb4 source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.919538476.00000000009A2000.00000002.00020000.sdmp, RegAsm.exe, 00000013.00000000.902750258.0000000000B52000.00000002.00020000.sdmp, RegAsm.exe.0.dr
              Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: DHL#DOCUMENTS001010.PDF.exe, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: bhjhjkek.exe.0.dr, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 14.2.bhjhjkek.exe.7c0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: DHL#DOCUMENTS001010.PDF.exe, type: SAMPLE
              Source: Yara matchFile source: 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.644449963.0000000000CA2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000000.782814633.00000000007C2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.919434619.0000000000292000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.766443926.0000000000CA2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000000.801027556.0000000000292000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY
              Source: Yara matchFile source: C:\Users\user\AppData\Local\bhjhjkek.exe, type: DROPPED
              Source: Yara matchFile source: 0.2.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.bhjhjkek.exe.7c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.bhjhjkek.exe.7c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.bhjhjkek.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.0.bhjhjkek.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_00CA2AB4 push ss; iretd 0_2_00CA2AB5
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_016959D6 push edx; ret 0_2_016959D7
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_057D44D3 push D0058366h; ret 0_2_057D44DD
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_057D1AB8 push cs; ret 0_2_057D1ABF
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_05854874 push B8FFFFCBh; ret 0_2_05854879
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A4289 push es; retf 11_2_009A4294
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A4469 push cs; retf 11_2_009A449E
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A44A3 push es; retf 11_2_009A44A4
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_007C2AB4 push ss; iretd 14_2_007C2AB5
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_02B959D6 push edx; ret 14_2_02B959D7
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_052F1AA8 push ds; ret 14_2_052F1AAF
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_05394874 push B8FFFFCBh; ret 14_2_05394879
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_00292AB4 push ss; iretd 17_2_00292AB5
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_00C959D6 push edx; ret 17_2_00C959D7
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_04D0508E push edi; ret 17_2_04D0508F
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_04D04874 push B8FFFFCBh; ret 17_2_04D04879
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B544A3 push es; retf 19_2_00B544A4
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B54469 push cs; retf 19_2_00B5449E
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B54289 push es; retf 19_2_00B54294
              Source: initial sampleStatic PE information: section name: .text entropy: 7.98213921813
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\RegAsm.exeJump to dropped file
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\bhjhjkek.exeJump to dropped file
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkekJump to behavior

              Hooking and other Techniques for Hiding and Protection:

              Uses an obfuscated file name to hide its real file extension (double extension)
              Source: Possible double extension: pdf.exeStatic PE information: DHL#DOCUMENTS001010.PDF.exe
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, bhjhjkek.exe, 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 3389Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 6294Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: foregroundWindowGot 360Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe TID: 6996Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5688Thread sleep time: -16602069666338586s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exe TID: 1004Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeLast function: Thread delayed
              Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
              Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: BB5008Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000Jump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: CD2008Jump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfkJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfkJump to behavior
              Source: RegAsm.exe, 0000000B.00000002.922298301.0000000003067000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: RegAsm.exe, 0000000B.00000002.927832507.0000000006A4B000.00000004.00000001.sdmpBinary or memory string: Program ManagerA
              Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: RegAsm.exe, 0000000B.00000002.927426356.000000000640E000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
              Source: RegAsm.exe, 0000000B.00000002.927295635.000000000617C000.00000004.00000001.sdmpBinary or memory string: Program Manager (
              Source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmpBinary or memory string: Program Managerx
              Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmpBinary or memory string: Program Manager@2
              Source: RegAsm.exe, 0000000B.00000002.928756312.000000000717E000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
              Source: RegAsm.exe, 0000000B.00000002.927366416.00000000062CC000.00000004.00000001.sdmpBinary or memory string: Program Managerram ManagerA
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeQueries volume information: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeQueries volume information: C:\Users\user\AppData\Local\bhjhjkek.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

              Stealing of Sensitive Information:

              Yara detected Nanocore RAT

              Remote Access Functionality:

              Detected Nanocore Rat
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
              Source: RegAsm.exe; String found in binary or memory: NanoCore.ClientPluginHost
              Source: bhjhjkek.exe, 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
              Source: bhjhjkek.exe, 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
              Source: RegAsm.exe, 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
              Yara detected Nanocore RAT

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 1 | Registry Run Keys / Startup Folder 1 | Process Injection 312 | Masquerading 11 | Input Capture 21 | Security Software Discovery 211 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 312 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 13 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              DHL#DOCUMENTS001010.PDF.exe | 44% | Virustotal |
              DHL#DOCUMENTS001010.PDF.exe | 31% | Metadefender |
              DHL#DOCUMENTS001010.PDF.exe | 32% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph
              DHL#DOCUMENTS001010.PDF.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\bhjhjkek.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Virustotal |
              C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
              C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\bhjhjkek.exe | 44% | Virustotal |
              C:\Users\user\AppData\Local\bhjhjkek.exe | 31% | Metadefender |
              C:\Users\user\AppData\Local\bhjhjkek.exe | 32% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph

              Unpacked PE Files

              Source | Detection | Scanner | Label
              11.0.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              19.0.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              11.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              11.2.RegAsm.exe.5dd0000.19.unpack | 100% | Avira | TR/NanoCore.fadte
              19.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              11.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
              19.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              startedhere.ddns.net | 9% | Virustotal |
              startedhere.ddns.net | 0% | Avira URL Cloud | safe
              http://ocsp.thawte.com0 | 0% | URL Reputation | safe
              23.105.131.142 | 5% | Virustotal |
              23.105.131.142 | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              startedhere.ddns.net | true | 9%, Virustotal; Avira URL Cloud: safe | unknown
              23.105.131.142 | true | 5%, Virustotal; Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://crl.thawte.com/ThawteTimestampingCA.crl0 | DHL#DOCUMENTS001010.PDF.exe | false | | high
              http://ocsp.thawte.com0 | DHL#DOCUMENTS001010.PDF.exe | false | URL Reputation: safe | unknown

                Contacted IPs

                Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                23.105.131.142 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

                General Information

                Joe Sandbox Version:32.0.0 Black Diamond
                Analysis ID:431780
                Start date:09.06.2021
                Start time:09:52:20
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 11m 31s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:DHL#DOCUMENTS001010.PDF.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@7/10@0/1
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 0.6% (good quality ratio 0.4%)
                • Quality average: 34.9%
                • Quality standard deviation: 31.4%
                HCA Information:
                • Successful, ratio: 90%
                • Number of executed functions: 276
                • Number of non-executed functions: 7
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                09:54:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkek "C:\Users\user\AppData\Local\bhjhjkek.exe"
                09:54:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkek "C:\Users\user\AppData\Local\bhjhjkek.exe"

                Joe Sandbox View / Context

                IPs

                Match | Associated Sample Name / URL | Detection
                23.105.131.142 | RFQ27559404D4E5A.PDF.exe | malicious
                23.105.131.142 | RFQ#21040590409448.pdf.exe | malicious
                23.105.131.142 | DHL#DOCUMENTS02010910.PDF.exe | malicious
                23.105.131.142 | QOUTATION#2300003590.PDF.exe | malicious
                23.105.131.142 | ORDER#INQUIRY000111.PDF.exe | malicious
                23.105.131.142 | RFQ#QQO2103060.PDF.exe | malicious
                23.105.131.142 | RFQ#QQO2103060.PDF.exe | malicious
                23.105.131.142 | AWBSHIPMENT20210000900.PDF.exe | malicious
                23.105.131.142 | Order#PPO040963RG02.PDF.exe | malicious
                23.105.131.142 | iOI0kJwm97.exe | malicious

                                    Domains

                                    No context

                                    ASN

                                    Match | Associated Sample Name / URL | Detection | Context
                                    LEASEWEB-USA-NYC-11US | 2lt24JqVH4.exe | malicious | 23.105.131.207
                                    LEASEWEB-USA-NYC-11US | RFQ27559404D4E5A.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | XVIdVNjoHl.exe | malicious | 23.105.131.173
                                    LEASEWEB-USA-NYC-11US | cKWxEAbeX7.exe | malicious | 23.105.131.251
                                    LEASEWEB-USA-NYC-11US | apWkH5Vq75.exe | malicious | 23.105.131.141
                                    LEASEWEB-USA-NYC-11US | RFQ#21040590409448.pdf.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | Urgent Contract Order GH7856648,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | DHL#DOCUMENTS02010910.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | QOUTATION#2300003590.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | Purchase Order.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | Scanned Documents.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | ORDER#INQUIRY000111.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | URGENT ORDER 2T6U545267,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | 9849858 PO.exe | malicious | 23.105.131.166
                                    LEASEWEB-USA-NYC-11US | Yeni sipari_ WJO-001, pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | 061195d6_by_Libranalysis.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | URGENT ORDER 2T6U545267,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | ORDER QUOTE CBM787563788265542,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | PO ____-34002174,pdf.exe | malicious | 23.105.131.141
                                    LEASEWEB-USA-NYC-11US | RECHNUNGSKAUF Bestellung-46509008.pdf.exe | malicious | 23.105.131.132

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

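                                    Match | Associated Sample Name / URL | Detection
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | kyIfnzzg3E.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | flyZab7hHk.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | AedJpyQ9lM.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | UPDATED SOA.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | qdFDmi3Bhy.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | RFQ27559404D4E5A.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Receiptn.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | PURCHASE LIST.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | SecuriteInfo.com.Trojan.PackedNET.783.10804.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Y6k2VgaGck.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Bank swift.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | tT1XWdxOYv.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | 363IN050790620 BOOKING.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | New Order.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | RFQ#21040590409448.pdf.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | DHL#DOCUMENTS02010910.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | QOUTATION#2300003590.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | 1p037oXV3S.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | BaU9m8mMFx.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | yl77tM4JDg.exe | malicious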

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL#DOCUMENTS001010.PDF.exe.log
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):425
                                                                            Entropy (8bit):5.340009400190196
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5:CC144808DBAF00E03294347EADC8E779
                                                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious:true
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bhjhjkek.exe.log
                                                                            Process:C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):425
                                                                            Entropy (8bit):5.340009400190196
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5:CC144808DBAF00E03294347EADC8E779
                                                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64616
                                                                            Entropy (8bit):6.037264560032456
                                                                            Encrypted:false
                                                                            SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                            MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                            SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                            SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                            SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Virustotal, Detection: 0%
                                                                            • Antivirus: Metadefender, Detection: 0%
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: kyIfnzzg3E.exe, Detection: malicious
                                                                            • Filename: flyZab7hHk.exe, Detection: malicious
                                                                            • Filename: AedJpyQ9lM.exe, Detection: malicious
                                                                            • Filename: UPDATED SOA.exe, Detection: malicious
                                                                            • Filename: qdFDmi3Bhy.exe, Detection: malicious
                                                                            • Filename: RFQ27559404D4E5A.PDF.exe, Detection: malicious
                                                                            • Filename: Receiptn.exe, Detection: malicious
                                                                            • Filename: PURCHASE LIST.exe, Detection: malicious
                                                                            • Filename: SecuriteInfo.com.Trojan.PackedNET.783.10804.exe, Detection: malicious
                                                                            • Filename: Y6k2VgaGck.exe, Detection: malicious
                                                                            • Filename: Bank swift.exe, Detection: malicious
                                                                            • Filename: tT1XWdxOYv.exe, Detection: malicious
                                                                            • Filename: 363IN050790620 BOOKING.exe, Detection: malicious
                                                                            • Filename: New Order.exe, Detection: malicious
                                                                            • Filename: RFQ#21040590409448.pdf.exe, Detection: malicious
                                                                            • Filename: DHL#DOCUMENTS02010910.PDF.exe, Detection: malicious
                                                                            • Filename: QOUTATION#2300003590.PDF.exe, Detection: malicious
                                                                            • Filename: 1p037oXV3S.exe, Detection: malicious
                                                                            • Filename: BaU9m8mMFx.exe, Detection: malicious
                                                                            • Filename: yl77tM4JDg.exe, Detection: malicious
                                                                            Reputation:moderate, very likely benign file
                                                                            C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):607704
                                                                            Entropy (8bit):6.749029364545613
                                                                            Encrypted:false
                                                                            SSDEEP:12288:v3SBz/P5DgjDjNGPZk3Zg1Ke0lC8+lEvKlJfF05Ibmu9EgeIKxAtWO:v3IzJDgjDjNU2Jg1t0lCb3
                                                                            MD5:B7FECE0A9529306A2644CE102FE2D86A
                                                                            SHA1:767FCF70A98DD70D9035DFE4FCCA04E17CDEBFDE
                                                                            SHA-256:F9284667090735ECCB6110C4C9E33122890570B6F10798EF57370740C4D9DB6D
                                                                            SHA-512:04092525491ADD6E159FDD19E720CD0D38CFB4FA037907B1D08AAFF9AA3833A2F0387A1169026831C0F2FE388DBE2C6C0B47EE5814CE6C64680F27A3849D1099
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: Virustotal, Detection: 44%
                                                                            • Antivirus: Metadefender, Detection: 31%
                                                                            • Antivirus: ReversingLabs, Detection: 32%
                                                                            Reputation:low
                                                                            C:\Users\user\AppData\Local\bhjhjkek.exe:Zone.Identifier
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):232
                                                                            Entropy (8bit):7.024371743172393
                                                                            Encrypted:false
                                                                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:ISO-8859 text, with no line terminators, with escape sequences
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):3.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:uh:2
                                                                            MD5:290BBB2342B623C21C98E5B0AFF6126A
                                                                            SHA1:DFFF467E660EB007454A2E677B3C81D60296A296
                                                                            SHA-256:5BC0B7B765A4BA88635ED78FB9EF64DA054F77B354F5B6A0C9370AF18EF83694
                                                                            SHA-512:652B1A33D06529AAF40A063D737039799562D58BBFEB9AAA0744605A11DAC2FEC3598232BFC890A34785D1CC7AA1E27704DA5A27935A82E6FAD2FA804F803DFC
                                                                            Malicious:true
                                                                            Reputation:low
                                                                            Preview: .e=..+.H
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):24
                                                                            Entropy (8bit):4.501629167387823
                                                                            Encrypted:false
                                                                            SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                            MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                            SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                            SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                            SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                            Malicious:false
                                                                            Preview: 9iH...}Z.4..f..J".C;"a
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):5.320159765557392
                                                                            Encrypted:false
                                                                            SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                            MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                            SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                            SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                            SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                            Malicious:false
                                                                            Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):327432
                                                                            Entropy (8bit):7.99938831605763
                                                                            Encrypted:true
                                                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                            Malicious:false

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):6.749029364545613
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:DHL#DOCUMENTS001010.PDF.exe
                                                                            File size:607704
                                                                            MD5:b7fece0a9529306a2644ce102fe2d86a
                                                                            SHA1:767fcf70a98dd70d9035dfe4fcca04e17cdebfde
                                                                            SHA256:f9284667090735eccb6110c4c9e33122890570b6f10798ef57370740c4d9db6d
                                                                            SHA512:04092525491add6e159fdd19e720cd0d38cfb4fa037907b1d08aaff9aa3833a2f0387a1169026831c0f2fe388dbe2c6c0b47ee5814ce6c64680f27a3849d1099
                                                                            SSDEEP:12288:v3SBz/P5DgjDjNGPZk3Zg1Ke0lC8+lEvKlJfF05Ibmu9EgeIKxAtWO:v3IzJDgjDjNU2Jg1t0lCb3
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................p........... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:74f2dbb284c2e2ee

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x44d7be
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x60BFE88A [Tue Jun 8 22:00:42 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Authenticode Signature

                                                                            Signature Valid:false
                                                                            Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                            Error Number:-2146869232
                                                                            Not Before, Not After
                                                                            • 8/25/2016 2:00:00 AM 10/9/2019 2:00:00 PM
                                                                            Subject Chain
                                                                            • CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US
                                                                            Version:3
                                                                            Thumbprint MD5:6146F700D6452042DC954108EBA73447
                                                                            Thumbprint SHA-1:21F94C255A8B20D21A323CA5ACB8EBF284E09037
                                                                            Thumbprint SHA-256:BAA11FF9D7FEDEC30BC343F6F0E85B3256EA8155573E862B17C15DCB2596C678
                                                                            Serial:03E49B29AE75DF4C50DC1662670776B9

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d770 | 0x4b | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x46c74 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x92a00 | 0x1bd8 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                            Sections

                                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                            .text | 0x2000 | 0x4b7c4 | 0x4b800 | False | 0.979075046565 | data | 7.98213921813 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rsrc | 0x4e000 | 0x46c74 | 0x46e00 | False | 0.197964891975 | data | 4.61492882254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name | RVA | Size | Type | Language | Country
                                                                            RT_ICON | 0x4e1f0 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
                                                                            RT_ICON | 0x90218 | 0x25a8 | data | |
                                                                            RT_ICON | 0x927c0 | 0x10a8 | data | |
                                                                            RT_ICON | 0x93868 | 0x988 | data | |
                                                                            RT_ICON | 0x941f0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                            RT_GROUP_ICON | 0x94658 | 0x4c | data | |
                                                                            RT_VERSION | 0x946a4 | 0x3ca | data | |
                                                                            RT_MANIFEST | 0x94a70 | 0x204 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                                                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version | 5.49.7.0
InternalName | aajfkfkf.exe
FileVersion | 5.49.7.0
CompanyName | sandboxie-plus.com
LegalTrademarks |
Comments | Sandboxie Installer
ProductName | Sandboxie
ProductVersion | 5.49.7.0
FileDescription | Sandboxie Installer
OriginalFilename | aajfkfkf.exe

                                                                            Network Behavior

                                                                            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/09/21-09:54:09.372256 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 2092 | 192.168.2.4 | 23.105.131.142

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Jun 9, 2021 09:54:12.367263079 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.367330074 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.368031979 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.368748903 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.369072914 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.369079113 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.369805098 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.370809078 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.370888948 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.371042967 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.371098042 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.374486923 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.374509096 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.374552965 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.374929905 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.374957085 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.374969006 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.375056028 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.375210047 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.375366926 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.376497030 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.376636982 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.376867056 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.377118111 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.377257109 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.377306938 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.377712965 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.378798962 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.378891945 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.379059076 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.380718946 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.380808115 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.381052017 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.382230043 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.382301092 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.382719040 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.383002996 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.383035898 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.383060932 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.383749962 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.385041952 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.385263920 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.385641098 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.385716915 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.385951996 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.386564970 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.386622906 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.387208939 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.396409988 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.396543026 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.396578074 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.396629095 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.396663904 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.396878004 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.448440075 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.702222109 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.702285051 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.702342987 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.703048944 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.703948975 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.704041004 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.704132080 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.704941988 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.705002069 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.705262899 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.705920935 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.706011057 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.711961031 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.712100983 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.712228060 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.713561058 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.713864088 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.713957071 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.714014053 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.714926958 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.715048075 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.715164900 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.715950966 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.716042042 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.716124058 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.718314886 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.718420029 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.727411032 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727483034 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727530003 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727570057 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727622986 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.727716923 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.727802992 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727900982 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.727988958 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728001118 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.728069067 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728179932 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.728243113 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728327036 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728415012 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.728425026 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728548050 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728657961 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.728667974 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.728836060 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.729022026 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.729120016 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.729201078 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.729331017 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.729904890 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.730302095 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.730416059 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.731105089 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.731887102 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.731981039 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.732096910 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.733139992 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.733212948 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.733233929 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.734402895 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.734467983 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.734492064 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.735193968 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.735310078 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.735997915 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.736079931 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.736227989 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.736936092 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.737034082 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.737135887 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:12.737910986 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.789566994 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:12.790282965 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.048624039 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.048698902 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.048749924 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.049264908 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.049737930 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.049757004 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.049806118 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.056714058 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.056734085 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.056750059 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.056766033 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.056783915 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.056823015 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.056823969 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.056870937 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.056917906 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057075024 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057153940 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057197094 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.057276964 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057321072 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.057353973 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057476997 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057676077 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057715893 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.057920933 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.057971954 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.058861971 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.059094906 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.059925079 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.059932947 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.061038017 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.061090946 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.061933994 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.062067986 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.063455105 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.063503981 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.063601017 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.063656092 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.064043999 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.064898968 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.065116882 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.065176010 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.065922022 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.066029072 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.066088915 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.068361044 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.068445921 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.068511963 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.075885057 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.075951099 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.076138973 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.077147007 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.077208996 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.077256918 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.078438997 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.078504086 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.078533888 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.087363958 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.087443113 CEST497652092192.168.2.423.105.131.142
                                                                            Jun 9, 2021 09:54:13.087783098 CEST20924976523.105.131.142192.168.2.4
                                                                            Jun 9, 2021 09:54:13.087990046 CEST20924976523.105.131.142192.168.2.4

                                                                            Code Manipulations

                                                                            Statistics

                                                                            System Behavior

                                                                            General

                                                                            Start time: 09:53:09
                                                                            Start date: 09/06/2021
                                                                            Path: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe'
                                                                            Imagebase: 0xca0000
                                                                            File size: 607704 bytes
                                                                            MD5 hash: B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: .Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.644449963.0000000000CA2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.766443926.0000000000CA2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation: low

                                                                            General

                                                                            Start time: 09:54:05
                                                                            Start date: 09/06/2021
                                                                            Path: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
                                                                            Imagebase: 0x9a0000
                                                                            File size: 64616 bytes
                                                                            MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: .Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.923206884.0000000003E7F000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.923629464.000000000410E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Antivirus matches:
                                                                            • Detection: 0%, Virustotal
                                                                            • Detection: 0%, Metadefender
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation: high

                                                                            General

                                                                            Start time: 09:54:13
                                                                            Start date: 09/06/2021
                                                                            Path: C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: 'C:\Users\user\AppData\Local\bhjhjkek.exe'
                                                                            Imagebase: 0x7c0000
                                                                            File size: 607704 bytes
                                                                            MD5 hash: B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: .Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000000.782814633.00000000007C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 44%, Virustotal
                                                                            • Detection: 31%, Metadefender
                                                                            • Detection: 32%, ReversingLabs
                                                                            Reputation:low

                                                                            General

                                                                            Start time:09:54:22
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\bhjhjkek.exe'
                                                                            Imagebase:0x290000
                                                                            File size:607704 bytes
                                                                            MD5 hash:B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.919434619.0000000000292000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000000.801027556.0000000000292000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:09:55:09
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
                                                                            Imagebase:0xb50000
                                                                            File size:64616 bytes
                                                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:high

                                                                            Disassembly

                                                                            Code Analysis

                                                                              Executed Functions

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H&m[$P.v
                                                                              • API String ID: 0-1193351278
                                                                              • Opcode ID: 3179943ea3ee195a9db461882d05ddb6491ab8a53845ac31b857694fb07305b9
                                                                              • Instruction ID: 0d6f7365662b1c4b19dd2ac33fbbe08a265c74bde39e010e36904a2b71544fa0
                                                                              • Opcode Fuzzy Hash: 3179943ea3ee195a9db461882d05ddb6491ab8a53845ac31b857694fb07305b9
                                                                              • Instruction Fuzzy Hash: 2A610B74B05218CFCB44EFA8E4955AEB7B2FB99340B108539D80BEB355DB346C42DB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,?,?), ref: 057D561F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 3555792229-0
                                                                              • Opcode ID: d67a35476e3f5021c7845873cdd7fd7cc6f1b759be3c002ce2f3dd91623dd654
                                                                              • Instruction ID: d79633eb1803875f78fa6a293698afac036487e089ae81ebe7b79ce07854aef9
                                                                              • Opcode Fuzzy Hash: d67a35476e3f5021c7845873cdd7fd7cc6f1b759be3c002ce2f3dd91623dd654
                                                                              • Instruction Fuzzy Hash: 4C31CAB4D052189FCB14CFA9E584AEEFBF1BF49310F14A02AE415B7210D739AA45CF68
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,?,?), ref: 057D561F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 3555792229-0
                                                                              • Opcode ID: 0154eed58ed8a202972ec5f46d28d006dab9e21549bcd2c3185eb0a7847595ad
                                                                              • Instruction ID: 418bb01cb001017770165faa8ad15d2199448ed2b1326c3e2559b86e7b642a90
                                                                              • Opcode Fuzzy Hash: 0154eed58ed8a202972ec5f46d28d006dab9e21549bcd2c3185eb0a7847595ad
                                                                              • Instruction Fuzzy Hash: 4231BBB4D052189FCB14CFA9E584AEEFBF1BF49310F14A02AE415B7210D735AA45CF68
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057D3F77
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057D3F77
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 057D4FB7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: BaseModuleName
                                                                              • String ID:
                                                                              • API String ID: 595626670-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 057D0116
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D3ACB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D3ACB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 057D0116
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057D3952
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcesses.KERNEL32(?,?,?), ref: 057D45F0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumProcesses
                                                                              • String ID:
                                                                              • API String ID: 84517404-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057D3952
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 057D4D2E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumModulesProcess
                                                                              • String ID:
                                                                              • API String ID: 1082081703-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcesses.KERNEL32(?,?,?), ref: 057D45F0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumProcesses
                                                                              • String ID:
                                                                              • API String ID: 84517404-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 057D4D2E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumModulesProcess
                                                                              • String ID:
                                                                              • API String ID: 1082081703-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0169FA74
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.767102176.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetThreadContext.KERNELBASE(?,?), ref: 057D379F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetThreadContext.KERNELBASE(?,?), ref: 057D379F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 057D51A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0169FD1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.767102176.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 057D51A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.771165627.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.767102176.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @
                                                                              • API String ID: 0-2766056989
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Executed Functions

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cef81e6c2ac2c1e4cedf1ddbe0e0572e7ad58008df904cce0b802d26c2682203
                                                                              • Instruction ID: f02957f7bade5c48e4d846fd508f9b8ea9749e5a0aaf662f4b67241623c0a5c6
                                                                              • Opcode Fuzzy Hash: cef81e6c2ac2c1e4cedf1ddbe0e0572e7ad58008df904cce0b802d26c2682203
                                                                              • Instruction Fuzzy Hash: 6491D032F011159FD754EB69D980A9EB7E3AFC8354F2A8165E405DB765DF30AC02CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 97fb647c84636e7cdaed29ce22eab359b17fe7b69055785ee2fcf9549998704c
                                                                              • Instruction ID: c04902abd3d5b5b4fe320a2e90e669e6eceb4dc933430426f61c2dc747216c2a
                                                                              • Opcode Fuzzy Hash: 97fb647c84636e7cdaed29ce22eab359b17fe7b69055785ee2fcf9549998704c
                                                                              • Instruction Fuzzy Hash: E4616832F011159FD754EB69D895B9EB3E3AFC8214F2AC164E409AB765DB34ED02CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6beccd7b99f75e58938a763ab17f7e1adb5857d926359a68eb97a37fefa0c620
                                                                              • Instruction ID: dd17d2d8ed1774f97cdc919774af7927ad06d40082fb72ba211b1f44441017a1
                                                                              • Opcode Fuzzy Hash: 6beccd7b99f75e58938a763ab17f7e1adb5857d926359a68eb97a37fefa0c620
                                                                              • Instruction Fuzzy Hash: 41510374E01208DFDB10EFA5E994AEEBBB2FF49300F10916AE905A7354DB356945CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2247035a18b6d188ec6285b49707b4ebf2ec9020cf49ad7255ecbc9db83ee02d
                                                                              • Instruction ID: 8f6428fddadd605b19b41d9cc3bfdb5ba3725c53eaf6583e80ef408d2ed80cc7
                                                                              • Opcode Fuzzy Hash: 2247035a18b6d188ec6285b49707b4ebf2ec9020cf49ad7255ecbc9db83ee02d
                                                                              • Instruction Fuzzy Hash: F421CF74B042489FDB18AB65E8595EEBF7AAFCA200F194427E606D3285CF348C06CB61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: D!l$D!l$t%l$t%l
                                                                              • API String ID: 0-3946509765
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: t%l$t%l$t%l$t%l
                                                                              • API String ID: 0-3191554559
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $hQ`
                                                                              • API String ID: 0-157799972
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: t%l$t%l
                                                                              • API String ID: 0-4211158430
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 02E0962E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E0FD0A
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E0FD0A
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.928515268.0000000006B40000.00000040.00000001.sdmp, Offset: 06B30000, based on PE: true
                                                                              • Associated: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02E0FE28,?,?,?,?), ref: 02E0FE9D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LongWindow
                                                                              • String ID:
                                                                              • API String ID: 1378638983-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0BCC6,?,?,?,?,?), ref: 02E0BD87
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0BCC6,?,?,?,?,?), ref: 02E0BD87
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E096A9,00000800,00000000,00000000), ref: 02E098BA
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E096A9,00000800,00000000,00000000), ref: 02E098BA
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 02E0962E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02E0FE28,?,?,?,?), ref: 02E0FE9D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921955688.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LongWindow
                                                                              • String ID:
                                                                              • API String ID: 1378638983-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: r*+
                                                                              • API String ID: 0-3221063712
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: r*+
                                                                              • API String ID: 0-3221063712
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID: 0-3916222277
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $%l
                                                                              • API String ID: 0-3241685056
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 44c7288e6fcbefef7c011beae1e7c878e826a50c297f2a73c56601b0d3906d1a
                                                                              • Instruction ID: 6c910fa9ffb816c2d998cfda8902034831b9986fe533d81dcf93efd6783c4b09
                                                                              • Opcode Fuzzy Hash: 44c7288e6fcbefef7c011beae1e7c878e826a50c297f2a73c56601b0d3906d1a
                                                                              • Instruction Fuzzy Hash: F8315532B042158FC744FBEE94405AAF7B5EFC9610B198A76D029E7200E7319842CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c57fcfedde030f1db8bbe7cf7112b357d6a0437ca0cdb3bb7918d11fe0dfc75
                                                                              • Instruction ID: 500f00429ed5099ddc2dbcffd694115af25655818836d0f0b7dca152365cc91f
                                                                              • Opcode Fuzzy Hash: 5c57fcfedde030f1db8bbe7cf7112b357d6a0437ca0cdb3bb7918d11fe0dfc75
                                                                              • Instruction Fuzzy Hash: 4031DF32A112298FCB16BFB8D8545EDB7B1FF88210B018A5AD446B7250EF35AA45CBD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4337c81dd2ec4a408781ad5a4e48c218407c235d97f48ba401c38c724c6a8d31
                                                                              • Instruction ID: 5d0f96a06b78608f04eccd6ad088917d5a962f0fec404c111a2f4d27c38bca7c
                                                                              • Opcode Fuzzy Hash: 4337c81dd2ec4a408781ad5a4e48c218407c235d97f48ba401c38c724c6a8d31
                                                                              • Instruction Fuzzy Hash: A6312731A081419FC799EB78C8945BC7BE0AB461187314BAAD51ACB7E1DB319C05CFD2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e70444e75e2de7808ffa224ab6cb3c9095ffc4f400a9d972652d8b62960dff4f
                                                                              • Instruction ID: 0c66f7410990f78262b4d07884a85e9fb912cd190cdb9697515145d5a6d3d1e9
                                                                              • Opcode Fuzzy Hash: e70444e75e2de7808ffa224ab6cb3c9095ffc4f400a9d972652d8b62960dff4f
                                                                              • Instruction Fuzzy Hash: 5831D034B143049FDB96EB758840AAEBBF6AF89200B50492EE442DB351DB35DD02CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d40581dd77a8850c9a6a4432b602a497e127438a625536ad24fada2087bb878c
                                                                              • Instruction ID: fc2775b8c4a08b0d3bb61da5e5a50bf7d283b75de38c0262a3c6408a56ca2e8d
                                                                              • Opcode Fuzzy Hash: d40581dd77a8850c9a6a4432b602a497e127438a625536ad24fada2087bb878c
                                                                              • Instruction Fuzzy Hash: 0A312772B042148FC744EB69D884969BBB5EFCD32571281AAD519DB362DB30EC0ACBD0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 63b588bd7e32233ab2d0f12f14486fba7373c17144abebb6cb0e38e22f8064e1
                                                                              • Instruction ID: aa75b87863eb166ff95781847dc990e7d533ee0b20aee7e3273e194e8dd10522
                                                                              • Opcode Fuzzy Hash: 63b588bd7e32233ab2d0f12f14486fba7373c17144abebb6cb0e38e22f8064e1
                                                                              • Instruction Fuzzy Hash: 753143752087518FC37AEF31C5514867BF2EFA22043408A6ED09BCB604DB76A80ACFD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61dc0264ad497d135585574d89865f3d0f5993612543a8d42528effe038c70e4
                                                                              • Instruction ID: bb077809df48f9167433e22538d01dc6b7a2bd13f23719e803a589bd1fb0154b
                                                                              • Opcode Fuzzy Hash: 61dc0264ad497d135585574d89865f3d0f5993612543a8d42528effe038c70e4
                                                                              • Instruction Fuzzy Hash: FB317C70E10218DFEB64EF68C488BAEBBF5AF48711F158069E805B7390DB749949CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 49491733f892e3c5f29187600d97c1b393d6eb601211b7f1b358dea620038fed
                                                                              • Instruction ID: 48b2204965d7218d77e1fce8761129da8b2751020590780bc22f7d473c4b8214
                                                                              • Opcode Fuzzy Hash: 49491733f892e3c5f29187600d97c1b393d6eb601211b7f1b358dea620038fed
                                                                              • Instruction Fuzzy Hash: 154152346107118F9369EF24E11819A77F2FF952083008E6CD55BABB58DBB6AC0ACF94
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a91e3dbac88bd481936a67c2cb3f3d864326c7277cd03f6229c1f1df2ee70969
                                                                              • Instruction ID: 94a3045c55ddc587f45f366205dbe8bf656e31255fad9555414bb274721ccf19
                                                                              • Opcode Fuzzy Hash: a91e3dbac88bd481936a67c2cb3f3d864326c7277cd03f6229c1f1df2ee70969
                                                                              • Instruction Fuzzy Hash: 1C3146B1D002499FCB15DFA9D590ADEBFF5AF48300F24842AE819BB250DB389A00CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 767efdc2887441cbdd112a3b85c66face2abe8413a726e7b6d6c8e5e0fe72bfb
                                                                              • Instruction ID: a31d841bf28d76fc7b5d25a34150721cfc21f8479aa2832f801dfcecf391a37e
                                                                              • Opcode Fuzzy Hash: 767efdc2887441cbdd112a3b85c66face2abe8413a726e7b6d6c8e5e0fe72bfb
                                                                              • Instruction Fuzzy Hash: 3B31E235B043859FC749BB76940E2AD7FF2AF84201B148829E05AC7340DF794842CF99
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b01619602005eb73815578cdd5e0f754b89963025be3bebd48c5b908f4579a81
                                                                              • Instruction ID: ec3844a7892df0e966d4cb911203c316039735498a86175f399ed8c3a097a4d1
                                                                              • Opcode Fuzzy Hash: b01619602005eb73815578cdd5e0f754b89963025be3bebd48c5b908f4579a81
                                                                              • Instruction Fuzzy Hash: 53318131E043099FDB56EF69C8406DDFBB5FF89200F11862AD40AA7201EB35A645CBE5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 20369b0a21b86f998652835192d101806f861afc245be131079ff8ef20d2132d
                                                                              • Instruction ID: b079fc8fbd70e11d76ef08a303c9923b0b2d244f238ba0412a438d337c659313
                                                                              • Opcode Fuzzy Hash: 20369b0a21b86f998652835192d101806f861afc245be131079ff8ef20d2132d
                                                                              • Instruction Fuzzy Hash: 4231AF70A04A01DFDB59EAA8C88196ABBF1FB84B00F198E59D576C7261C731E841CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 902760e4b4311b18d7aa7164fdbfb68a6151aa0aecc8e3e182e1fc94497d1901
                                                                              • Instruction ID: 496b968406d5e4d1ae538b8bfeeb8012f775c9e14fa35babd26839d3d1fde9fa
                                                                              • Opcode Fuzzy Hash: 902760e4b4311b18d7aa7164fdbfb68a6151aa0aecc8e3e182e1fc94497d1901
                                                                              • Instruction Fuzzy Hash: 5431AD32D1062A8ECB15BB79D8141EDB7B2FF84210B064A6AD44A77240EF34AA95CBC1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f56ac5f551f654efe6190eb931ca16a1533cb58bfac96776a982524968672c5e
                                                                              • Instruction ID: 49c62792f1819e9c213e11a5e5059a8965d07e6bf97386fcbc7b004a9b6009c8
                                                                              • Opcode Fuzzy Hash: f56ac5f551f654efe6190eb931ca16a1533cb58bfac96776a982524968672c5e
                                                                              • Instruction Fuzzy Hash: 2221E72240F3D19FE793A764ACA1DC63F219E2319431B48D7D182CB1A7D715990ADBE2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c32c1adb71fbf643a0e1558040d91b0f147f37cdbe46b923a6df1fa96dbcd076
                                                                              • Instruction ID: 19562afc3783aba83f8e6b30faef3ccc6c335b4e6e014265790884a227d0f6f5
                                                                              • Opcode Fuzzy Hash: c32c1adb71fbf643a0e1558040d91b0f147f37cdbe46b923a6df1fa96dbcd076
                                                                              • Instruction Fuzzy Hash: 64317C34B043048FD755EB75C450AAEBBF6EF89200B50892EE9429B750DB35ED42CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d63434e6a674a7f0a88e7489323da52b2eae3aabd3e4d8fce158c533bb161488
                                                                              • Instruction ID: e7801f95a9177e9ddde4fc5ee76a83a5b2ed1086d240b27c63151d58652fbbdb
                                                                              • Opcode Fuzzy Hash: d63434e6a674a7f0a88e7489323da52b2eae3aabd3e4d8fce158c533bb161488
                                                                              • Instruction Fuzzy Hash: AF21AC309082118FE3ABB6629464275B680DBC6204B198DABD59ECF512D375CA45CFF1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: be54d3fc1eab5c9a36a0636d1f1c395a100c78237635175230ec0cfb0cde996d
                                                                              • Instruction ID: dbaed07e0b2fa5a7930647c501a0c9a5b63372ed23a1e14eb3687ed7e43e2615
                                                                              • Opcode Fuzzy Hash: be54d3fc1eab5c9a36a0636d1f1c395a100c78237635175230ec0cfb0cde996d
                                                                              • Instruction Fuzzy Hash: 8D21D031E0061A9FDB48EFA8D45449DF7F2FF852047618A2AE51AA7320EF34A945CF81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 87011ba9b4b911826f6d8f8727ba517132b47676d7928829db746aba1a024a70
                                                                              • Instruction ID: 8a9354d9975b8b9e498b43e193db8244d7b3390ca1706df8abe34421d8a1b09f
                                                                              • Opcode Fuzzy Hash: 87011ba9b4b911826f6d8f8727ba517132b47676d7928829db746aba1a024a70
                                                                              • Instruction Fuzzy Hash: F73135B0D002489FDB15DFAAD484ADEFBF5AF48304F24842AE819BB250DB389941CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2da9be977f08838ca87eb33e299279c0c27f4137021bd3db03b35086c99745b6
                                                                              • Instruction ID: 2ee037978203927530423afd8ebc5c347a5b70c339295dace7762960cc326ebb
                                                                              • Opcode Fuzzy Hash: 2da9be977f08838ca87eb33e299279c0c27f4137021bd3db03b35086c99745b6
                                                                              • Instruction Fuzzy Hash: EB21D232A04224DFDB5AAB64C4142EEB7B2FB88301F01493AD446EB640CB759909CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5b337fdda4ddf66bf43e829ebe85474feac00f074e9a97feb7a77d4301f61391
                                                                              • Instruction ID: b880336828827bd7fd00cf5c75c8d0809c27f9f71913754c55abbf864a736a3b
                                                                              • Opcode Fuzzy Hash: 5b337fdda4ddf66bf43e829ebe85474feac00f074e9a97feb7a77d4301f61391
                                                                              • Instruction Fuzzy Hash: 14218035B14345AFD749BB76D00E2AD7BF2AF84201B148429E04AD7390DF794942CF99
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c91c7541cfbae3c0e37e6adf9c0e1a8fa77367ac480d8897cb7e1c9dda99dd6f
                                                                              • Instruction ID: 1fd95e44903b0dbd011710eebb5caf294e33293cc3137ef1f8fec6ccb0b6aa17
                                                                              • Opcode Fuzzy Hash: c91c7541cfbae3c0e37e6adf9c0e1a8fa77367ac480d8897cb7e1c9dda99dd6f
                                                                              • Instruction Fuzzy Hash: FF219D717181108FA798EB79D44497973E5EF886A470688BAE80ACB770DB20DC02CFD3
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f59690d4a5f46ba4c10dda9a15e683baf3636f98ebca56a64aea428fd18f1c53
                                                                              • Instruction ID: 017248fc22b6fbbca99deae6975cd0a5b67c75e83b65f97d3bf2b52d47f1ac44
                                                                              • Opcode Fuzzy Hash: f59690d4a5f46ba4c10dda9a15e683baf3636f98ebca56a64aea428fd18f1c53
                                                                              • Instruction Fuzzy Hash: DB315730D10309CFDB54DF65C189A9DBBF2FF45314F269469D016AB2A1CB74884ACF55
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 412013c4f16b685c30b7613983ae3abe7b63b2328a2ff8fa890f6b32ab22bf73
                                                                              • Instruction ID: ded16ada02601d825c04f809ea7a1e0ec3a9302f7b7eef6044f9eb9f8a9ba727
                                                                              • Opcode Fuzzy Hash: 412013c4f16b685c30b7613983ae3abe7b63b2328a2ff8fa890f6b32ab22bf73
                                                                              • Instruction Fuzzy Hash: 7F314830E90319CFDB64DF61D48AA9DBBF2BF45314F158469D406AB2A1CB749844CF45
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: daeadf685b4e054494ca11dbb3fa08aa4cc37cf95e6598f5c3e58de285b1c883
                                                                              • Instruction ID: 007159fe99037596eae8cd10cdc06f98899d93923641c0040b6e2f973356142b
                                                                              • Opcode Fuzzy Hash: daeadf685b4e054494ca11dbb3fa08aa4cc37cf95e6598f5c3e58de285b1c883
                                                                              • Instruction Fuzzy Hash: 2F316770D002189FDB64DFA8D4887EDBBF4AF48311F14846AE816A7390DB749849CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921351196.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b8461f11e46d8da5af7c6a11ffc6dba9cbff62116068cef704146bda3f2f0325
                                                                              • Instruction ID: f29c1c17dca82689969cb5df1eb17d2a0d1b8c4e2bb935709daf7ae671263e03
                                                                              • Opcode Fuzzy Hash: b8461f11e46d8da5af7c6a11ffc6dba9cbff62116068cef704146bda3f2f0325
                                                                              • Instruction Fuzzy Hash: C921D6B1908340DFDB45CF94D9C0B2ABBA5FF94324F24C5A9E9454B246C336D457CBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61626ec208e06ea25ecd13df09174ba3450c7f350aa511a82f1bf296043bfd3a
                                                                              • Instruction ID: f8c0cccdeeac784e0275216722d60feefa218bbc0b8a70f34ec26863b6e98472
                                                                              • Opcode Fuzzy Hash: 61626ec208e06ea25ecd13df09174ba3450c7f350aa511a82f1bf296043bfd3a
                                                                              • Instruction Fuzzy Hash: 3A214131E042099FDB55EF79C4506DEF7B5FF89300F11862AE10AA7600DB35A645CBD5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921351196.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3bfc41f8fc66a79a9d23d4bfe79cdb9f59878fa8dd4e86f589d927a4700e2eab
                                                                              • Instruction ID: 7b1dbd33c58c8e2128e1fc765bddf857043f4bbb575ca748a340181d86c0b8f1
                                                                              • Opcode Fuzzy Hash: 3bfc41f8fc66a79a9d23d4bfe79cdb9f59878fa8dd4e86f589d927a4700e2eab
                                                                              • Instruction Fuzzy Hash: EE213AB1904240DFDB15CF94D9C0F26BFA5FF84328F24C5A9D9494B216C336E856CBA2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921399925.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8455c90190d9813d82e16a5ba49504c1f9ec32547d6151dfc4757f336140a2ab
                                                                              • Instruction ID: fe882f469036c931ade6f36aa7bf9ca7149151791a4acbbae0d9f40de79d3324
                                                                              • Opcode Fuzzy Hash: 8455c90190d9813d82e16a5ba49504c1f9ec32547d6151dfc4757f336140a2ab
                                                                              • Instruction Fuzzy Hash: F8210370508340DFDB15EF94D8C0B26BBA1EB84354F20C6A9E9C94B286C736D807CB61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83f3548d9fc45cb1eb9bcc4102ae670c85ced54a657ea7a4bb522fb85dd11ccf
                                                                              • Instruction ID: 61ae9710a2e4864d79092f7f31cf88b9a092a4e9ff6f9bea613a9e593806e329
                                                                              • Opcode Fuzzy Hash: 83f3548d9fc45cb1eb9bcc4102ae670c85ced54a657ea7a4bb522fb85dd11ccf
                                                                              • Instruction Fuzzy Hash: 2E11AF357041249F9758EB69D85097EB3ABEFC86143158429E60ADB350CF32AC06CBA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5e294d995cfe139e178927bbe6f26b01cce020105ac03a872951963e3c456aa1
                                                                              • Instruction ID: 7a5443095f78da37561c59f17daa9f12e600b6a6d8e047f5cd42204b3f680880
                                                                              • Opcode Fuzzy Hash: 5e294d995cfe139e178927bbe6f26b01cce020105ac03a872951963e3c456aa1
                                                                              • Instruction Fuzzy Hash: D421C532E10619AFCB05EFB8C4144EEB7B2AF89310B51C62AE4067B210EF31A954CBD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4a64fd9055f41791907407e233e7016cb4b137fbf68483d44bb75878b7122356
                                                                              • Instruction ID: 9846fd9e89cf2e10e8dcd4489816d5baf778ffef2f1d9d77e2b509e2eff9fcd3
                                                                              • Opcode Fuzzy Hash: 4a64fd9055f41791907407e233e7016cb4b137fbf68483d44bb75878b7122356
                                                                              • Instruction Fuzzy Hash: CF21067091C261CFD36D7B7094255BA7F33EB822417068C57E9928A451CB798C42CFD7
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a28055f39cf22f77b67f4c9a1d60cac422f4590983a0b01277aa25d641873c22
                                                                              • Instruction ID: 4927cac8a5e9aed09f55de3a42fedeb15c04f839165ef9c69de50319eeb766c6
                                                                              • Opcode Fuzzy Hash: a28055f39cf22f77b67f4c9a1d60cac422f4590983a0b01277aa25d641873c22
                                                                              • Instruction Fuzzy Hash: BE31B735A001059FDB44DBA8C580EEDBBF1BF88324F1A4594EA15AB366DB36EC45CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 58d64482fe0992ea98193ebbfe53de5d7beb07254fdfa425c26a1583766a8aa5
                                                                              • Instruction ID: 532b7028566423126a506789a2b834b1e5faa0b2f7c3d5f8e27cc300c97e3d4d
                                                                              • Opcode Fuzzy Hash: 58d64482fe0992ea98193ebbfe53de5d7beb07254fdfa425c26a1583766a8aa5
                                                                              • Instruction Fuzzy Hash: FB21D130A05205CFDBAEEA6884417A9B7A1EF88714F058879C00ADBA60CB769642CFD0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 860b8ed98ff5d8cf97304a234758a51711c9e05808c867b6541816535d352fb3
                                                                              • Instruction ID: dbd8fe2337e4526cb533e7b491e924ac7f66a311f0cc89e680ac3025a2b801d2
                                                                              • Opcode Fuzzy Hash: 860b8ed98ff5d8cf97304a234758a51711c9e05808c867b6541816535d352fb3
                                                                              • Instruction Fuzzy Hash: A711D331B042158FEBDDBA60C8516EE7BB7FB84214F06492ED4026B681DB70A900CFE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d071c059efd73a2d7287e3b97b2f0d7f7dbb6493aefb92c276d28c66bee64015
                                                                              • Instruction ID: 2fd6436f52ac69e316a1f909e5bb622f829dc22364559848d7d673097c8fd901
                                                                              • Opcode Fuzzy Hash: d071c059efd73a2d7287e3b97b2f0d7f7dbb6493aefb92c276d28c66bee64015
                                                                              • Instruction Fuzzy Hash: 2B215C32C00B4ADACB11EBA9C8501D9F7B1EF96310F118A4AD5A977510EF70B6D9CBD0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: feb7cb0154b33581a5f156107644cd0cf8ada37e81aa7a16a0734863c59fdf99
                                                                              • Instruction ID: 74f30c612572cdfd4b9e18c8de17bbbe2878198e1eba789dbed48fca01e866d3
                                                                              • Opcode Fuzzy Hash: feb7cb0154b33581a5f156107644cd0cf8ada37e81aa7a16a0734863c59fdf99
                                                                              • Instruction Fuzzy Hash: 0311B430A05215CFEBAEEB6884407A9BBE1FF89304F15887DC10ADB650DB759A42CFD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1b8e8898dabf80b2700799887fbcab94f3ac1a99063aed275d37f591fac19542
                                                                              • Instruction ID: aea43a6f22dba46034b61ea46041fcabb904e9623d502dab4ce3be3ba686da33
                                                                              • Opcode Fuzzy Hash: 1b8e8898dabf80b2700799887fbcab94f3ac1a99063aed275d37f591fac19542
                                                                              • Instruction Fuzzy Hash: 17110636404218EFCF069FD0E808CE8BFB2FB49310B4A8495E6156B072D722C925EF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d43775cbc0566ea6fa90924f0ba1b8a2e53de02af7f0f3fa761f6ffebdcc6283
                                                                              • Instruction ID: f0a419d27f34ef503efe0bf813a5cfe4c87f053a28de2c8f6ee97286214fe57a
                                                                              • Opcode Fuzzy Hash: d43775cbc0566ea6fa90924f0ba1b8a2e53de02af7f0f3fa761f6ffebdcc6283
                                                                              • Instruction Fuzzy Hash: D1010C31B082949EDBD8B23598502BA3AC65FD1154F494A6FD05ACB281DF25D900CFD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6edd03b5bdb3090d33a611bed1de68aafac47ca3fcde33f5d32a45ca3bd4c8ae
                                                                              • Instruction ID: 54359e1780dd832381d51e3ab29da4850013f1ef72a4d768fb939b456e843ee8
                                                                              • Opcode Fuzzy Hash: 6edd03b5bdb3090d33a611bed1de68aafac47ca3fcde33f5d32a45ca3bd4c8ae
                                                                              • Instruction Fuzzy Hash: 111104303082149FD318A72590501AA73A6DFC5249786C91ED10F8B650CF72EC0ACBD9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 56f09593e5bd0adcde4adcb63dd3851aa63f14bc74ce07015cf6558fd7595d30
                                                                              • Instruction ID: 296013749b84fd479d73ffdbbefcfd464fe8b5aad8056871de12707cfd11974d
                                                                              • Opcode Fuzzy Hash: 56f09593e5bd0adcde4adcb63dd3851aa63f14bc74ce07015cf6558fd7595d30
                                                                              • Instruction Fuzzy Hash: F6112339108300CFE3ADABA0D8940AA7BB7FB84211756486ED0478B741DF369C05CB86
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d64ab390cc241929a7fb86d2ad6fce80fcb5f36caf3ccbf9332b5564b04ff597
                                                                              • Instruction ID: dc4da94d9ef3fddaa725308f0dca94676aaa8dee9af6359fbde3e929b28c9821
                                                                              • Opcode Fuzzy Hash: d64ab390cc241929a7fb86d2ad6fce80fcb5f36caf3ccbf9332b5564b04ff597
                                                                              • Instruction Fuzzy Hash: CB11BF34300604AFD764EA56C490D6AF3AAEFCC225B54C55AD45A83B92CB31FC46CFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921351196.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921351196.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.921399925.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b35451e5d0b4f2a729c3120786374add782a6d4a65bc3b0a7b1356216aa66db
                                                                              • Instruction ID: 7b5c8b4e4390b7ee559e473b2f4ad41ed826d4395e0cfad700275877763e7f2e
                                                                              • Opcode Fuzzy Hash: 9b35451e5d0b4f2a729c3120786374add782a6d4a65bc3b0a7b1356216aa66db
                                                                              • Instruction Fuzzy Hash: 8201DE71E14302CEEB65BB74E4043ADBBF1AF81300F108A5AE045A7550EF3499C0CF81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b7ee07f1ffaec5c1c34be81c0aeb1c6d348500ecc0b1d7994155c6d6301323bd
                                                                              • Instruction ID: a2b231401cd442bc9c985afabce87eac6ea0db6e526ab3387c94c0e84bd8e790
                                                                              • Opcode Fuzzy Hash: b7ee07f1ffaec5c1c34be81c0aeb1c6d348500ecc0b1d7994155c6d6301323bd
                                                                              • Instruction Fuzzy Hash: 51F06236710220AF97197B7AA80A4AB7ADEEB88661341453EF50FC7701DE359C018BA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ca4a5ce3153f2d4eebc5c24c9144baf9ff8e161a169a7d7b06cb9eb0dbb01f26
                                                                              • Instruction ID: 2b32269b1b29a20d290a4f4dad90fde7fc3454b7074630d6a61347ac03517172
                                                                              • Opcode Fuzzy Hash: ca4a5ce3153f2d4eebc5c24c9144baf9ff8e161a169a7d7b06cb9eb0dbb01f26
                                                                              • Instruction Fuzzy Hash: EEF0A431A487058FD3986B799881599BBE7EFC12143568A2EE14B9B600DF705C40CBD9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4f682e6fb9ec75ca96efeb21dc960c2ba7f45f7c212644be38d1cd2afdef1a62
                                                                              • Instruction ID: 4102be4c8a4445218d206bbbe9aa72eb4f7ad27bdc97649c8aa5034d42218510
                                                                              • Opcode Fuzzy Hash: 4f682e6fb9ec75ca96efeb21dc960c2ba7f45f7c212644be38d1cd2afdef1a62
                                                                              • Instruction Fuzzy Hash: D2F0D131608600AFA358B629D01499933E2EBC62103018E79E50ACB600DF31AC4ACBEA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d18660f3490c72cbc03424be60c5516f6d6606d4f03163fef184ec891fc5caea
                                                                              • Instruction ID: 7ee46451a5ec5560c22031be9c20da03fefe3269b4c1d9517b20e3bca334e0e0
                                                                              • Opcode Fuzzy Hash: d18660f3490c72cbc03424be60c5516f6d6606d4f03163fef184ec891fc5caea
                                                                              • Instruction Fuzzy Hash: 33F0503610C394AFC7D9F3354C544253FD94FD206074A46ABD049CB152DB259C04CFE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3a876bdfc2f2d0cf4f0a3e21305f0e5d1ca2bfdc2b7980727d354e66e3289e17
                                                                              • Instruction ID: 2201bb46d1270e8359d1852da1d348a1c28aaa5e0959712677edff6037581f8c
                                                                              • Opcode Fuzzy Hash: 3a876bdfc2f2d0cf4f0a3e21305f0e5d1ca2bfdc2b7980727d354e66e3289e17
                                                                              • Instruction Fuzzy Hash: 52F05977A8E3905FD7AB30695C782E17F888787111B1B04ABE859D318BE6708904CBE0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fd072a01dbf500641042cfffe68670c692cccf7132222caa4c3c89a9b3ab894a
                                                                              • Instruction ID: dbf71058bda6b32bf78ecc92afe554ee17ba79f4cff97883d84b03a839cacf28
                                                                              • Opcode Fuzzy Hash: fd072a01dbf500641042cfffe68670c692cccf7132222caa4c3c89a9b3ab894a
                                                                              • Instruction Fuzzy Hash: D6F0F930B002164FDF88FB70C401ADE7362EFC4204F108A59C5016F244DFB0A9418BD0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4eaee5230fea1f1f09efa1910416f510bd256fac91bbad6b1b0b151a810a1b02
                                                                              • Instruction ID: ff00f7d9caac6ae6d46ac885b8a13a3fa62f71c5d41b51462f98e85dc2b3179f
                                                                              • Opcode Fuzzy Hash: 4eaee5230fea1f1f09efa1910416f510bd256fac91bbad6b1b0b151a810a1b02
                                                                              • Instruction Fuzzy Hash: 70F0A9B1A18122CFE79C7AA490183797B73BB81201B068C17E58396940CB7C9C51CF86
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 18af5865d94b80c4361ab65719e9e1a8b3a6cf3b7ed478753acc41e5d116a6b1
                                                                              • Instruction ID: 47befd5f7d7d9ef0815a020b9fc2087e3715593e9504ce34a4c115ee7ae4a395
                                                                              • Opcode Fuzzy Hash: 18af5865d94b80c4361ab65719e9e1a8b3a6cf3b7ed478753acc41e5d116a6b1
                                                                              • Instruction Fuzzy Hash: C2F0543090A2099FDB10EF74EA01EEABF75BB42305F015596E50457651C7301B48CBB6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 35e821ccb7c8c231cb3dd756545371c37b8745a4760a20c3982e46b91b91ee7a
                                                                              • Instruction ID: 77ca39d65cc0d39878930d9d24deae4ac76bcbae0c4c32edf18fa0a6f7a85180
                                                                              • Opcode Fuzzy Hash: 35e821ccb7c8c231cb3dd756545371c37b8745a4760a20c3982e46b91b91ee7a
                                                                              • Instruction Fuzzy Hash: C4018C30228348DFD348AF64E8199EA3F35EB91341B058D4AF04BC7151DF748AA1CF92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cb96438ed704358fc85a42d3919828b35f0139bdc54672ab075d0a7d2e948a6f
                                                                              • Instruction ID: 1d4e26c670b5aad635c78c879bfde8e7d46b84e13f589c71d1dad2b687039f90
                                                                              • Opcode Fuzzy Hash: cb96438ed704358fc85a42d3919828b35f0139bdc54672ab075d0a7d2e948a6f
                                                                              • Instruction Fuzzy Hash: 1FF0AF31E107068ED744B6B9C8005EBF3B6AFD6210F008B2AE1456B104EF70A594CBC2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3b7c18a1ee14bfe33e7d7dca22851d31c3803283dec547338df99309162c7d8a
                                                                              • Instruction ID: 429a129bc37fb473659c314d1d8502fcbad84316b1e92a891589113d816dd360
                                                                              • Opcode Fuzzy Hash: 3b7c18a1ee14bfe33e7d7dca22851d31c3803283dec547338df99309162c7d8a
                                                                              • Instruction Fuzzy Hash: DBF0B431509780CFABDE75D189404627BA56B41E00349989BD477C6A71E765E901CFC2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7a7e3098bdac004a9f89ed60211277f8dcfb0234c6717fba9a38eeba3de9f4dd
                                                                              • Instruction ID: 98c812c14f600c5c984ab6e748965bcedbc3d5130abd6daed9bb2a7d5ec54353
                                                                              • Opcode Fuzzy Hash: 7a7e3098bdac004a9f89ed60211277f8dcfb0234c6717fba9a38eeba3de9f4dd
                                                                              • Instruction Fuzzy Hash: 0AE02733B883200EEB6A305D78683E5A784D382221F060476E94EC714586304904C7E0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5b5bad90c213ab347b9a2942c17c5435a86927ba51894c5e15c0c1e75ced00b2
                                                                              • Instruction ID: 8d37c8a396358fe5be8779f11da72ae91341a7d8eea73727c46a9c77f06bc661
                                                                              • Opcode Fuzzy Hash: 5b5bad90c213ab347b9a2942c17c5435a86927ba51894c5e15c0c1e75ced00b2
                                                                              • Instruction Fuzzy Hash: 52F0E936A10114AFEB59E594EC408EDB3A9EB48220F200B2BE516E32C0D7205400CEA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d8797ea49b0e0e0c2d8065e87e569a2ded848623fe7fa5faeadbadccfe870d2
                                                                              • Instruction ID: 3f0ba0fb591071c13bad7072027baf6cf5918e3fafbe7c006090852667c40720
                                                                              • Opcode Fuzzy Hash: 4d8797ea49b0e0e0c2d8065e87e569a2ded848623fe7fa5faeadbadccfe870d2
                                                                              • Instruction Fuzzy Hash: 63F02032B4011A8FDF54F6A8D9846EE73B9DF84360F914421E602EB255EB30DC4AC792
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7ce0e1d925e517c443a7f29c3934d93fcecfa0e3acc0daa55588e63a1bfddd02
                                                                              • Instruction ID: 34ee145217d14359402f1a7ade7f1cc7aba1d51689880b88de18df9373dda9bb
                                                                              • Opcode Fuzzy Hash: 7ce0e1d925e517c443a7f29c3934d93fcecfa0e3acc0daa55588e63a1bfddd02
                                                                              • Instruction Fuzzy Hash: 71F055367046046FC3119945C880926FB66EFCA230338C8AAD45E87703C7229C07CEB0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 528ac6be5ad1af14e8106cae4f71297a8cb96dd3a6c9a05cf70206356d137096
                                                                              • Instruction ID: 243909a84951df5038fdaf4178583d186a14bbe97acd6763d933ddb9d89dac8e
                                                                              • Opcode Fuzzy Hash: 528ac6be5ad1af14e8106cae4f71297a8cb96dd3a6c9a05cf70206356d137096
                                                                              • Instruction Fuzzy Hash: A6F0E5313082501F8757B31594204A97BB5CBC6664345889FD95ACB711DB71CE06CFF0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5dcbc554d0e514ee01d3164b711071f09be06104dd6c7b1fb3499a9d3d523d25
                                                                              • Instruction ID: ffc5d6c1aede35186931fa4dd5080a5aba8ede3bf2729ddd922c9905bdef1463
                                                                              • Opcode Fuzzy Hash: 5dcbc554d0e514ee01d3164b711071f09be06104dd6c7b1fb3499a9d3d523d25
                                                                              • Instruction Fuzzy Hash: D4F06731F106168EDB45BBB5C8001A9F3B2AFD5200F11CA6AE11A6B204EF35A584CAC1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 15fd726edd2c368f4adce5ba52017e1cf41608b68107c6480829abb522572f5c
                                                                              • Instruction ID: 11cd3b4a2b8ea01005c29a72b97c38dc5cf5a3fed82e907ad390e67dafbdc8d2
                                                                              • Opcode Fuzzy Hash: 15fd726edd2c368f4adce5ba52017e1cf41608b68107c6480829abb522572f5c
                                                                              • Instruction Fuzzy Hash: 63F09030909209DFD710EFA4D544E9DBBB1FF05348F10D999D544AB364C734AE48DB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 96c1183ba6ecd7347cb7938e6843956b04b588f3adb9e0e75ea01d06ea49d5c9
                                                                              • Instruction ID: bb1c10bd81606046528be38a3f73fc54ce5edec3facd125c85fc5e7fb38e9202
                                                                              • Opcode Fuzzy Hash: fffbf7dfddf8c0772c48769a22de294d563651fd38bd45b1589f6d0a69a65c6e
                                                                              • Instruction Fuzzy Hash: 17D02B30314018CF538CBA58A0505E833A89B4E52231208D6D40A8B311CF925C08CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0043988c5403bae62eca911f7a801fd7e6c77639f1ed6c9ba3733d4b23556b5f
                                                                              • Instruction ID: 363870f77b7184a50d2615337dcce34a8b5a5d5b73c3239865cc62f950c8f76f
                                                                              • Opcode Fuzzy Hash: 0043988c5403bae62eca911f7a801fd7e6c77639f1ed6c9ba3733d4b23556b5f
                                                                              • Instruction Fuzzy Hash: 8DE01A30124108DFD75CAF90E95D4A83F35EB40701788C920F5278AA94CF70AE82CF88
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b72531331f77c67c58e1c8dead56dc2a4c5b79fdf12a99c175419c292b560399
                                                                              • Instruction ID: f2276d886dfbb63d32522c2854f07de103fa2a4519e0de9fe683e6a52e1ae7fa
                                                                              • Opcode Fuzzy Hash: b72531331f77c67c58e1c8dead56dc2a4c5b79fdf12a99c175419c292b560399
                                                                              • Instruction Fuzzy Hash: ABE08631409680CEE3DD67A0A9914A17F22DB8626634688DFC0EB06922CB625802DF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 937fdc887f4db3c21e6cf25b921008ec88c1379571694e16905532b6e9fc304a
                                                                              • Instruction ID: b3c3b104a98c91666d271dee758a5eac643efb96aed1f24946eb1ad62486111d
                                                                              • Opcode Fuzzy Hash: 937fdc887f4db3c21e6cf25b921008ec88c1379571694e16905532b6e9fc304a
                                                                              • Instruction Fuzzy Hash: 09D0C731285220CF838A7765A8808E837AAEB823063104E2AE00B87200CFA26C048BD9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3cd60247328c69ac7ff14da18eb0764601830b53b7d4cb4a9f6d3df8daf7c553
                                                                              • Instruction ID: b2206204806bf4d9ad7c34a3991824afc2bd88966f5aa276f4741001fd8758ed
                                                                              • Opcode Fuzzy Hash: 3cd60247328c69ac7ff14da18eb0764601830b53b7d4cb4a9f6d3df8daf7c553
                                                                              • Instruction Fuzzy Hash: 41D0177148C10ACEEBCC7A60D804A31B32BA760224F02CE57E00A08420872F98A3CFCA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 572c9b8386f10161969fffbf052786700ba1cc121184bbe63dfeeb6a3494dc6d
                                                                              • Instruction ID: 1cb30e146e59d3097e0d3c8126e47cc72bc2c1083f8be3457319400ac10bd76e
                                                                              • Opcode Fuzzy Hash: 572c9b8386f10161969fffbf052786700ba1cc121184bbe63dfeeb6a3494dc6d
                                                                              • Instruction Fuzzy Hash: B4E0C23290C515CFEB88FF54D4009D83B12FB70205B268E67AA02CB670D3310D2ACBE6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d93caadc76ce5e9bec62c0b71b73147d2872cda555fe770d29ca3598ce4115eb
                                                                              • Instruction ID: c12089e76824dc883b79dc2f828765dab6c91d6c62bc53d8dc8f827ff0ca5a14
                                                                              • Opcode Fuzzy Hash: d93caadc76ce5e9bec62c0b71b73147d2872cda555fe770d29ca3598ce4115eb
                                                                              • Instruction Fuzzy Hash: 76D05E3000E3882EC34233706C1589B3FA69E431097498182E0988F573D7188518C7A3
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2989224d9b7b5d6072d34db9aba46509cd0839d4bb7341f566ea8d6fe2075b90
                                                                              • Instruction ID: 3f4ef040161be082c49eddeadabfaf07b5427a897d9a6750e9f0790a1878a4b3
                                                                              • Opcode Fuzzy Hash: 2989224d9b7b5d6072d34db9aba46509cd0839d4bb7341f566ea8d6fe2075b90
                                                                              • Instruction Fuzzy Hash: 82D017311092449FEB8DAA60A4802763B479B8520CF7884A9800C0E662C667C493DBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ba72cfd58de7e18597eeb05006e4f7089aeb16278fad94d33299224ba5567b33
                                                                              • Instruction ID: 624f51bd1e30f35652711f86bce0c2b0565126c9ce1603227eb4cb8d770d3bbf
                                                                              • Opcode Fuzzy Hash: ba72cfd58de7e18597eeb05006e4f7089aeb16278fad94d33299224ba5567b33
                                                                              • Instruction Fuzzy Hash: 7ED05E30018344CFD7EC7654D8918A27B6BDB452663428D6BD09B02510CBA2A802CFD1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1e5e740ed7c24b8ad838fd16bf8e5c0cb1c5ffc967eedabe2b33b0fa472be54b
                                                                              • Instruction ID: 27466d3879bfbc2a08bb1fa23b352d265691c99b4099617d41f7590245a5a68a
                                                                              • Opcode Fuzzy Hash: 1e5e740ed7c24b8ad838fd16bf8e5c0cb1c5ffc967eedabe2b33b0fa472be54b
                                                                              • Instruction Fuzzy Hash: 59D0A73140C616CFE388FB09D440C987315B7602043128E12AA0287224D7706D1ACEF7
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0192b9b6b23e97f3d755718a2bdc2a34929cbc66a96acb2d55ecded60eda2a33
                                                                              • Instruction ID: 703e5c504f069ab1f4e548bac45a34c0209f9fcebd8f411911fbac97b2eccf5e
                                                                              • Opcode Fuzzy Hash: 0192b9b6b23e97f3d755718a2bdc2a34929cbc66a96acb2d55ecded60eda2a33
                                                                              • Instruction Fuzzy Hash: CAD0C93AF002198F8FA8A7F0A4550EEB362EBC025DB1045AAD51697244DF369925CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 17167376d783d86bf721db837890046d4d5269102ddbbd37260b1b72a9bc1f0a
                                                                              • Instruction ID: 6eef4bd983c77b4d387c35ae18608cfe88ae8dfd81caeae839139458a56da531
                                                                              • Opcode Fuzzy Hash: 17167376d783d86bf721db837890046d4d5269102ddbbd37260b1b72a9bc1f0a
                                                                              • Instruction Fuzzy Hash: 11D0A775C1E3988ED7562320081A0C03F305B8230638915CB5469C4253E35A800ADF12
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7e2dc7694e6c16389c64ef72337ea918a084c55e727e0db51b7a80aa1ae7aea6
                                                                              • Instruction ID: 85eb54659533c18f1e16dad85f4c8f568c6be4dbe9111d3af7fe2b63ac50d065
                                                                              • Opcode Fuzzy Hash: 7e2dc7694e6c16389c64ef72337ea918a084c55e727e0db51b7a80aa1ae7aea6
                                                                              • Instruction Fuzzy Hash: 8DD0223389010C8FE3A488D0EF077D13771E38D215B68E94AE45AABA02C33082438EC8
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e4809f5c04e7b99d001f7a54d5b140ebef4792adbdc4cd3baf7be50af76c04a9
                                                                              • Instruction ID: 36f5789179a8d5057c03cffacf54156ea39b67693d2d221e9a1a519eef55a08f
                                                                              • Opcode Fuzzy Hash: e4809f5c04e7b99d001f7a54d5b140ebef4792adbdc4cd3baf7be50af76c04a9
                                                                              • Instruction Fuzzy Hash: 53D01234248304CFD78E7B61D8588B57764A7C83153224C59E00F4B219D777EA43CED0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bf6ee6b1bb375b99bef1f67565ce21d54c78e2e41f247c1776dc0ebfae7ed2b1
                                                                              • Instruction ID: 0f366d829a700330b1a57d1669f1f3391bf6fa9ab8aaed0c530fac1aca1507fc
                                                                              • Opcode Fuzzy Hash: bf6ee6b1bb375b99bef1f67565ce21d54c78e2e41f247c1776dc0ebfae7ed2b1
                                                                              • Instruction Fuzzy Hash: 2DC092F86AC309FEF7DC3190EE0AB74377C8308B95E820C22B60F284845B812012CCDA
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2d5d1ef5ab98bf7e0c9395ad21f193fb4162e34e97ae080a4c2310f840babe36
                                                                              • Instruction ID: 4cf290a0ea5aaa9c7f99197e68e28a0e385df194b7cd8d31d28628fab346a71d
                                                                              • Opcode Fuzzy Hash: 2d5d1ef5ab98bf7e0c9395ad21f193fb4162e34e97ae080a4c2310f840babe36
                                                                              • Instruction Fuzzy Hash: 7BB092320022089E43C8B7B6A90A80FBBE99F81109389C090D02C4B532AB25E860CFE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9e1699f90bcb75f93d615f3e00e1d4d0398915624fe825a4fde75f02f7199a5a
                                                                              • Instruction ID: 14c028e56e684b675af622f825827e42afc9bd2399b502e368e37f09440a1d26
                                                                              • Opcode Fuzzy Hash: 9e1699f90bcb75f93d615f3e00e1d4d0398915624fe825a4fde75f02f7199a5a
                                                                              • Instruction Fuzzy Hash: B2C04C306085108F7799B760A8142AC2292E7513443528E5AF103975D4DFA51D0D9BD9
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5a412e406dcc98eab5fb6b49e0d6d2943ee5593193fe71afda14aeea3c4971de
                                                                              • Instruction ID: d283174c96863f79871e99c99505087eda510a41e45dfb3255cedd08ba44380e
                                                                              • Opcode Fuzzy Hash: 5a412e406dcc98eab5fb6b49e0d6d2943ee5593193fe71afda14aeea3c4971de
                                                                              • Instruction Fuzzy Hash: 41B0923100C215AFB2A9BB52DA87C697A2EEB522543428D10E203421A85BB569068DE6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 951e6dfb0f7e1fde145ea228f088fc13dcb917d77113115c0fbcfc5d6ec47083
                                                                              • Instruction ID: 1f3861a78bcdb6522edaeee72ef5b06141f413205558ec23d21b5dbbdb8848bc
                                                                              • Opcode Fuzzy Hash: 951e6dfb0f7e1fde145ea228f088fc13dcb917d77113115c0fbcfc5d6ec47083
                                                                              • Instruction Fuzzy Hash: B2B012303A430C4F1690F6F22D05662378C86004893800021EC0CC0000FA50DC00C549
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f08e9b32bfa70dc97415f13f34bb3b6475fca14ae86da8de4e583fcf23258895
                                                                              • Instruction ID: 545e37ede2015c4a106dc971faa077fed7eb489b3c9df67ce8773c9bcd14259c
                                                                              • Opcode Fuzzy Hash: f08e9b32bfa70dc97415f13f34bb3b6475fca14ae86da8de4e583fcf23258895
                                                                              • Instruction Fuzzy Hash: 2CB012313243080E57D066B33A09A16378C46008043400420F40CC0401FA40D4014558
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.927320200.0000000006180000.00000040.00000001.sdmp, Offset: 06180000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Executed Functions

                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,?,?), ref: 052F5607
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 3555792229-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,?,?), ref: 052F5607
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID:
                                                                              • API String ID: 3555792229-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919165504.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919165504.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052F3F5F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052F3F5F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 052F4F9F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: BaseModuleName
                                                                              • String ID:
                                                                              • API String ID: 595626670-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 052F4F9F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: BaseModuleName
                                                                              • String ID:
                                                                              • API String ID: 595626670-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052F3AB3
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052F3AB3
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 052F06CE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 052F06CE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CopyFile
                                                                              • String ID:
                                                                              • API String ID: 1304948518-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052F393A
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052F393A
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcesses.KERNEL32(?,?,?), ref: 052F45D8
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumProcesses
                                                                              • String ID:
                                                                              • API String ID: 84517404-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcesses.KERNEL32(?,?,?), ref: 052F45D8
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumProcesses
                                                                              • String ID:
                                                                              • API String ID: 84517404-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 052F4D16
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumModulesProcess
                                                                              • String ID:
                                                                              • API String ID: 1082081703-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetThreadContext.KERNELBASE(?,?), ref: 052F3787
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02B9FA74
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.912965679.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 052F4D16
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: EnumModulesProcess
                                                                              • String ID:
                                                                              • API String ID: 1082081703-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetThreadContext.KERNELBASE(?,?), ref: 052F3787
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ContextThread
                                                                              • String ID:
                                                                              • API String ID: 1591575202-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ResumeThread.KERNELBASE(?), ref: 02B9FD1E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.912965679.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 052F518D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 052F518D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.919059062.00000000052F0000.00000040.00000001.sdmp, Offset: 052F0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Executed Functions

                                                                              APIs
                                                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C9FA74
                                                                              Memory Dump Source
                                                                              • Source File: 00000011.00000002.921453938.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00C9FD1E
                                                                              Memory Dump Source
                                                                              • Source File: 00000011.00000002.921453938.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false
                                                                              Similarity
                                                                              • API ID: ChangeCloseFindNotification
                                                                              • String ID:
                                                                              • API String ID: 2591292051-0
                                                                              • Opcode ID: 7e189ab745913be9a306e9a35da5496e8862fdba30ad68bd8db40e715f017cb7
                                                                              • Instruction ID: 84a71558c0063791e27cd0f17b5f35843a1649d4f6a8cc116117deffd4e639eb
                                                                              • Opcode Fuzzy Hash: 7e189ab745913be9a306e9a35da5496e8862fdba30ad68bd8db40e715f017cb7
                                                                              • Instruction Fuzzy Hash: B931CAB5D002189FDF14CFAAD884ADEFBB5AF48314F10842AE815B7300D775A901CF94
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions

                                                                              Executed Functions

                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32 ref: 02EBB730
                                                                              • GetCurrentThread.KERNEL32 ref: 02EBB76D
                                                                              • GetCurrentProcess.KERNEL32 ref: 02EBB7AA
                                                                              • GetCurrentThreadId.KERNEL32 ref: 02EBB803
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: Current$ProcessThread
                                                                              • String ID:
                                                                              • API String ID: 2063062207-0
                                                                              • Opcode ID: ffec35ca2e184cc0871e3eeeea8e7f1436fff35e6740a988994bedb0275ee6db
                                                                              • Instruction ID: 52a23fdb769df22dd448679bf52ec6abad7a405d976b42c38c23858d3cdb38a4
                                                                              • Opcode Fuzzy Hash: ffec35ca2e184cc0871e3eeeea8e7f1436fff35e6740a988994bedb0275ee6db
                                                                              • Instruction Fuzzy Hash: C35134B49002598FDB10CFAAD5887DEBFF5AF48308F20C56EE419A7250DB749844CF66
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32 ref: 02EBB730
                                                                              • GetCurrentThread.KERNEL32 ref: 02EBB76D
                                                                              • GetCurrentProcess.KERNEL32 ref: 02EBB7AA
                                                                              • GetCurrentThreadId.KERNEL32 ref: 02EBB803
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: Current$ProcessThread
                                                                              • String ID:
                                                                              • API String ID: 2063062207-0
                                                                              • Opcode ID: 3fc592187cba1a4e00c4d21f78546c402e43a5f0ccf4cf371b61ae2814d6e181
                                                                              • Instruction ID: 2e6e39770e3cab60881201d316e2ed7a9d951429f0bc898e42f4907000c348bd
                                                                              • Opcode Fuzzy Hash: 3fc592187cba1a4e00c4d21f78546c402e43a5f0ccf4cf371b61ae2814d6e181
                                                                              • Instruction Fuzzy Hash: 0A5113B49002598FDB14CFAAD588BDEBBF5AF48308F20C56DE419B7250DB749844CF65
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02EB962E
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: 0237724eae3e0831af9d15ee9f5c7b015d357343a2d585ed11757167dc2e3836
                                                                              • Instruction ID: 41d526ef004a71180aceecd61bbeb6b794aedb01e6681c47a2e2ffaa00fe1bcc
                                                                              • Opcode Fuzzy Hash: 0237724eae3e0831af9d15ee9f5c7b015d357343a2d585ed11757167dc2e3836
                                                                              • Instruction Fuzzy Hash: 9D711370A00B158FD725DF2AD48179BBBF6BF88208F00892ED58AD7A50DB75E805CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EBFD0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 4db4f4d820eb2455b1210a9278b18fa9052954f785218112020c39461b94196d
                                                                              • Instruction ID: a11a100bc6c89cc6019a0add2814bfee98fde4a1c4ab8259759d1cd0fada4955
                                                                              • Opcode Fuzzy Hash: 4db4f4d820eb2455b1210a9278b18fa9052954f785218112020c39461b94196d
                                                                              • Instruction Fuzzy Hash: 9F51F0B1C04249EFDF06CFA9D980ADEBFB1BF49304F24816AE808AB221D7719945CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EBFD0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: e017d0a3cc0eb6c73a2803de2f3ff30ea6c4f67939e870b5f8829be35fecd8ab
                                                                              • Instruction ID: a67fce632d46d4286c6f9de7cac20bfa5804dd000f2aa8d8632387accecd2f81
                                                                              • Opcode Fuzzy Hash: e017d0a3cc0eb6c73a2803de2f3ff30ea6c4f67939e870b5f8829be35fecd8ab
                                                                              • Instruction Fuzzy Hash: 2551E4B1D00349EFDB15CFA9D8846DEBBB1FF49304F24856AE405AB210D774A945CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EBFD0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 5176f9f5e5f0cf0f654fa54fd848d03eb0c67670905c68da0de9ca2e65a9a2fa
                                                                              • Instruction ID: ceaccfa545372c28609753f861cf74ea89e47912aa2cb34e4e30f884aab20b20
                                                                              • Opcode Fuzzy Hash: 5176f9f5e5f0cf0f654fa54fd848d03eb0c67670905c68da0de9ca2e65a9a2fa
                                                                              • Instruction Fuzzy Hash: 4241AFB1D00209EFDB15CFA9D884ADEFBB5FF48314F24852AE819AB210D775A945CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBBD87
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: 627933bc7b78b0e3e5a1fe7edfc6bc46e185d5e2fdc3ef84b6f45eb71bcd6543
                                                                              • Instruction ID: 5a871314e5c4ddd33c4ec82e7562e94eec4dc90b3c2184ac5f4399390d7f6416
                                                                              • Opcode Fuzzy Hash: 627933bc7b78b0e3e5a1fe7edfc6bc46e185d5e2fdc3ef84b6f45eb71bcd6543
                                                                              • Instruction Fuzzy Hash: 5A21D2B5900249AFDB10CFAAD984BDEBFF4EF49314F14845AE958A3310D378A944CFA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EBBD87
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: a070ed5de46761b00371a63d577ee5fb4c8fe2476519fe43ef829cb0fa218d09
                                                                              • Instruction ID: 164529c235eca80dd3ffb3a2dc556ee39706aa65b94c78b8318a526f700144e5
                                                                              • Opcode Fuzzy Hash: a070ed5de46761b00371a63d577ee5fb4c8fe2476519fe43ef829cb0fa218d09
                                                                              • Instruction Fuzzy Hash: 4921B3B5900249AFDB10CFAAD984BDEFBF4EB49314F14841AE958A3310D378A944CFA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EB96A9,00000800,00000000,00000000), ref: 02EB98BA
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 2ba73827e509f756bdde9fde756b2e86cc1bd2d0774b777b8da0b089c491e8f8
                                                                              • Instruction ID: c8055f036601efce57365baf0161b49189427b02f6addeaa2b81f37ce4600850
                                                                              • Opcode Fuzzy Hash: 2ba73827e509f756bdde9fde756b2e86cc1bd2d0774b777b8da0b089c491e8f8
                                                                              • Instruction Fuzzy Hash: F111F2B59002099FDB10CF9AD444BDEFBF4EF49314F10842ED919A7600C375A945CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EB96A9,00000800,00000000,00000000), ref: 02EB98BA
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 30714f39a5b678e89f70ed5d9063f0c2fc9038aa19e3f903ba857cc80b1121aa
                                                                              • Instruction ID: aa07137906774ac6732d8a5a9b80266e561f569d18da6f699427b657ea50df38
                                                                              • Opcode Fuzzy Hash: 30714f39a5b678e89f70ed5d9063f0c2fc9038aa19e3f903ba857cc80b1121aa
                                                                              • Instruction Fuzzy Hash: 1C1100B6D002499FDB10CFAAD844BDEFBF4EF89314F14842AE919A7200C775A545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02EB962E
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,?,?), ref: 02EBFE9D
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LongWindow
                                                                              • String ID:
                                                                              • API String ID: 1378638983-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,?,?), ref: 02EBFE9D
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.921381161.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                                              Similarity
                                                                              • API ID: LongWindow
                                                                              • String ID:
                                                                              • API String ID: 1378638983-0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Non-executed Functions