Play interactive tour

Edit tour

Analysis Report CONTRACT.exe

Overview

General Information

Sample Name:	CONTRACT.exe
Analysis ID:	431926
MD5:	02430d34be900990fbf6a7efe35a7c64
SHA1:	00b40170c46ae026cf518588d5b6177538bb1036
SHA256:	80ca460c629559cf38e1244983877ed9c041c636c1f2e7e388ae2f9ba4d06788
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

CONTRACT.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\CONTRACT.exe' MD5: 02430D34BE900990FBF6A7EFE35A7C64)

schtasks.exe (PID: 6092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CONTRACT.exe (PID: 6168 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)

schtasks.exe (PID: 5892 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CONTRACT.exe (PID: 4600 cmdline: C:\Users\user\Desktop\CONTRACT.exe 0 MD5: 02430D34BE900990FBF6A7EFE35A7C64)

schtasks.exe (PID: 6440 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CONTRACT.exe (PID: 5952 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)

CONTRACT.exe (PID: 1388 cmdline: {path} MD5: 02430D34BE900990FBF6A7EFE35A7C64)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "30b6fbac-dd0d-47bd-b8ab-6df66b01", "Group": "Default", "Domain1": "kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu", "Domain2": "", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.415", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x236cb:$a: NanoCore 0x23724:$a: NanoCore 0x23761:$a: NanoCore 0x237da:$a: NanoCore 0x2372d:$b: ClientPlugin 0x2376a:$b: ClientPlugin 0x24068:$b: ClientPlugin 0x24075:$b: ClientPlugin 0x1b453:$e: KeepAlive 0x23bb5:$g: LogClientMessage 0x23b35:$i: get_Connected 0x156fd:$j: #=q 0x1572d:$j: #=q 0x15769:$j: #=q 0x15791:$j: #=q 0x157c1:$j: #=q 0x157f1:$j: #=q 0x15821:$j: #=q 0x15851:$j: #=q 0x1586d:$j: #=q 0x1589d:$j: #=q
00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8645:$x1: NanoCore.ClientPluginHost 0xa8682:$x2: IClientNetworkHost 0xac1b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa83ad:$a: NanoCore 0xa83bd:$a: NanoCore 0xa85f1:$a: NanoCore 0xa8605:$a: NanoCore 0xa8645:$a: NanoCore 0xa840c:$b: ClientPlugin 0xa860e:$b: ClientPlugin 0xa864e:$b: ClientPlugin 0xa8533:$c: ProjectData 0xa8f3a:$d: DESCrypto 0xb0906:$e: KeepAlive 0xae8f4:$g: LogClientMessage 0xaaaef:$i: get_Connected 0xa9270:$j: #=q 0xa92a0:$j: #=q 0xa92bc:$j: #=q 0xa92ec:$j: #=q 0xa9308:$j: #=q 0xa9324:$j: #=q 0xa9354:$j: #=q 0xa9370:$j: #=q
0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d5a5:$x1: NanoCore.ClientPluginHost 0x13ffc5:$x1: NanoCore.ClientPluginHost 0x10d5e2:$x2: IClientNetworkHost 0x140002:$x2: IClientNetworkHost 0x111115:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x143b35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10d30d:$a: NanoCore 0x10d31d:$a: NanoCore 0x10d551:$a: NanoCore 0x10d565:$a: NanoCore 0x10d5a5:$a: NanoCore 0x13fd2d:$a: NanoCore 0x13fd3d:$a: NanoCore 0x13ff71:$a: NanoCore 0x13ff85:$a: NanoCore 0x13ffc5:$a: NanoCore 0x10d36c:$b: ClientPlugin 0x10d56e:$b: ClientPlugin 0x10d5ae:$b: ClientPlugin 0x13fd8c:$b: ClientPlugin 0x13ff8e:$b: ClientPlugin 0x13ffce:$b: ClientPlugin 0x10d493:$c: ProjectData 0x13feb3:$c: ProjectData 0x10de9a:$d: DESCrypto 0x1408ba:$d: DESCrypto 0x115866:$e: KeepAlive
0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49ab5:$a: NanoCore 0x49b0e:$a: NanoCore 0x49b4b:$a: NanoCore 0x49bc4:$a: NanoCore 0x5d26f:$a: NanoCore 0x5d284:$a: NanoCore 0x5d2b9:$a: NanoCore 0x7626b:$a: NanoCore 0x76280:$a: NanoCore 0x762b5:$a: NanoCore 0x49b17:$b: ClientPlugin 0x49b54:$b: ClientPlugin 0x4a452:$b: ClientPlugin 0x4a45f:$b: ClientPlugin 0x5d02b:$b: ClientPlugin 0x5d046:$b: ClientPlugin 0x5d076:$b: ClientPlugin 0x5d28d:$b: ClientPlugin 0x5d2c2:$b: ClientPlugin 0x76027:$b: ClientPlugin 0x76042:$b: ClientPlugin
0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3ab5:$a: NanoCore 0x3b0e:$a: NanoCore 0x3b4b:$a: NanoCore 0x3bc4:$a: NanoCore 0x1726f:$a: NanoCore 0x17284:$a: NanoCore 0x172b9:$a: NanoCore 0x3026b:$a: NanoCore 0x30280:$a: NanoCore 0x302b5:$a: NanoCore 0x3b17:$b: ClientPlugin 0x3b54:$b: ClientPlugin 0x4452:$b: ClientPlugin 0x445f:$b: ClientPlugin 0x1702b:$b: ClientPlugin 0x17046:$b: ClientPlugin 0x17076:$b: ClientPlugin 0x1728d:$b: ClientPlugin 0x172c2:$b: ClientPlugin 0x30027:$b: ClientPlugin 0x30042:$b: ClientPlugin
00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x74f15:$x1: NanoCore.ClientPluginHost 0x74f52:$x2: IClientNetworkHost 0x78a85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x74c7d:$a: NanoCore 0x74c8d:$a: NanoCore 0x74ec1:$a: NanoCore 0x74ed5:$a: NanoCore 0x74f15:$a: NanoCore 0x74cdc:$b: ClientPlugin 0x74ede:$b: ClientPlugin 0x74f1e:$b: ClientPlugin 0x74e03:$c: ProjectData 0x7580a:$d: DESCrypto 0x7d1d6:$e: KeepAlive 0x7b1c4:$g: LogClientMessage 0x773bf:$i: get_Connected 0x75b40:$j: #=q 0x75b70:$j: #=q 0x75b8c:$j: #=q 0x75bbc:$j: #=q 0x75bd8:$j: #=q 0x75bf4:$j: #=q 0x75c24:$j: #=q 0x75c40:$j: #=q
Process Memory Space: CONTRACT.exe PID: 6168	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa1329:$x1: NanoCore.ClientPluginHost 0x150864:$x1: NanoCore.ClientPluginHost 0x1b7104:$x1: NanoCore.ClientPluginHost 0x2e6216:$x1: NanoCore.ClientPluginHost 0x2ebdd5:$x1: NanoCore.ClientPluginHost 0x2fd197:$x1: NanoCore.ClientPluginHost 0x33b42a:$x1: NanoCore.ClientPluginHost 0xa138a:$x2: IClientNetworkHost 0x15088a:$x2: IClientNetworkHost 0x1b712a:$x2: IClientNetworkHost 0x2e623c:$x2: IClientNetworkHost 0x2ebe1a:$x2: IClientNetworkHost 0x2fd1dc:$x2: IClientNetworkHost 0x33b46f:$x2: IClientNetworkHost 0xa678f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb4701:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CONTRACT.exe PID: 6168	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CONTRACT.exe PID: 6168	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x63d0e:$a: NanoCore 0xa0e2e:$a: NanoCore 0xa0e4a:$a: NanoCore 0xa0fa5:$a: NanoCore 0xa0fb4:$a: NanoCore 0xa128d:$a: NanoCore 0xa12b9:$a: NanoCore 0xa1329:$a: NanoCore 0xb0d6b:$a: NanoCore 0xb0d7d:$a: NanoCore 0xb0db9:$a: NanoCore 0x150756:$a: NanoCore 0x1507f7:$a: NanoCore 0x150864:$a: NanoCore 0x150925:$a: NanoCore 0x1517f6:$a: NanoCore 0x151849:$a: NanoCore 0x151882:$a: NanoCore 0x1518f5:$a: NanoCore 0x1ac2fa:$a: NanoCore 0x1ac31a:$a: NanoCore
Process Memory Space: CONTRACT.exe PID: 4600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CONTRACT.exe PID: 1388	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb2cc:$x1: NanoCore.ClientPluginHost 0x52d25:$x1: NanoCore.ClientPluginHost 0x6c4f1:$x1: NanoCore.ClientPluginHost 0x720b0:$x1: NanoCore.ClientPluginHost 0x8345c:$x1: NanoCore.ClientPluginHost 0xb32d:$x2: IClientNetworkHost 0x52d4b:$x2: IClientNetworkHost 0x6c517:$x2: IClientNetworkHost 0x720f5:$x2: IClientNetworkHost 0x834a1:$x2: IClientNetworkHost 0x10732:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e6a4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CONTRACT.exe PID: 1388	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CONTRACT.exe PID: 1388	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xadd1:$a: NanoCore 0xaded:$a: NanoCore 0xaf48:$a: NanoCore 0xaf57:$a: NanoCore 0xb230:$a: NanoCore 0xb25c:$a: NanoCore 0xb2cc:$a: NanoCore 0x1ad0e:$a: NanoCore 0x1ad20:$a: NanoCore 0x1ad5c:$a: NanoCore 0x46a0d:$a: NanoCore 0x46a92:$a: NanoCore 0x46b7d:$a: NanoCore 0x52c17:$a: NanoCore 0x52cb8:$a: NanoCore 0x52d25:$a: NanoCore 0x52de6:$a: NanoCore 0x53cb7:$a: NanoCore 0x53d0a:$a: NanoCore 0x53d43:$a: NanoCore 0x53db6:$a: NanoCore
Process Memory Space: CONTRACT.exe PID: 6344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
28.0.CONTRACT.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.0.CONTRACT.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.0.CONTRACT.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.0.CONTRACT.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.CONTRACT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.CONTRACT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.CONTRACT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
15.2.CONTRACT.exe.5330000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.CONTRACT.exe.5330000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.CONTRACT.exe.5b24629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
15.2.CONTRACT.exe.5b24629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
15.2.CONTRACT.exe.5b24629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.3deeb0c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.CONTRACT.exe.3deeb0c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.CONTRACT.exe.3deeb0c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CONTRACT.exe.da294b8.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CONTRACT.exe.da294b8.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.CONTRACT.exe.da294b8.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CONTRACT.exe.da294b8.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
28.2.CONTRACT.exe.2cc38ec.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.CONTRACT.exe.2cc38ec.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.CONTRACT.exe.3cf3135.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
28.2.CONTRACT.exe.3cf3135.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
28.2.CONTRACT.exe.3cf3135.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.3de9cd6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
15.2.CONTRACT.exe.3de9cd6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
15.2.CONTRACT.exe.3de9cd6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.3de9cd6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
15.0.CONTRACT.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.CONTRACT.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.CONTRACT.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.CONTRACT.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.0.CONTRACT.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.0.CONTRACT.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.0.CONTRACT.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.0.CONTRACT.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.CONTRACT.exe.5b20000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.CONTRACT.exe.5b20000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.CONTRACT.exe.5b20000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CONTRACT.exe.da294b8.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CONTRACT.exe.da294b8.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CONTRACT.exe.da294b8.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CONTRACT.exe.da294b8.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
28.0.CONTRACT.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.0.CONTRACT.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.0.CONTRACT.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.0.CONTRACT.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.CONTRACT.exe.3deeb0c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
15.2.CONTRACT.exe.3deeb0c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
15.2.CONTRACT.exe.3deeb0c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.5b20000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
15.2.CONTRACT.exe.5b20000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
15.2.CONTRACT.exe.5b20000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.CONTRACT.exe.3ceeb0c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
28.2.CONTRACT.exe.3ceeb0c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
28.2.CONTRACT.exe.3ceeb0c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.CONTRACT.exe.46be418.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.CONTRACT.exe.46be418.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
18.2.CONTRACT.exe.46be418.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.CONTRACT.exe.46be418.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
18.2.CONTRACT.exe.46be418.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.CONTRACT.exe.46be418.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
18.2.CONTRACT.exe.46be418.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.CONTRACT.exe.46be418.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
15.2.CONTRACT.exe.3df3135.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
15.2.CONTRACT.exe.3df3135.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
15.2.CONTRACT.exe.3df3135.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.CONTRACT.exe.2db12f4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.CONTRACT.exe.2db12f4.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.CONTRACT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.CONTRACT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.2.CONTRACT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.CONTRACT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 76 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CONTRACT.exe, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "30b6fbac-dd0d-47bd-b8ab-6df66b01", "Group": "Default", "Domain1": "kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu", "Domain2": "", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.415", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Show sources

Source: CONTRACT.exe

ReversingLabs: Detection: 36%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CONTRACT.exe

Joe Sandbox ML: detected

Source: 15.2.CONTRACT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.0.CONTRACT.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.0.CONTRACT.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.CONTRACT.exe.5b20000.11.unpack	Avira: Label: TR/NanoCore.fadte
Source: 15.0.CONTRACT.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.0.CONTRACT.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.CONTRACT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: CONTRACT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\CONTRACT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: CONTRACT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: CONTRACT.exe, 00000000.00000002.331511150.0000000007640000.00000002.00000001.sdmp, CONTRACT.exe, 0000000F.00000002.507447877.0000000005710000.00000002.00000001.sdmp, CONTRACT.exe, 00000012.00000002.416976159.0000000006C60000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu

Source: global traffic

TCP traffic: 192.168.2.5:49713 -> 185.140.53.135:1187

Source: Joe Sandbox View

IP Address: 185.140.53.135 185.140.53.135

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu

Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CONTRACT.exe, 00000000.00000003.235560856.0000000005A80000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CONTRACT.exe, 00000000.00000003.238068775.0000000005A7D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com8
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.234802969.0000000005AAD000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.235175021.0000000005A74000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CONTRACT.exe, 00000000.00000003.235175021.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CONTRACT.exe, 00000000.00000003.234859930.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn1
Source: CONTRACT.exe, 00000000.00000003.234859930.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnPq
Source: CONTRACT.exe, 00000000.00000003.234802969.0000000005AAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Cg
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0z
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Qg3
Source: CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CONTRACT.exe, 00000000.00000003.233856245.0000000005A76000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krl
Source: CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: CONTRACT.exe, 00000000.00000003.232884277.0000000005A8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comcm
Source: CONTRACT.exe, 00000000.00000003.232943546.0000000005A8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comnm
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: CONTRACT.exe, 00000000.00000002.321826037.0000000001640000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: CONTRACT.exe, 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.CONTRACT.exe.5330000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.CONTRACT.exe.2cc38ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.CONTRACT.exe.2db12f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_0504152A NtQuerySystemInformation,		15_2_0504152A
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_050414EF NtQuerySystemInformation,		15_2_050414EF

Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320A320	0_2_0320A320
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03202720	0_2_03202720
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320BEA0	0_2_0320BEA0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03209EE0	0_2_03209EE0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320B560	0_2_0320B560
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320F140	0_2_0320F140
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320ADB8	0_2_0320ADB8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320CD98	0_2_0320CD98
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_032059E0	0_2_032059E0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03205C48	0_2_03205C48
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03209858	0_2_03209858
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_032094C8	0_2_032094C8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320DB28	0_2_0320DB28
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03202710	0_2_03202710
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320EB48	0_2_0320EB48
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_032057BF	0_2_032057BF
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320EF90	0_2_0320EF90
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03206247	0_2_03206247
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03206258	0_2_03206258
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03205917	0_2_03205917
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320ED40	0_2_0320ED40
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320E5A0	0_2_0320E5A0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320B998	0_2_0320B998
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03205C38	0_2_03205C38
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320586F	0_2_0320586F
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_0320E840	0_2_0320E840
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03205841	0_2_03205841
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_032058B1	0_2_032058B1
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_032058CB	0_2_032058CB
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481758	0_2_07481758
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481318	0_2_07481318
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480070	0_2_07480070
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07483690	0_2_07483690
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481748	0_2_07481748
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480540	0_2_07480540
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480550	0_2_07480550
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07482F78	0_2_07482F78
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07483F78	0_2_07483F78
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480B19	0_2_07480B19
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481311	0_2_07481311
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07483F28	0_2_07483F28
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07484529	0_2_07484529
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480B20	0_2_07480B20
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07484538	0_2_07484538
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481FEC	0_2_07481FEC
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07482F88	0_2_07482F88
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07483F88	0_2_07483F88
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481A7F	0_2_07481A7F
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07480006	0_2_07480006
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07482006	0_2_07482006
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07482028	0_2_07482028
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07483680	0_2_07483680
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_07481A90	0_2_07481A90
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE3850	15_2_04EE3850
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE86A8	15_2_04EE86A8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE92A8	15_2_04EE92A8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE2FA8	15_2_04EE2FA8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE23A0	15_2_04EE23A0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EEAF31	15_2_04EEAF31
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE306F	15_2_04EE306F
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE95BB	15_2_04EE95BB
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE936F	15_2_04EE936F
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_04EE9B50	15_2_04EE9B50
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577B560	18_2_0577B560
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577F140	18_2_0577F140
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_057759E0	18_2_057759E0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577ADB8	18_2_0577ADB8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577CD98	18_2_0577CD98
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05779858	18_2_05779858
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05775C48	18_2_05775C48
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_057794C8	18_2_057794C8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577A320	18_2_0577A320
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05772720	18_2_05772720
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05779EE0	18_2_05779EE0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577BEA0	18_2_0577BEA0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577ED40	18_2_0577ED40
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_057755B1	18_2_057755B1
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577E5A0	18_2_0577E5A0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577B998	18_2_0577B998
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577E840	18_2_0577E840
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05775C38	18_2_05775C38
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_057758CB	18_2_057758CB
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577EB48	18_2_0577EB48
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577DB28	18_2_0577DB28
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05772710	18_2_05772710
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_0577EF90	18_2_0577EF90
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05776258	18_2_05776258
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05776247	18_2_05776247
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F41E0	18_2_071F41E0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3610	18_2_071F3610
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0070	18_2_071F0070
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1318	18_2_071F1318
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3918	18_2_071F3918
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1316	18_2_071F1316
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3F08	18_2_071F3F08
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F2F38	18_2_071F2F38
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0B20	18_2_071F0B20
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1758	18_2_071F1758
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0550	18_2_071F0550
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1748	18_2_071F1748
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0540	18_2_071F0540
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F2F78	18_2_071F2F78
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F2F88	18_2_071F2F88
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F41D1	18_2_071F41D1
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0006	18_2_071F0006
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3600	18_2_071F3600
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F2028	18_2_071F2028
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F2026	18_2_071F2026
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1A41	18_2_071F1A41
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1640	18_2_071F1640
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1A7F	18_2_071F1A7F
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F1A90	18_2_071F1A90
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F44B8	18_2_071F44B8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F44B6	18_2_071F44B6
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3EA8	18_2_071F3EA8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0AC7	18_2_071F0AC7
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F3EF8	18_2_071F3EF8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_071F0AF1	18_2_071F0AF1
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_00F82FA8	28_2_00F82FA8
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_00F823A0	28_2_00F823A0
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_00F83850	28_2_00F83850
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_00F8306F	28_2_00F8306F

Source: CONTRACT.exe, 00000000.00000002.320453077.0000000000E70000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.321826037.0000000001640000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.330904879.00000000071D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.331227731.0000000007500000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.331227731.0000000007500000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.331511150.0000000007640000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.328078636.0000000005930000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs CONTRACT.exe
Source: CONTRACT.exe, 00000000.00000002.331081001.00000000074A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000000.319310047.0000000000710000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.506876489.0000000004FF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.501147747.0000000000D2A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.508210268.00000000063D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.507690875.0000000005B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000000F.00000002.507447877.0000000005710000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.417606505.0000000006F50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.418463825.0000000007270000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.418463825.0000000007270000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000000.327386760.0000000000FA0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.412946319.00000000039A3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.418259595.0000000007210000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CONTRACT.exe
Source: CONTRACT.exe, 00000012.00000002.416976159.0000000006C60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 0000001A.00000002.405851211.00000000004B0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.424334425.00000000005B0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.424932741.0000000000CBA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs CONTRACT.exe
Source: CONTRACT.exe, 0000001C.00000002.425752443.0000000004DD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CONTRACT.exe
Source: CONTRACT.exe	Binary or memory string: OriginalFilenamep6FirY.exeR vs CONTRACT.exe

Source: CONTRACT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.CONTRACT.exe.5330000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.5330000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.CONTRACT.exe.2cc38ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.2cc38ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.CONTRACT.exe.2db12f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.CONTRACT.exe.2db12f4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.0.CONTRACT.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.0.CONTRACT.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.0.CONTRACT.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.0.CONTRACT.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.CONTRACT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 28.2.CONTRACT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/7@17/1

Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_050412EA AdjustTokenPrivileges,	15_2_050412EA
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_050412B3 AdjustTokenPrivileges,	15_2_050412B3
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05C319CE AdjustTokenPrivileges,	18_2_05C319CE
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05C31997 AdjustTokenPrivileges,	18_2_05C31997

Source: C:\Users\user\Desktop\CONTRACT.exe

File created: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_01
Source: C:\Users\user\Desktop\CONTRACT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\CONTRACT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{30b6fbac-dd0d-47bd-b8ab-6df66b017896}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01

Source: C:\Users\user\Desktop\CONTRACT.exe

File created: C:\Users\user\AppData\Local\Temp\tmp99D6.tmp

Jump to behavior

Source: CONTRACT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CONTRACT.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\CONTRACT.exe

File read: C:\Users\user\Desktop\CONTRACT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CONTRACT.exe 'C:\Users\user\Desktop\CONTRACT.exe'
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\CONTRACT.exe C:\Users\user\Desktop\CONTRACT.exe 0
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: CONTRACT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\CONTRACT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: CONTRACT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_00D78794 push 28700002h; retn 0000h	0_2_00D789D9
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_00D77076 push ebp; iretd	0_2_00D77077
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 0_2_03202D94 push dword ptr [ecx]; retf	0_2_03202D9C
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00617076 push ebp; iretd	15_2_00617077
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00618794 push 28700002h; retn 0000h	15_2_006189D9
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00CE74AC push ecx; ret	15_2_00CE74AD
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00CE74B8 push ebp; ret	15_2_00CE74B9
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00CE9D58 pushad ; retf	15_2_00CE9D59
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_00CE9D54 push eax; retf	15_2_00CE9D55
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_00EA8794 push 28700002h; retn 0000h	18_2_00EA89D9
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_00EA7076 push ebp; iretd	18_2_00EA7077
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 18_2_05772D94 push dword ptr [ecx]; retf	18_2_05772D9C
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 26_2_003B7076 push ebp; iretd	26_2_003B7077
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 26_2_003B8794 push 28700002h; retn 0000h	26_2_003B89D9
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_004B7076 push ebp; iretd	28_2_004B7077
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 28_2_004B8794 push 28700002h; retn 0000h	28_2_004B89D9

Source: initial sample	Static PE information: section name: .text entropy: 7.29376967447
Source: initial sample	Static PE information: section name: .text entropy: 7.29376967447

Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.CONTRACT.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.0.CONTRACT.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.0.CONTRACT.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.0.CONTRACT.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.0.CONTRACT.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 28.0.CONTRACT.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 28.0.CONTRACT.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.2.CONTRACT.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.2.CONTRACT.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\CONTRACT.exe

File created: C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\CONTRACT.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\CONTRACT.exe

File opened: C:\Users\user\Desktop\CONTRACT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 4600, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 6344, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CONTRACT.exe, 00000000.00000002.323016759.00000000036B1000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CONTRACT.exe, 00000000.00000002.323016759.00000000036B1000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\CONTRACT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

Window / User API: foregroundWindowGot 708

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe TID: 6376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 3596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 3596	Thread sleep count: 132 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 3596	Thread sleep count: 210 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 4532	Thread sleep count: 143 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 5804	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 4696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CONTRACT.exe

Code function: 15_2_05041012 GetSystemInfo,

15_2_05041012

Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: CONTRACT.exe, 0000000F.00000002.508210268.00000000063D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: CONTRACT.exe, 0000000F.00000002.501442796.0000000000DAD000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CONTRACT.exe, 0000000F.00000002.508210268.00000000063D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CONTRACT.exe, 0000000F.00000002.508210268.00000000063D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: CONTRACT.exe, 00000012.00000002.412160555.00000000035F3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: CONTRACT.exe, 0000000F.00000002.501442796.0000000000DAD000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CONTRACT.exe, 0000000F.00000002.508210268.00000000063D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\CONTRACT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\CONTRACT.exe	Memory written: C:\Users\user\Desktop\CONTRACT.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Memory written: C:\Users\user\Desktop\CONTRACT.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Process created: C:\Users\user\Desktop\CONTRACT.exe {path}	Jump to behavior

Source: CONTRACT.exe, 0000000F.00000002.501442796.0000000000DAD000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: CONTRACT.exe, 0000000F.00000002.502050466.0000000001470000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CONTRACT.exe, 0000000F.00000002.502050466.0000000001470000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CONTRACT.exe, 0000000F.00000002.502050466.0000000001470000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: CONTRACT.exe, 0000000F.00000002.501356514.0000000000D99000.00000004.00000020.sdmp	Binary or memory string: sProgram ManagerD[
Source: CONTRACT.exe, 0000000F.00000002.502050466.0000000001470000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: CONTRACT.exe, 0000000F.00000002.502050466.0000000001470000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: CONTRACT.exe, 0000000F.00000002.505011573.0000000002E5C000.00000004.00000001.sdmp	Binary or memory string: Program Manager8V
Source: CONTRACT.exe, 0000000F.00000002.501442796.0000000000DAD000.00000004.00000020.sdmp	Binary or memory string: Program Manager\

Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONTRACT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CONTRACT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: CONTRACT.exe, 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CONTRACT.exe, 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CONTRACT.exe, 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: CONTRACT.exe, 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 6168, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONTRACT.exe PID: 1388, type: MEMORY
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ce9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3cf3135.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3de9cd6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONTRACT.exe.da294b8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.CONTRACT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3deeb0c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.5b20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.3ceeb0c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.CONTRACT.exe.46be418.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.CONTRACT.exe.3df3135.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.CONTRACT.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_0504283A bind,		15_2_0504283A
Source: C:\Users\user\Desktop\CONTRACT.exe	Code function: 15_2_050427E8 bind,		15_2_050427E8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading1	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CONTRACT.exe	36%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
CONTRACT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe	36%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.CONTRACT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
28.0.CONTRACT.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.0.CONTRACT.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
15.2.CONTRACT.exe.5b20000.11.unpack	100%	Avira	TR/NanoCore.fadte	Download File
15.0.CONTRACT.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
28.0.CONTRACT.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
28.2.CONTRACT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sandoll.co.krl	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.tiro.comnm	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0z	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn1	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnl-g	0%	Avira URL Cloud	safe
http://www.tiro.comcm	0%	Avira URL Cloud	safe
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ita	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/n	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Qg3	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.founder.com.cn/cnPq	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Cg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.globalsign.cloud	104.18.24.243	true	false		unknown
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	185.140.53.135	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.krl	CONTRACT.exe, 00000000.00000003.233856245.0000000005A76000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comion	CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	CONTRACT.exe, 00000000.00000003.235560856.0000000005A80000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.come.com	CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comnm	CONTRACT.exe, 00000000.00000003.232943546.0000000005A8B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0z	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	CONTRACT.exe, 00000000.00000003.235175021.0000000005A74000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn1	CONTRACT.exe, 00000000.00000003.234859930.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.234802969.0000000005AAD000.00000004.00000001.sdmp, CONTRACT.exe, 00000000.00000003.235175021.0000000005A74000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnl-g	CONTRACT.exe, 00000000.00000003.234802969.0000000005AAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.tiro.comcm	CONTRACT.exe, 00000000.00000003.232884277.0000000005A8B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	CONTRACT.exe, 00000000.00000003.319401814.0000000005A70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ita	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/n	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersb	CONTRACT.exe, 00000000.00000003.238068775.0000000005A7D000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/Qg3	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.fonts.com	CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	CONTRACT.exe, 00000000.00000002.330280391.0000000006C82000.00000004.00000001.sdmp, CONTRACT.exe, 00000012.00000002.415953147.0000000005C60000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com8	CONTRACT.exe, 00000000.00000003.232678625.0000000005A8B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnPq	CONTRACT.exe, 00000000.00000003.234859930.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Cg	CONTRACT.exe, 00000000.00000003.236218871.0000000005A74000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.135	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431926
Start date:	09.06.2021
Start time:	15:09:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CONTRACT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/7@17/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.7% (good quality ratio 9.5%) Quality average: 46.7% Quality standard deviation: 34.4%
HCA Information:	Successful, ratio: 97% Number of executed functions: 555 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 40.88.32.150, 184.30.20.56, 20.82.210.154, 13.88.21.125, 20.190.160.68, 20.190.160.3, 20.190.160.131, 20.190.160.72, 20.190.160.135, 20.190.160.70, 20.190.160.1, 20.190.160.7, 92.122.213.194, 92.122.213.247, 104.43.139.144, 20.54.26.129, 52.255.188.83 Excluded domains from analysis (whitelisted): ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, hostedocsp.globalsign.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/431926/sample/CONTRACT.exe

Simulations

Behavior and APIs

Time	Type	Description
15:11:34	API Interceptor	671x Sleep call for process: CONTRACT.exe modified
15:11:35	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\CONTRACT.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.135	Swift.exe	Get hash	malicious	Browse
	5U8Z6pqTlhp68RB.exe	Get hash	malicious	Browse
	HY_RAY_RFQ,pdf .exe	Get hash	malicious	Browse
	Shipping_Documents_INV_PL_and_BL,pdf.exe	Get hash	malicious	Browse
	Geno_Quotation,pdf.exe	Get hash	malicious	Browse
	PO20002106.exe	Get hash	malicious	Browse
	SOA_30_11_2020,pdf.exe	Get hash	malicious	Browse
	20201229_QUA_20Y0252,pdf.exe	Get hash	malicious	Browse
	PO029734,pdf.exe	Get hash	malicious	Browse
	VSI_202012223,pdf.exe	Get hash	malicious	Browse
	PO968_8359808,pdf.exe	Get hash	malicious	Browse
	purchase order # 10000000648.pdf.exe	Get hash	malicious	Browse
	Order 20015639 15-10-2020,pdf.exe	Get hash	malicious	Browse
	shipping documents.doc	Get hash	malicious	Browse
	POEA-MANNING ADVISORY 2020-56.PDF.exe	Get hash	malicious	Browse
	Doc_1110_090820.exe	Get hash	malicious	Browse
	Doc0_01210_72820.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	Swift.exe	Get hash	malicious	Browse	185.140.53.135
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	5U8Z6pqTlhp68RB.exe	Get hash	malicious	Browse	185.140.53.135
api.globalsign.cloud	MO1cjFKh2H.exe	Get hash	malicious	Browse	104.18.24.243
	nU8kVKVAc8.exe	Get hash	malicious	Browse	104.18.25.243
	25-1.exe	Get hash	malicious	Browse	104.18.25.243
	4ySmTH2Z18.exe	Get hash	malicious	Browse	104.18.24.243
	EQUIPMENT SPECIFICATION.exe	Get hash	malicious	Browse	104.18.24.243
	FLkiItoJYT.exe	Get hash	malicious	Browse	104.18.25.243
	2sEHG8pTHtJcOxy.exe	Get hash	malicious	Browse	104.18.24.243
	RFQ039311.exe	Get hash	malicious	Browse	104.18.24.243
	RFQ.exe	Get hash	malicious	Browse	104.18.24.243
	receipt620.htm	Get hash	malicious	Browse	104.18.25.243
	RFQ PRICE LIST FOR LEABANON 8938920993.exe	Get hash	malicious	Browse	104.18.25.243
	Haftal#U0131k Piyasa G#U00f6r#U00fc#U015f#U00fc ve Fon Da#U011f#U0131l#U0131m #U00d6nerileri.exe	Get hash	malicious	Browse	104.18.24.243
	SecuriteInfo.com.W32.AIDetect.malware2.23636.exe	Get hash	malicious	Browse	104.18.24.243
	purchase order.exe	Get hash	malicious	Browse	104.18.24.243
	TJ8I2tNHFHvbwdf.exe	Get hash	malicious	Browse	104.18.25.243
	CONTRACT_SCAN627289222.exe	Get hash	malicious	Browse	104.18.25.243
	Drawings-ESS316.exe	Get hash	malicious	Browse	104.18.25.243
	rf1K94mmmC.exe	Get hash	malicious	Browse	104.18.25.243
	Fattura01409602.xlsm	Get hash	malicious	Browse	104.18.24.243
	UR8zlHNhnw.exe	Get hash	malicious	Browse	104.18.24.243

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	doc03027320210521173305IMG0012.exe	Get hash	malicious	Browse	185.140.53.230
	yfilQwrYpA.exe	Get hash	malicious	Browse	185.140.53.216
	Ff6m4N8pog.exe	Get hash	malicious	Browse	185.140.53.216
	yCdBrRiAN2.exe	Get hash	malicious	Browse	185.140.53.216
	loKHQzx6Lf.exe	Get hash	malicious	Browse	185.140.53.216
	SecuriteInfo.com.Program.Win32.Wacapew.Cml.7225.exe	Get hash	malicious	Browse	185.140.53.129
	Shipping Documents_Bill of Lading 910571880.exe	Get hash	malicious	Browse	185.140.53.129
	knqh5Hw6gu.exe	Get hash	malicious	Browse	185.140.53.13
	Container_Deposit_slip_pdf.jar	Get hash	malicious	Browse	185.244.30.47
	Cargo Charter Request details.vbs	Get hash	malicious	Browse	185.244.30.184
	Shipping Documents_Bill of Lading 910571880,pdf.exe	Get hash	malicious	Browse	185.140.53.129
	WarkZh7G8j6Xo8r.exe	Get hash	malicious	Browse	91.193.75.66
	Re R new proforma.exe	Get hash	malicious	Browse	185.140.53.138
	PO20880538.exe	Get hash	malicious	Browse	185.140.53.129
	QI5MR3pte0.exe	Get hash	malicious	Browse	185.140.53.40
	5Em2NXNxSt.exe	Get hash	malicious	Browse	185.140.53.40
	7Zpsd899Kf.exe	Get hash	malicious	Browse	185.140.53.40
	LfgEatrwIF.exe	Get hash	malicious	Browse	185.140.53.40
	Swift.exe	Get hash	malicious	Browse	185.140.53.135
	50060001-SDS-MAT.doc	Get hash	malicious	Browse	185.140.53.149

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CONTRACT.exe.log Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp372F.tmp Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1649
Entropy (8bit):	5.1758026207295185
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3u
MD5:	079FD1EAE59C41272B433990C9FE9362
SHA1:	8174889EC1A3B212D32B07674D2AF7277FAF3C36
SHA-256:	E7338DDD51F1164DD1D8EAAAA577AFF2D4CEED3E7E878977ED7810EE7FD272BB
SHA-512:	778D6CB22DF42C21A226696BC1DDB40D0EAFDB6E687F311FC8BBE876EBB5584016325AC03BB537A29F151E4FCBB8546943E6BBC34F1514F8BD195432C5267E0A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmp99D6.tmp Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1649
Entropy (8bit):	5.1758026207295185
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3u
MD5:	079FD1EAE59C41272B433990C9FE9362
SHA1:	8174889EC1A3B212D32B07674D2AF7277FAF3C36
SHA-256:	E7338DDD51F1164DD1D8EAAAA577AFF2D4CEED3E7E878977ED7810EE7FD272BB
SHA-512:	778D6CB22DF42C21A226696BC1DDB40D0EAFDB6E687F311FC8BBE876EBB5584016325AC03BB537A29F151E4FCBB8546943E6BBC34F1514F8BD195432C5267E0A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.099430969810765
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Pwxtn:cbk4oL600QydbQxIYODOLedq3Swj
MD5:	3D40480D97364F56C5C51E071E631CCA
SHA1:	E13D848FFA6CC8296CE19F5D3D6018AC500AB54E
SHA-256:	FEBB7C115CF69F8959CF4F0B5BD15FC3AF198E93F7ED32937DBCD2B8D1086B99
SHA-512:	52597FDB8A0292F068D5A7A2EC1D221FCCC730DDD31EF25C05ACB3464A2E05B7BBD8298B9A9A0A6ABB0A8C3C0069DB81A512F9DA25C970FBABC2AF894B95BC04
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	Non-ISO extended-ASCII text, with NEL line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:muhn:Nn
MD5:	B75FA3BA49F18EFFCA05BC26EFC182E4
SHA1:	170FAB6DBDBBD728DB71E9DFA17A74CFDBB80E18
SHA-256:	25EBD16688D06225015F798E1ED5801A7DF0D12E9587A5B4421C3B7563514189
SHA-512:	70B3D081FAA9583763D480AB263D127F5B68A2CAD280518C0EADD129EE64FAAC44D6A72DB0EFED2AD652EC527E58032E23AB7943663A5C477EF28B90D4F8B056
Malicious:	true
Preview:	..}..+.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.260067015271104
Encrypted:	false
SSDEEP:	3:oNUWJRWm+H:oNNJAm+H
MD5:	DBCC846B014C265EDEF56251371453F9
SHA1:	9C5B51D9F562B065CDBFC598D46A2757BE06BDD5
SHA-256:	82DDF51FD8DAEA1C6A369F221EDEB9EA74FC17C3DDC03F8C6DD7B3DCCCFD1CC7
SHA-512:	D876C8EDB8E6C7A47F6BD39C997F23B817EBF1E2F2C671119880C7840E6DFE8E77A35AD7325836CE4C1830F655D4E336CD2A2CBBAA6760351EE390C915AD845B
Malicious:	false
Preview:	C:\Users\user\Desktop\CONTRACT.exe

C:\Users\user\AppData\Roaming\QnctWeFrWlqq.exe Download File
Process:	C:\Users\user\Desktop\CONTRACT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1038848
Entropy (8bit):	7.288848117566979
Encrypted:	false
SSDEEP:	12288:Rp7kPTkSKoCyFABtnt/u7At0mGCMDXuFbCNbV89+7j2hjTQJpOVi26R8GOYZNh54:PIYo9A1Bt8jzuFbCNbq+YI8Gjn
MD5:	02430D34BE900990FBF6A7EFE35A7C64
SHA1:	00B40170C46AE026CF518588D5B6177538BB1036
SHA-256:	80CA460C629559CF38E1244983877ED9C041C636C1F2E7E388AE2F9BA4D06788
SHA-512:	5B8D6D1F57D3B7E6E38171A493DEA7723F59A11E5F96C3121B4A171D9B3CA50BEAF8A57FE55FB6E1BA5DCD3AA06F5226C91E9E89422354B987EE4451BB466467
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-Z.`..............0.................. ........@.. .......................@............@.....................................S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........F.........c........X...........................................0..............0..f........r...p}......}.....(.... ... .$'.a%..^E...."...............+ .. ...RZ .T.a+... ...Z ...6a+..(........0........... YX$. ...ea%....^E....B.......................#...........G.......q...................8=.....-. mO..%+. ....%&.. ....Za+..{....(....r[..p(....+.... b.$W8h....{....(....r[..p(....-... J.c.Z 9c..a8>....r]..p(....&.. w../Z ..t.a8.....{....(....r[..p(....-... ..AZ @

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.288848117566979
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	CONTRACT.exe
File size:	1038848
MD5:	02430d34be900990fbf6a7efe35a7c64
SHA1:	00b40170c46ae026cf518588d5b6177538bb1036
SHA256:	80ca460c629559cf38e1244983877ed9c041c636c1f2e7e388ae2f9ba4d06788
SHA512:	5b8d6d1f57d3b7e6e38171a493dea7723f59a11e5f96c3121b4a171d9b3ca50beaf8a57fe55fb6e1ba5dcd3aa06f5226c91e9e89422354b987ee4451bb466467
SSDEEP:	12288:Rp7kPTkSKoCyFABtnt/u7At0mGCMDXuFbCNbV89+7j2hjTQJpOVi26R8GOYZNh54:PIYo9A1Bt8jzuFbCNbq+YI8Gjn
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-Z.`..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4feede
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C05A2D [Wed Jun 9 06:05:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfee88	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfcee4	0xfd000	False	0.609683794466	data	7.29376967447	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x100000	0x5e0	0x600	False	0.429036458333	data	4.17054411618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1000a0	0x354	data
RT_MANIFEST	0x1003f4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	p6FirY.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	WindowsFormsApplication1
ProductVersion	1.0.0.0
FileDescription	WindowsFormsApplication1
OriginalFilename	p6FirY.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 15:11:36.133652925 CEST	49713	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:36.184017897 CEST	1187	49713	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:36.832331896 CEST	49713	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:36.884536982 CEST	1187	49713	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:37.512537956 CEST	49713	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:37.562122107 CEST	1187	49713	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:41.910310984 CEST	49714	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:41.959913015 CEST	1187	49714	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:42.473571062 CEST	49714	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:42.522758007 CEST	1187	49714	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:43.035938978 CEST	49714	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:43.086430073 CEST	1187	49714	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:47.266108990 CEST	49716	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:47.315263033 CEST	1187	49716	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:47.895875931 CEST	49716	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:47.945034981 CEST	1187	49716	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:48.598984003 CEST	49716	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:48.648087978 CEST	1187	49716	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:52.833493948 CEST	49720	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:52.884505987 CEST	1187	49720	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:53.396202087 CEST	49720	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:53.446635008 CEST	1187	49720	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:54.099448919 CEST	49720	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:54.150813103 CEST	1187	49720	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:58.305289984 CEST	49725	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:58.355926991 CEST	1187	49725	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:58.912319899 CEST	49725	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:58.961363077 CEST	1187	49725	185.140.53.135	192.168.2.5
Jun 9, 2021 15:11:59.594679117 CEST	49725	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:11:59.643789053 CEST	1187	49725	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:04.344858885 CEST	49726	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:04.394035101 CEST	1187	49726	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:04.897331953 CEST	49726	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:04.946528912 CEST	1187	49726	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:05.491000891 CEST	49726	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:05.540112972 CEST	1187	49726	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:09.970873117 CEST	49731	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:10.020190954 CEST	1187	49731	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:10.600840092 CEST	49731	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:10.650640011 CEST	1187	49731	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:11.210552931 CEST	49731	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:11.260483980 CEST	1187	49731	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:15.386992931 CEST	49733	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:15.436425924 CEST	1187	49733	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:15.945077896 CEST	49733	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:15.994143963 CEST	1187	49733	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:16.507870913 CEST	49733	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:16.557605028 CEST	1187	49733	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:20.748197079 CEST	49734	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:20.799599886 CEST	1187	49734	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:21.304902077 CEST	49734	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:21.354278088 CEST	1187	49734	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:21.867383003 CEST	49734	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:21.916800976 CEST	1187	49734	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:26.149667978 CEST	49736	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:26.198642969 CEST	1187	49736	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:26.711622000 CEST	49736	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:26.760647058 CEST	1187	49736	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:27.274167061 CEST	49736	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:27.323299885 CEST	1187	49736	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:31.524297953 CEST	49738	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:31.576438904 CEST	1187	49738	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:32.087162971 CEST	49738	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:32.136506081 CEST	1187	49738	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:32.649689913 CEST	49738	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:32.699239016 CEST	1187	49738	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:36.844011068 CEST	49742	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:36.893429995 CEST	1187	49742	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:37.400743961 CEST	49742	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:37.450277090 CEST	1187	49742	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:37.962666988 CEST	49742	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:38.012227058 CEST	1187	49742	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:42.129333973 CEST	49743	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:42.178355932 CEST	1187	49743	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:42.681971073 CEST	49743	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:42.731220007 CEST	1187	49743	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:43.244360924 CEST	49743	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:43.294605970 CEST	1187	49743	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:47.470359087 CEST	49744	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:47.519824028 CEST	1187	49744	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:48.025939941 CEST	49744	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:48.075654984 CEST	1187	49744	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:48.588541985 CEST	49744	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:48.639895916 CEST	1187	49744	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:52.910712004 CEST	49745	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:52.960248947 CEST	1187	49745	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:53.463908911 CEST	49745	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:53.513602972 CEST	1187	49745	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:54.026438951 CEST	49745	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:54.076955080 CEST	1187	49745	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:58.151308060 CEST	49746	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:58.201324940 CEST	1187	49746	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:58.714617014 CEST	49746	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:58.765150070 CEST	1187	49746	185.140.53.135	192.168.2.5
Jun 9, 2021 15:12:59.276935101 CEST	49746	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:12:59.327738047 CEST	1187	49746	185.140.53.135	192.168.2.5
Jun 9, 2021 15:13:03.393882036 CEST	49747	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:13:03.443732023 CEST	1187	49747	185.140.53.135	192.168.2.5
Jun 9, 2021 15:13:03.949186087 CEST	49747	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:13:03.998831987 CEST	1187	49747	185.140.53.135	192.168.2.5
Jun 9, 2021 15:13:04.511730909 CEST	49747	1187	192.168.2.5	185.140.53.135
Jun 9, 2021 15:13:04.561326981 CEST	1187	49747	185.140.53.135	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 15:10:43.247039080 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:10:43.309325933 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 9, 2021 15:10:46.349242926 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:10:46.408559084 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 9, 2021 15:10:54.344942093 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:10:54.403634071 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:07.206101894 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:07.289447069 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:09.357294083 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:09.407288074 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:18.258994102 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:18.317873001 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:20.861732960 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:20.920252085 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:22.370107889 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:22.420223951 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:35.948556900 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:36.040786028 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:41.824446917 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:41.907804966 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:44.029692888 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:44.079866886 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:47.160471916 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:47.222385883 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:48.347043991 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:48.397419930 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:50.412841082 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:50.466154099 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:52.513382912 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:52.563604116 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:52.722013950 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:52.781090021 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:54.455400944 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:54.516119957 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:55.904514074 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:55.977710009 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 9, 2021 15:11:58.242530107 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:11:58.303719044 CEST	53	57128	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:04.242368937 CEST	54791	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:04.302180052 CEST	53	54791	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:09.044012070 CEST	50463	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:09.105695963 CEST	53	50463	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:09.909527063 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:09.969455957 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:12.994746923 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:13.045157909 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:15.322493076 CEST	53813	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:15.382190943 CEST	53	53813	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:20.654206991 CEST	63732	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:20.715926886 CEST	53	63732	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:26.032799959 CEST	57344	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:26.088777065 CEST	54450	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:26.105664968 CEST	53	57344	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:26.147627115 CEST	53	54450	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:27.186002970 CEST	59261	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:27.252074957 CEST	53	59261	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:31.461066961 CEST	57151	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:31.522952080 CEST	53	57151	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:33.924118042 CEST	59413	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:33.986242056 CEST	53	59413	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:35.132694960 CEST	60516	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:35.209789038 CEST	53	60516	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:35.285379887 CEST	51649	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:35.340759993 CEST	53	51649	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:36.766644001 CEST	65086	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:36.828108072 CEST	53	65086	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:42.067761898 CEST	56432	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:42.128058910 CEST	53	56432	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:47.410507917 CEST	52929	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:47.469122887 CEST	53	52929	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:52.854509115 CEST	64317	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:52.908962011 CEST	53	64317	8.8.8.8	192.168.2.5
Jun 9, 2021 15:12:58.090678930 CEST	61004	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:12:58.150679111 CEST	53	61004	8.8.8.8	192.168.2.5
Jun 9, 2021 15:13:03.341973066 CEST	56895	53	192.168.2.5	8.8.8.8
Jun 9, 2021 15:13:03.392714024 CEST	53	56895	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2021 15:11:35.948556900 CEST	192.168.2.5	8.8.8.8	0x6a79	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:41.824446917 CEST	192.168.2.5	8.8.8.8	0x2e8	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:47.160471916 CEST	192.168.2.5	8.8.8.8	0x8eb5	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:52.722013950 CEST	192.168.2.5	8.8.8.8	0xb2ab	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:58.242530107 CEST	192.168.2.5	8.8.8.8	0xb66b	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:04.242368937 CEST	192.168.2.5	8.8.8.8	0xdc24	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:09.909527063 CEST	192.168.2.5	8.8.8.8	0x10c9	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:15.322493076 CEST	192.168.2.5	8.8.8.8	0x7e01	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:20.654206991 CEST	192.168.2.5	8.8.8.8	0x8746	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:26.088777065 CEST	192.168.2.5	8.8.8.8	0x1bda	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:31.461066961 CEST	192.168.2.5	8.8.8.8	0xa7f8	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:36.766644001 CEST	192.168.2.5	8.8.8.8	0x6d11	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:42.067761898 CEST	192.168.2.5	8.8.8.8	0xd7a4	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:47.410507917 CEST	192.168.2.5	8.8.8.8	0xe2e1	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:52.854509115 CEST	192.168.2.5	8.8.8.8	0xf77b	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:58.090678930 CEST	192.168.2.5	8.8.8.8	0xba42	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)
Jun 9, 2021 15:13:03.341973066 CEST	192.168.2.5	8.8.8.8	0x5f8e	Standard query (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 9, 2021 15:10:43.309325933 CEST	8.8.8.8	192.168.2.5	0x918b	No error (0)	api.globalsign.cloud		104.18.24.243	A (IP address)	IN (0x0001)
Jun 9, 2021 15:10:43.309325933 CEST	8.8.8.8	192.168.2.5	0x918b	No error (0)	api.globalsign.cloud		104.18.25.243	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:36.040786028 CEST	8.8.8.8	192.168.2.5	0x6a79	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:41.907804966 CEST	8.8.8.8	192.168.2.5	0x2e8	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:47.222385883 CEST	8.8.8.8	192.168.2.5	0x8eb5	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:52.781090021 CEST	8.8.8.8	192.168.2.5	0xb2ab	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:11:54.516119957 CEST	8.8.8.8	192.168.2.5	0xc3c3	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jun 9, 2021 15:11:58.303719044 CEST	8.8.8.8	192.168.2.5	0xb66b	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:04.302180052 CEST	8.8.8.8	192.168.2.5	0xdc24	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:09.969455957 CEST	8.8.8.8	192.168.2.5	0x10c9	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:15.382190943 CEST	8.8.8.8	192.168.2.5	0x7e01	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:20.715926886 CEST	8.8.8.8	192.168.2.5	0x8746	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:26.147627115 CEST	8.8.8.8	192.168.2.5	0x1bda	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:31.522952080 CEST	8.8.8.8	192.168.2.5	0xa7f8	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:36.828108072 CEST	8.8.8.8	192.168.2.5	0x6d11	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:42.128058910 CEST	8.8.8.8	192.168.2.5	0xd7a4	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:47.469122887 CEST	8.8.8.8	192.168.2.5	0xe2e1	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:52.908962011 CEST	8.8.8.8	192.168.2.5	0xf77b	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:12:58.150679111 CEST	8.8.8.8	192.168.2.5	0xba42	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)
Jun 9, 2021 15:13:03.392714024 CEST	8.8.8.8	192.168.2.5	0x5f8e	No error (0)	kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu		185.140.53.135	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CONTRACT.exe PID: 6344 Parent PID: 5820

General

Start time:	15:10:50
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\CONTRACT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CONTRACT.exe'
Imagebase:	0xd70000
File size:	1038848 bytes
MD5 hash:	02430D34BE900990FBF6A7EFE35A7C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.332389158.000000000D991000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.326212902.00000000046B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6092 Parent PID: 6344

General

Start time:	15:11:30
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp99D6.tmp'
Imagebase:	0xf60000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6236 Parent PID: 6092

General

Start time:	15:11:30
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: CONTRACT.exe PID: 6168 Parent PID: 6344

General

Start time:	15:11:31
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\CONTRACT.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x610000
File size:	1038848 bytes
MD5 hash:	02430D34BE900990FBF6A7EFE35A7C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.318659568.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.507246807.0000000005330000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.499012397.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.319148029.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.507725412.0000000005B20000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.506181931.0000000003DE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5892 Parent PID: 6168

General

Start time:	15:11:33
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9F3.tmp'
Imagebase:	0xf60000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4740 Parent PID: 5892

General

Start time:	15:11:33
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: CONTRACT.exe PID: 4600 Parent PID: 904

General

Start time:	15:11:35
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\CONTRACT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CONTRACT.exe 0
Imagebase:	0xea0000
File size:	1038848 bytes
MD5 hash:	02430D34BE900990FBF6A7EFE35A7C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.413143915.00000000045C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6440 Parent PID: 4600

General

Start time:	15:12:10
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QnctWeFrWlqq' /XML 'C:\Users\user\AppData\Local\Temp\tmp372F.tmp'
Imagebase:	0x1360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6468 Parent PID: 6440

General

Start time:	15:12:10
Start date:	09/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: CONTRACT.exe PID: 5952 Parent PID: 4600

General

Start time:	15:12:11
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\CONTRACT.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3b0000
File size:	1038848 bytes
MD5 hash:	02430D34BE900990FBF6A7EFE35A7C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: CONTRACT.exe PID: 1388 Parent PID: 4600

General

Start time:	15:12:12
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\CONTRACT.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x4b0000
File size:	1038848 bytes
MD5 hash:	02430D34BE900990FBF6A7EFE35A7C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000000.407344258.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.425591629.0000000002CA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000000.407937748.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.425626395.0000000003CA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.424133299.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CONTRACT.exe PID: 6344 Parent PID: 5820 CONTRACT.exeCOMMON

Executed Functions

Function 03209858, Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

Invoke, xrefs: 03209AA5
Load, xrefs: 03209946
EntryPoint, xrefs: 032099D2

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: EntryPoint$Invoke$Load
API String ID: 0-1662677525
Opcode ID: 0828fd48a245ccf5e8bced682476e3d2dbb0d569fcdc72a91b2a3f8f6e74706b
Instruction ID: a7c61c98506592a1fa46268bd17d0f25c7df066eef1926649fa0974f67d2eb2f
Opcode Fuzzy Hash: 0828fd48a245ccf5e8bced682476e3d2dbb0d569fcdc72a91b2a3f8f6e74706b
Instruction Fuzzy Hash: 6791B174E002189FDB18DFA9C844A9EBBF2FF88300F65C069D519AB365DB719985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07483680, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

pK/, xrefs: 074837CB

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID: pK/
API String ID: 0-430018697
Opcode ID: ded8db19e2d1499e045c78ebb4a984b60da2ad63123c57e4e24bfea232266b83
Instruction ID: 1265c90e57351786d3f944bd7c3359329eaad7610d7420abc56a027952ee15f1
Opcode Fuzzy Hash: ded8db19e2d1499e045c78ebb4a984b60da2ad63123c57e4e24bfea232266b83
Instruction Fuzzy Hash: EE71DFB4E00209DFCB44EFE8D95469EBBB2FF89300F20946AD416AB358D7355A06DB54

Uniqueness

Uniqueness Score: -1.00%

Function 07483690, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

pK/, xrefs: 074837CB

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID: pK/
API String ID: 0-430018697
Opcode ID: d1e34991687c892cca27b87ba6b18b4ee7e5edccc6644cd8b3be46559fff0284
Instruction ID: 610cd1ab7f7bd96afb67443b69309adc162c7a01bdec25d239dd588e51a0d37c
Opcode Fuzzy Hash: d1e34991687c892cca27b87ba6b18b4ee7e5edccc6644cd8b3be46559fff0284
Instruction Fuzzy Hash: D671EFB4E01209DFCB44EFE8D9545AEBBB2FF89300F20942AD416BB358DB355A06DB54

Uniqueness

Uniqueness Score: -1.00%

Function 03202720, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

Bnn, xrefs: 03202873

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: Bnn
API String ID: 0-2056956163
Opcode ID: c36a6d2bc34d4bbcf5d2853b08cb5b790320584fa73839776ede12f0e93a8cf1
Instruction ID: 8267069926b5d4f35eb0652ec7edee3421e834c9e6124f47f1a54bd340b4a3f7
Opcode Fuzzy Hash: c36a6d2bc34d4bbcf5d2853b08cb5b790320584fa73839776ede12f0e93a8cf1
Instruction Fuzzy Hash: 4341A5B1E016188FEB18CFA6D95878EBBF6BF89304F14C1A9C558AB254DB750A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 03202710, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

Bnn, xrefs: 03202873

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: Bnn
API String ID: 0-2056956163
Opcode ID: 5b294c6a2fd6064814b12a103c2bd3ab2419105164d34398d131ed4147f85e51
Instruction ID: 31fdc7b8d558331c17e812ec506835f5e27eeea6453a677af5711f189063bfcf
Opcode Fuzzy Hash: 5b294c6a2fd6064814b12a103c2bd3ab2419105164d34398d131ed4147f85e51
Instruction Fuzzy Hash: 0341B9B0E016588FEB19CFA6D95878EFBF2BF89304F14C1AAC448AB254DB750A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07480006, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85de857d93ae104723a0ed2171bfeb67e22a274117515ddefe4dc40e3d1df0a7
Instruction ID: 2254597e00a330e4c0c3af01379bd2aa33fa85b75b5a8d20db2e49cb27b6cd1a
Opcode Fuzzy Hash: 85de857d93ae104723a0ed2171bfeb67e22a274117515ddefe4dc40e3d1df0a7
Instruction Fuzzy Hash: 5AE188B0915289CFCB54DFA8E28498CBFF2FB09305F5580AAE4119F369E7349949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07480070, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1152769eeabb0e7f051292b3f71be1b7dcc54a2354b4c42cdc3d929e1af87824
Instruction ID: e5cd8cbf3b1a6386d3d0f1653d8978a2901abfaaba342f8410a6670e46729ba4
Opcode Fuzzy Hash: 1152769eeabb0e7f051292b3f71be1b7dcc54a2354b4c42cdc3d929e1af87824
Instruction Fuzzy Hash: ACD18BB091124ACFCB54DFA8E28498DBBF2FB08305F5190A9E425AF368E7349D44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0320CD98, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb72cd4ba47afc30f37cdc661b18af99e3d999707d71e16830f22f1be71c2a6a
Instruction ID: 7cc1b4ed90e406c3b81c602c0799025f8811a18c2011282658af0037c3f37428
Opcode Fuzzy Hash: eb72cd4ba47afc30f37cdc661b18af99e3d999707d71e16830f22f1be71c2a6a
Instruction Fuzzy Hash: AEC16BB0D2521ADFCB14CFA4C1808AEFBB1FF49310B209656D426BF255C374AA85DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 032057BF, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eaa5375a7abe8cb182719cf5ff8e360a18ffe188c3edf14e049ade9c7ca63d
Instruction ID: 199c71cec6f6ec32739ae06be870dc2e6cabfe9be0257fd2d4d12501f3182907
Opcode Fuzzy Hash: d3eaa5375a7abe8cb182719cf5ff8e360a18ffe188c3edf14e049ade9c7ca63d
Instruction Fuzzy Hash: A5B19D7182E3A59FCB12CF64C491699BFF0FF4B200B1885D6C481EB297C2B49659CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0320586F, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a5c10ce46cfa8a2ba27e4e5913467dc8486aff112a7f6f2eab12c38f02c7f9
Instruction ID: 3a2d2095fd31fc558529be5ef34b9cf334ff36bec588eb7deabff64699c7b2ab
Opcode Fuzzy Hash: 01a5c10ce46cfa8a2ba27e4e5913467dc8486aff112a7f6f2eab12c38f02c7f9
Instruction Fuzzy Hash: 94A17B7282E3A59FCB12CFA4C491699BFF1BF47200B1885DAC481EB287C3B45649CB56

Uniqueness

Uniqueness Score: -1.00%

Function 07481318, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce9a22be49bba8dc13622b923d3d30b60fe41c6d23c246d509169b43c8f48cd
Instruction ID: 01dbdf2896439cbb74e278966affabd0d6d44baf66c7efa340c5db7b2acf489d
Opcode Fuzzy Hash: dce9a22be49bba8dc13622b923d3d30b60fe41c6d23c246d509169b43c8f48cd
Instruction Fuzzy Hash: CC9125B4D0120E9FCB44DFA9D5805EEBBB2FF89310F64856AD025AB354D7349A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 032058CB, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe8da01624970671e25444e9705a343adf7c3758157f10d8cf2e1288d3be46
Instruction ID: 31df57186ed594bc6bf558d0c649f2ab489bea7a74877b3404a7be3b84e74285
Opcode Fuzzy Hash: 1fbe8da01624970671e25444e9705a343adf7c3758157f10d8cf2e1288d3be46
Instruction Fuzzy Hash: 59917A71C2D3A99FCB12CFA4C49169DBFF1FF46200B1885DAC441AB297C2749648CF56

Uniqueness

Uniqueness Score: -1.00%

Function 07481311, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251b4977129caf428ab649f85332aab333f32b1c75fc30191f611d968b0691f0
Instruction ID: 8d55b6e52483b8c27e190f41a2ee1be7f4cd0997c617720040ecb7f3d0a08ff6
Opcode Fuzzy Hash: 251b4977129caf428ab649f85332aab333f32b1c75fc30191f611d968b0691f0
Instruction Fuzzy Hash: 499124B4D0120E9FCB44DFA9D5805EEBBB2FF89310F64856AD025AB354D7349A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03205917, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b66510ffac853ad85406b0b2c0cf20c8f33fa52d55ff68aaf2b4564f65fe627
Instruction ID: 23d362ef223b06d2195ec1e00bfbd6e669d0b0406adfdb2b7cd05af98eb43d2d
Opcode Fuzzy Hash: 1b66510ffac853ad85406b0b2c0cf20c8f33fa52d55ff68aaf2b4564f65fe627
Instruction Fuzzy Hash: B2817B71C293A99FCB12CFA4C49169DBFF1BF4A200F18859AC441AB297C3749649CF56

Uniqueness

Uniqueness Score: -1.00%

Function 03205841, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7fd71398b766c19f1defe16e0742b907a881252cdc7c636f65e8635c7d2705
Instruction ID: dffbac3f2b395fbff09edac8926608334c13f89f4ad9760be490864646d99672
Opcode Fuzzy Hash: 3f7fd71398b766c19f1defe16e0742b907a881252cdc7c636f65e8635c7d2705
Instruction Fuzzy Hash: 71819C71C293A99FCB12CFA4C48169EBFF0FF4A200F14859AC041AB297C3B49648CF56

Uniqueness

Uniqueness Score: -1.00%

Function 032058B1, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09b0467322747c0a39d66af26f4d5a06d4c9004f735efd57c3168e1d4edb1c8
Instruction ID: 49bffd1da1e6462efb5ba099d7a60d5a35ff948a0fe19e3735b1f3c0252ffc66
Opcode Fuzzy Hash: d09b0467322747c0a39d66af26f4d5a06d4c9004f735efd57c3168e1d4edb1c8
Instruction Fuzzy Hash: A6817A71D293A99FCB12CFA4C49169DBFF1FF4A200F14859AC041AB297D3749648CF56

Uniqueness

Uniqueness Score: -1.00%

Function 07483F28, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2996be3ac94d7542c819692825a1247709dd37b3f9dbfbcc7d4004cb818fe93
Instruction ID: 13f40b21306af39f59a244ed069ca250242534e275c59d488c77e8bbb4186821
Opcode Fuzzy Hash: a2996be3ac94d7542c819692825a1247709dd37b3f9dbfbcc7d4004cb818fe93
Instruction Fuzzy Hash: C27127B4D5921ECFCB44EFA4D5809EEBBB1FB8A700F10982AD915BB204D7345A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0320ADB8, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6820f162d0cb7ff2ee7ac67a1804df35c90beb417c2ab7fc832491e6f535bd31
Instruction ID: f1beca248efae1a5aa524c6609cd04d48d73e83644386a00a8204bea4555709c
Opcode Fuzzy Hash: 6820f162d0cb7ff2ee7ac67a1804df35c90beb417c2ab7fc832491e6f535bd31
Instruction Fuzzy Hash: 6171E174D11209DFCB04DFA9C884AAEBBB2FF89300F60816AE415BB294D7355A46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07481748, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13afcd7914ed7d8c9130c25fdb80c5c8a485979b5ee6cfa61103a210755417fd
Instruction ID: 2aa4b120b11b80f9485b9dbc72ec9713568751e5b9f72f4d607429a0850cf2ee
Opcode Fuzzy Hash: 13afcd7914ed7d8c9130c25fdb80c5c8a485979b5ee6cfa61103a210755417fd
Instruction Fuzzy Hash: 195138B0D1520EDBCB84DFA5C9819EEFBB2FF8A310F14955BD011BB254D3349A428BA5

Uniqueness

Uniqueness Score: -1.00%

Function 07481758, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1507d3ec8a09187b3eea615325c08fdf9a56bcdeec5ff9af2dc8882ba0b42fed
Instruction ID: 1baf92fae223abab7c89ca3b80e79c2e0c6f6be0ba7dda516a95dac263aa103a
Opcode Fuzzy Hash: 1507d3ec8a09187b3eea615325c08fdf9a56bcdeec5ff9af2dc8882ba0b42fed
Instruction Fuzzy Hash: 2E5138B0D1520EDBCB84DFA5C9819EEFBB2BB8A210F14955BD011BB254D3349A42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03205C38, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e894c5a26cf5779715faa2dd6523ab31112f274128a4300dfca5746a07fcd93
Instruction ID: 9ef7167d1852403216d18f8059e5fba2fa0b9e7f23177e9b75904dae95debf9a
Opcode Fuzzy Hash: 4e894c5a26cf5779715faa2dd6523ab31112f274128a4300dfca5746a07fcd93
Instruction Fuzzy Hash: 6761CFB4D15209DFCB04CFA5D5849AEBBF2FB89300F20906AD826AB394E7345A49DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03209EE0, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54ec49512c8d78219d154ddb53278fcc937a2ffb365bfc10192a2e0dd66d3e3
Instruction ID: 6b4b168929380b7daac8060eb41d1984d96043ac5b255fd244f2e16cc030bfe0
Opcode Fuzzy Hash: e54ec49512c8d78219d154ddb53278fcc937a2ffb365bfc10192a2e0dd66d3e3
Instruction Fuzzy Hash: D451B5B4E042199FCB04DFA9D584AAEFBF2FF88300F24C565D414AB355D734AA85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032094C8, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8928608542b7f9f0259bf24ec67641e74682b2b0d17408d1b2e483b35195c0
Instruction ID: 0f78f1eb491ff1ad59ddb638a0825a67a2e726065972bfc4bcdbbe06941b5e10
Opcode Fuzzy Hash: 8c8928608542b7f9f0259bf24ec67641e74682b2b0d17408d1b2e483b35195c0
Instruction Fuzzy Hash: D851C6B4E042199FDB08DFEAD894AAEFBF2FF88300F108129D815AB355D7759985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03205C48, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4db45e4dd14d1bc9f5f6b29fc3760f5f57ef6d2d074683b38c5d800a943d0d7
Instruction ID: 47fb69d3d1877c74a365d36bc63abe690b77c22514461c3e11007a95629af8c6
Opcode Fuzzy Hash: d4db45e4dd14d1bc9f5f6b29fc3760f5f57ef6d2d074683b38c5d800a943d0d7
Instruction Fuzzy Hash: B351D0B4D25209DFCB04CFA5D5849AEFBF6FB89300F20906AD426AB384E7345A49DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0320B560, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0289b5a2e56c6a2831641e4409d7a7650df160dbc64fd56e8ed18a35ed4488d
Instruction ID: 84333a9338db6444d5e8fbc6812ed7f4e4f3d63cd282fe191e8e4dbd013fee72
Opcode Fuzzy Hash: b0289b5a2e56c6a2831641e4409d7a7650df160dbc64fd56e8ed18a35ed4488d
Instruction Fuzzy Hash: 345109B1D1420A8FCB18CFE9C4409AEFBF2EB88310F14D469D455BB255D7749A85CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 032059E0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5deaaa16e1b1c6a24de2505512f3944fe65c6f28dc4024fdc63deece04fc68
Instruction ID: e41094ca57def4d9491d4399b50f288c888cc7f356268a4a58fca6cbb6961fd2
Opcode Fuzzy Hash: 8f5deaaa16e1b1c6a24de2505512f3944fe65c6f28dc4024fdc63deece04fc68
Instruction Fuzzy Hash: 42513474D2920ADFCB04CFA9C5805AEFBF1FB49300F20946AD412B7291D774AA84CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0320BEA0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb96b483ad2222a5d4de2967659488b6de2dabb14a0a65ce6b962ae0cc4c7228
Instruction ID: 0531ca68fcc690ed960e60b8eed61182c951efedf00cc6a05b9e579a32480432
Opcode Fuzzy Hash: cb96b483ad2222a5d4de2967659488b6de2dabb14a0a65ce6b962ae0cc4c7228
Instruction Fuzzy Hash: 1531E971E002188BDB28CFAAD8446DEBBB3EF89311F54C06AE419AB354DB355989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0320F140, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728f3ed291d59104661bdb0e17eda3a5809c48dd03c2799f61c111e12c9b7412
Instruction ID: 2631d9353c1327a2ceb7db0175249e811d910c3336cd12586d516efc312f1fb4
Opcode Fuzzy Hash: 728f3ed291d59104661bdb0e17eda3a5809c48dd03c2799f61c111e12c9b7412
Instruction Fuzzy Hash: 1E310971E116199FDB28CF6BD84469EFBF3BFC9300F04C1B59808AA255D73059868F51

Uniqueness

Uniqueness Score: -1.00%

Function 0320A320, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ccac5165dce3b07a9d0cf9958ca6145946e01a92a5515195a4b72d9dfd48a
Instruction ID: 87dc29e356832418b9d4c9c5c7c8a42cfc29b2b1049793ec1786fc6cc26f5ddc
Opcode Fuzzy Hash: 521ccac5165dce3b07a9d0cf9958ca6145946e01a92a5515195a4b72d9dfd48a
Instruction Fuzzy Hash: BF31E7B1E11619CBEB18DFABC84069EFAF3BFC9300F54C0A99448AB255DB750A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05921513, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 059215C3

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19c5d6d970024f29fc474be396b054f1331bd390882805e25cb2222249cc71d0
Instruction ID: e06027f2fb8117953bbef47a26f4299854f1fbdad305369ebe427955fb46883b
Opcode Fuzzy Hash: 19c5d6d970024f29fc474be396b054f1331bd390882805e25cb2222249cc71d0
Instruction Fuzzy Hash: 5931A5714043846FEB228B65DC44F6ABFACEF05310F0888AAF985CB152D764A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05920E02, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920EAC

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 0202026cf4ddb88f015459aab375fec8ffa0b362ddd7775f9e8a8a747f51f8ae
Instruction ID: 98b5a27143d3101737f7567480e9139805885a74a0305f07599eb84012277dca
Opcode Fuzzy Hash: 0202026cf4ddb88f015459aab375fec8ffa0b362ddd7775f9e8a8a747f51f8ae
Instruction Fuzzy Hash: C431B5714093846FEB228F65DC85F96BFBCEF06310F08849AE9849F153D624A548D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05920990, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05920A31

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 15d15a9ef6959e33324d8b139a92d85cc797f0e37f897e4998412d2725e5847c
Instruction ID: 48dd515311e4270893925486bb527b2db5e5368ac52f5a646281fbf27a36bdce
Opcode Fuzzy Hash: 15d15a9ef6959e33324d8b139a92d85cc797f0e37f897e4998412d2725e5847c
Instruction Fuzzy Hash: 81315C71505380AFE722CF65DC88F66BFECEF45210F0884AEE9859B252D365E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05921133, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 059211CF

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 1c7b66bafa357fa635783df6ace60b494c32183f58fe435f4dd7c174819a40be
Instruction ID: f8031c3bf61a148a23dc28512f2d7660241205eeeef5aa618e295da06b307a04
Opcode Fuzzy Hash: 1c7b66bafa357fa635783df6ace60b494c32183f58fe435f4dd7c174819a40be
Instruction Fuzzy Hash: 69217E72504244AFEB21CF65DC84FAAFFBCEF05310F18889AED849B152D264A558CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05921546, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 059215C3

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a86f919216fa34438efacd3107d9b0cd6efc24e02cacb6fff32e4dc5e30f83cc
Instruction ID: 46cc5a8ce370170f10e340830952d24a6e93061d64e027f5ed4f3cf7f9474645
Opcode Fuzzy Hash: a86f919216fa34438efacd3107d9b0cd6efc24e02cacb6fff32e4dc5e30f83cc
Instruction Fuzzy Hash: 8421A1B2500204AFEB21DF65DC84F6AFBACEF04320F14886AED459B151D770A554DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05921621, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 059216A8

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4e90177639ccb4cdf72d3699e49ce5bb2afddd8db8c081bb85c931dc830f1dbc
Instruction ID: bee393f00ed664cb3d280234e760e442b63023e86462e07530f68729879339cf
Opcode Fuzzy Hash: 4e90177639ccb4cdf72d3699e49ce5bb2afddd8db8c081bb85c931dc830f1dbc
Instruction Fuzzy Hash: 7821A1765093C09FD712CB35DC54B92BFA8EF17210F0D84DADC858F2A3D265A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05920A88, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920B1D

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9b39b1c2b098b7b034c4cd72cc454a2490d2765bb28c604c2b7165a351a95ab3
Instruction ID: 4becb79aae37a4e67af3822c3edb317816b55b17fdaecc17a5ad77698f9f4a32
Opcode Fuzzy Hash: 9b39b1c2b098b7b034c4cd72cc454a2490d2765bb28c604c2b7165a351a95ab3
Instruction Fuzzy Hash: 372107B54087846FE7128B25DC95FA2BFBCEF46720F0884DAED848B153D264A909D771

Uniqueness

Uniqueness Score: -1.00%

Function 059209B2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05920A31

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b0587e2dc1020abef7598dc90f3a9ddc0cf06d46e9bb8a15a292fff9eb87115
Instruction ID: 80b7f257fbf9d9eb1c4a5af837df86dabda77cc03fa969d5ad14aacb46a56778
Opcode Fuzzy Hash: 8b0587e2dc1020abef7598dc90f3a9ddc0cf06d46e9bb8a15a292fff9eb87115
Instruction Fuzzy Hash: 05218E71501240AFEB21DF69DD89F66FBE8FF04310F148869E9499B256D771E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 059201B5, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05920237

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4d0e95ba5ca7e475f20912b3213c959d531f5b0694d673cd5be1a9b5b2abdd33
Instruction ID: 475ccb8aa4fa1dc36e91bb7be26ee58295595a8878e272e6e271ee05f2982705
Opcode Fuzzy Hash: 4d0e95ba5ca7e475f20912b3213c959d531f5b0694d673cd5be1a9b5b2abdd33
Instruction Fuzzy Hash: FE21A175509384AFDB22CF65DC84B62BFF8EF16210F0985DAE9858F563D235E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0592115E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 059211CF

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 2f9ca8bd4a88ac4aee61f5b2d860988b47f8cbae3a2c9d2184ea40b070c9900e
Instruction ID: 49eab40eed21b4c2435561577e487509a79b7fe3b71586b204ae71942e7ef665
Opcode Fuzzy Hash: 2f9ca8bd4a88ac4aee61f5b2d860988b47f8cbae3a2c9d2184ea40b070c9900e
Instruction Fuzzy Hash: 5521CDB2500204AFEB20DF69DC84F6AFBECEF44710F14886AED45DB246D670A518CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05920C3A, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920CB9

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 556d46ace21a2a351adbbf4cd2e8488dd45cf622539c23e5e1b4aecc2b5b46fd
Instruction ID: 25c88dfb7edb28c94e69a6d2953258ad55e1863db29602a9aeb5ffe55c568d35
Opcode Fuzzy Hash: 556d46ace21a2a351adbbf4cd2e8488dd45cf622539c23e5e1b4aecc2b5b46fd
Instruction Fuzzy Hash: C4216271505384AFDB22CF55DC84F57FFB8EF45310F0884AAEA459B152D364A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05920E42, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920EAC

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 744e545e4a9552625a7530d7519f0731d592fb19f1ebed41deef7c41276891a3
Instruction ID: 57a3425ac0031fd99f699f6e20981a18461c686b93ece4944a6753317f9e9ea0
Opcode Fuzzy Hash: 744e545e4a9552625a7530d7519f0731d592fb19f1ebed41deef7c41276891a3
Instruction Fuzzy Hash: 7E11A5B1500204AFEB21CF69DD84FAAFBACEF44310F14846AEE45DB541D774A444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 059218E4, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05921964

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 991a4b6e1d469d6f37db0c30a623ce30e13fa8107ae26c7dbcff4e3b94382050
Instruction ID: 786d326561654695b3d272dc3d0fe59276328c33b80bf8103431637751f5b6b5
Opcode Fuzzy Hash: 991a4b6e1d469d6f37db0c30a623ce30e13fa8107ae26c7dbcff4e3b94382050
Instruction Fuzzy Hash: B621B3761097C09FD7128F25DC45AA6FFF8EF06210F0984DFE8858B163D225A858DB21

Uniqueness

Uniqueness Score: -1.00%

Function 05921A45, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05921AB9

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 604e2caa6257272131b7488cecc87051dc3d45efc993fe03f11c117d608b4f72
Instruction ID: 72d13f534cf270e98efabc73dcbd66a9a358c374f60ba7238744970ff53b3eeb
Opcode Fuzzy Hash: 604e2caa6257272131b7488cecc87051dc3d45efc993fe03f11c117d608b4f72
Instruction Fuzzy Hash: 3F2189724093C09FDB238F25DC44A62FFB4EF07220F0984DAE9848F163D225A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05920C5A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920CB9

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a4567ee8f482b6b2a1eb758ca9e8d963d01c99181b8ab9bf93b07581e76616ce
Instruction ID: e721dca5b9ffe87fa570b28e393df64902ea4325b01e74d05aaf7c9713d17a45
Opcode Fuzzy Hash: a4567ee8f482b6b2a1eb758ca9e8d963d01c99181b8ab9bf93b07581e76616ce
Instruction Fuzzy Hash: 531194B1500204AFEB21DF55DD88F66FBE8EF44720F14886AEE499B155D774A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05921843, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059218A8

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fd49e4ca69069ef7cb359c943a5de24c03eaa9f6db7336bdceee22133f8871de
Instruction ID: 7aa733b09b343ce2cff9c3a228ea2f3e4648a77c5008cf31cbc7b68249ac6034
Opcode Fuzzy Hash: fd49e4ca69069ef7cb359c943a5de24c03eaa9f6db7336bdceee22133f8871de
Instruction Fuzzy Hash: 8A110476409784AFDB228F21DC84A52FFB4EF06320F08C4DEED858B563D275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05921DD7, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05921E41

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a59fd6127a6382197e03ec317d7c170520c2807d8fe4f07469d0e1b753a83181
Instruction ID: b1c3a0428f8d3329b2c4eb05a45c83c5e515b9ce42b964078f3991a4b28c9114
Opcode Fuzzy Hash: a59fd6127a6382197e03ec317d7c170520c2807d8fe4f07469d0e1b753a83181
Instruction Fuzzy Hash: 221190714093849FDB228F15DC45B52FFB4EF06324F08C49EED854B163D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0592179C, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 059217FB

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: bf67faa43ce5ec710e1970676d3cb677e93020ed9bfa1ddbd612b060b1fe1b99
Instruction ID: 2eead0a74c76ea4a88abfdabd3e018bf6976522f873d7c4cdd24fca79bc28b83
Opcode Fuzzy Hash: bf67faa43ce5ec710e1970676d3cb677e93020ed9bfa1ddbd612b060b1fe1b99
Instruction Fuzzy Hash: 8811E3755083849FD711CF15DC84F62FFE8EF06220F0880AEED458B262D238E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05920ACA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,D42FA0E5,00000000,00000000,00000000,00000000), ref: 05920B1D

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9508c0530253e18349bfb6f4b1a8a1ca1fddb27bb73bb71bdf99d9bea04de874
Instruction ID: 179ecda524824965d23836f1eddfad830a9d44f0f85945946264ee4b94295c32
Opcode Fuzzy Hash: 9508c0530253e18349bfb6f4b1a8a1ca1fddb27bb73bb71bdf99d9bea04de874
Instruction Fuzzy Hash: 8001F971500204AFEB20CF15DC89F66FFACDF44720F14C49AEE449B245D674A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 059201E6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05920237

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a27e5fad4057b7130cd947d89aae6ab7a31b14238f95110bec199319fbb64d92
Instruction ID: c9838767c2ba11f4a58b667b3077418892905e19bf52e00f9712b277f7eeeb95
Opcode Fuzzy Hash: a27e5fad4057b7130cd947d89aae6ab7a31b14238f95110bec199319fbb64d92
Instruction Fuzzy Hash: FD1118759042049FDB20CF65D988B66FBE8FF44620F0884AAED898B656D275E418CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0592191E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05921964

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7191bb1933e4a7eb9b1605d16c0198e5080dd239da8c8dde66dc8fab56241ce6
Instruction ID: fa151321773c27b8b2a6f66fda23df345958dab389dcf560804a373da1a72fef
Opcode Fuzzy Hash: 7191bb1933e4a7eb9b1605d16c0198e5080dd239da8c8dde66dc8fab56241ce6
Instruction Fuzzy Hash: 2A0180795006009FDB20CF19E884B66FBE8EF04320F08C4AEED458B655D371E468EF61

Uniqueness

Uniqueness Score: -1.00%

Function 0592166E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 059216A8

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 96eaad7c941086af07a5d04467d2eed3531684c8e0ca167ddce1d85e675aeade
Instruction ID: 7a8b99f78e4dc8907bbf5c2cfc17b60a90f3642acb0667c897cbb2017b0fdbbc
Opcode Fuzzy Hash: 96eaad7c941086af07a5d04467d2eed3531684c8e0ca167ddce1d85e675aeade
Instruction Fuzzy Hash: BD017C71A042408FDB10CF6AE885BAAFBE8EF44220F1CC4AADD49CF646D675E414DF61

Uniqueness

Uniqueness Score: -1.00%

Function 059217BE, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 059217FB

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c2f6a7f8d06789028e5b7f5eded93228b01aacfd7dece6ee44d1e7407d580f68
Instruction ID: b07540c0b659b41202581bb09415c61140091ef08a1d16af7a20b34a7c17d485
Opcode Fuzzy Hash: c2f6a7f8d06789028e5b7f5eded93228b01aacfd7dece6ee44d1e7407d580f68
Instruction Fuzzy Hash: D60184756102448FDB10CF15E884B66FBE8EF44320F18C4AADD458B655D275E454DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0592186A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059218A8

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9cc11876428ce6d9480848e2744038499460af6bce3e118e815ad1eedd13e6cb
Instruction ID: 5727deecc17014acacb05b90867b224a14eaf36dc01b80b6a4962970d87c6362
Opcode Fuzzy Hash: 9cc11876428ce6d9480848e2744038499460af6bce3e118e815ad1eedd13e6cb
Instruction Fuzzy Hash: 9E01B1315007049FDB208F16D884B66FFA5EF04320F18C49EED454BA55D275E468DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05921E06, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05921E41

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4718e79aeba8d0d3a3cc1c395eb6ddb3592ce65af957f0f6b0d10abaf6ae6a8e
Instruction ID: 1032adc367fa9171d44307f7cc02f109d315e0dc6e283d03a791442dc3bfe2d8
Opcode Fuzzy Hash: 4718e79aeba8d0d3a3cc1c395eb6ddb3592ce65af957f0f6b0d10abaf6ae6a8e
Instruction Fuzzy Hash: 3901BC715002009FEB208F15DC84B66FFA5EF08320F08C4AEED4A4B666D271A428DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05921A7E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05921AB9

Memory Dump Source

Source File: 00000000.00000002.328067581.0000000005920000.00000040.00000001.sdmp, Offset: 05920000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a04dfd74ac12e6d8df03311a73fb3f290b61dde486e2a5e011a649c28572fb84
Instruction ID: ffa939ad24f9e4db90b3b5d220abf2fcc75f915b5abf12ca09e166c9a98be97d
Opcode Fuzzy Hash: a04dfd74ac12e6d8df03311a73fb3f290b61dde486e2a5e011a649c28572fb84
Instruction Fuzzy Hash: FF01AD35400744DFDB20CF56E884B26FFA4FF48320F08C4AADD490B25AD275A468DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 074826FC, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

H<0m, xrefs: 0748266A

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID: H<0m
API String ID: 0-3201341484
Opcode ID: 738128aef0a09a31512019e3d5537a424479f57b20c799bc7ad17a643d41da5e
Instruction ID: ea8f31123658b0bee770334dfde550f83f3a6669cc90ff67adea5a133154fd29
Opcode Fuzzy Hash: 738128aef0a09a31512019e3d5537a424479f57b20c799bc7ad17a643d41da5e
Instruction Fuzzy Hash: 8DE0EC75A15149DBCB44DF60EA9069D7BF7FB8D311F1084AAE106E3248CB785E41CF00

Uniqueness

Uniqueness Score: -1.00%

Function 03209BD0, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd18e7048bdd11e4307368ab4cde75774ecd1405dca678e59daa2c6e012d7711
Instruction ID: f99c723139aa6282654e7c52631006e71a1cc7ffa8a70dcf247029ddd52d4041
Opcode Fuzzy Hash: cd18e7048bdd11e4307368ab4cde75774ecd1405dca678e59daa2c6e012d7711
Instruction Fuzzy Hash: 4B910431D10229DFDB14CFA9C880BDDBBB2BF85304F5480A9D509BB2A1DB755A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0320A0A0, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d2963d2c23b0882a973eb16c9878e8e80707ac2c91cf8c8af09a3bf9704a72
Instruction ID: dd9ae620e440c5b933c7c216aed398353114c1e83e671c6741b6be2bc2d712bf
Opcode Fuzzy Hash: e9d2963d2c23b0882a973eb16c9878e8e80707ac2c91cf8c8af09a3bf9704a72
Instruction Fuzzy Hash: 5A518C70E00219DFDB14DFB9D890AAEBBB2BF89700F64806AE405BB394DB715D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07481071, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595c158f27eba264ee7157a2f7e1e7768a6cec5bf9a5f97a39e9b9181ac3325e
Instruction ID: 30d12d32dacf89c6a9c6ff7b5676d299579807fc00aaebd7f73bcf2531b0aeda
Opcode Fuzzy Hash: 595c158f27eba264ee7157a2f7e1e7768a6cec5bf9a5f97a39e9b9181ac3325e
Instruction Fuzzy Hash: 6E318974E0825E9FDB40DFA4D8859EEBBF2FB49301F20856AD414B7344D7305A02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0320B748, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c1677d704ca8f8a3107309edff6b31a933984839421a4e87a8582e489cd15a
Instruction ID: 75d8e4ca63ca8b1dc190dad7cde851a0166c20bae668b12fc74089ebf01292d9
Opcode Fuzzy Hash: b5c1677d704ca8f8a3107309edff6b31a933984839421a4e87a8582e489cd15a
Instruction Fuzzy Hash: BA3118B4E1420ADFCB54CF99C5809AEBBB1FF88300F10916AD815AB765C378AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 032001C8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cac9545ada7bcc0fad9949fa53ae77d97519199366e419cf3991ab1fc07a7d9
Instruction ID: d8f05f6d70124d6ccad267c0611baf3d41114ea3849bc5ece9399673e4196901
Opcode Fuzzy Hash: 8cac9545ada7bcc0fad9949fa53ae77d97519199366e419cf3991ab1fc07a7d9
Instruction Fuzzy Hash: 54219A70C26209FFDB04DFA4D58069DBBB6EF89300F20D1AAC401AB2A5E7749B44CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0320D308, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8b003f5909a2c79315b0fc7d09dfa314eb9b4b1623f694167db8b58ddb385
Instruction ID: df051b530fbcf39a88e7cc38ec2b68fbda79c86be00df9047fbec18c939bf26b
Opcode Fuzzy Hash: c3b8b003f5909a2c79315b0fc7d09dfa314eb9b4b1623f694167db8b58ddb385
Instruction Fuzzy Hash: 322139B0D2620AEFCB04CFE9C5849AEFBB5FB84300F10949A9405AB295D7709B44DF55

Uniqueness

Uniqueness Score: -1.00%

Function 074828E6, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3624ea537bb0c18cb72b156b697e4e4b3dc2524093739612ebf8eea4cdcf7232
Instruction ID: 350d38984ad2f2fdae88b90f824cc83c1b4d28b42978f99c41963ccb4244d6a2
Opcode Fuzzy Hash: 3624ea537bb0c18cb72b156b697e4e4b3dc2524093739612ebf8eea4cdcf7232
Instruction Fuzzy Hash: C831BCB4D003289FCBA0DFA4D99479DBBF1BB0A310F60149AD44AAB251DB704A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 032001D8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4308474e6f46d4363d177d8a8704d01ef9e53c916a4c2aa8acdf0dd65129148
Instruction ID: cfe5405b47cdc4f80b285d8d86803598c4f7f2f4a6f5e714ee1122b0e5d2e8fd
Opcode Fuzzy Hash: e4308474e6f46d4363d177d8a8704d01ef9e53c916a4c2aa8acdf0dd65129148
Instruction Fuzzy Hash: 03215C70D26209EFDB44DFE5E6416ADFBF6EF89700F20E5A98405AB295D7709B44CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0326075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1658590d89fc1075bec66546d7a8c06a7faca866d0d0d647cf4f4cbe9d602809
Instruction ID: 9c8e01fc13c742c09f8709a47ce808d4c8dd00454d93d638bda6353b5ba89393
Opcode Fuzzy Hash: 1658590d89fc1075bec66546d7a8c06a7faca866d0d0d647cf4f4cbe9d602809
Instruction Fuzzy Hash: D411E434218245DFD706CB24D980B26BB95EF88708F28C99CE9491B692C77BD883DE91

Uniqueness

Uniqueness Score: -1.00%

Function 0320B870, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efdab6cb7096c72eb1778475e4f09ab4881214bf20c91a44806250300996e5e
Instruction ID: 549e9c5cd4e4b51dd260f2eb4df813e52192bcfe638410455b0de3e23fb97e96
Opcode Fuzzy Hash: 2efdab6cb7096c72eb1778475e4f09ab4881214bf20c91a44806250300996e5e
Instruction Fuzzy Hash: A72147B0D1420ADFCB14DFA9D5849AEFBF1FF89300F148595D414AB255D330EA448F90

Uniqueness

Uniqueness Score: -1.00%

Function 074810C0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35e7478cd4bde89c893783c7fd6aba5b8ac8eecaaa9eb43a9de46724d22402b
Instruction ID: 77a33076edb7a97b7c2264891b72026aaf1346b9be80891ce290b036c3a75234
Opcode Fuzzy Hash: e35e7478cd4bde89c893783c7fd6aba5b8ac8eecaaa9eb43a9de46724d22402b
Instruction Fuzzy Hash: 5E2103B4E0420ECFCB44DFA9C5845AEBBF6FB89300F20856AC825A7348D7345A068F90

Uniqueness

Uniqueness Score: -1.00%

Function 03200091, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82425d59c31b3ed37ee87dc589bb79c11a820e5d4096675b86e975a6d0ad9f03
Instruction ID: 1219efa20e86704259aeb3bc0aabd333cd71f79d429e66ebc76b770a5daff029
Opcode Fuzzy Hash: 82425d59c31b3ed37ee87dc589bb79c11a820e5d4096675b86e975a6d0ad9f03
Instruction Fuzzy Hash: 96119A30895308AFCB00EFB4D10659DBBB0FB46305F2080AAC006AB156E7359A98DB95

Uniqueness

Uniqueness Score: -1.00%

Function 03260738, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424682536206a2e6f0add4a881f6a4174240cacbd17677cbd456ec7e427db2ce
Instruction ID: 3e683072239b42db506823fb5c6eaa1ec1ee9a9c7800131ab067dfa396e25e7f
Opcode Fuzzy Hash: 424682536206a2e6f0add4a881f6a4174240cacbd17677cbd456ec7e427db2ce
Instruction Fuzzy Hash: 3D114C3550D3C59FC713CB20C890B15BFB1AF46204F29C6EED4898B6A3C33A9846DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0320D418, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6516a02aefab5cb831277c582e566dbd264aa4fbd2d4f01f0adc043bc621bb24
Instruction ID: 87756832e2b1ae0e1aad3fd75859c621c1760f6f29772a5d5c34a934a1df769f
Opcode Fuzzy Hash: 6516a02aefab5cb831277c582e566dbd264aa4fbd2d4f01f0adc043bc621bb24
Instruction Fuzzy Hash: 7B113678E15109EFCB04DFA9C588A9DFBF2EF88300F55C099E519AB365DB70AA44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 032000A0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1b42c9b71663e45b5d3b6f688c8f24c0077147980c895f5d9a0ea4497ae42d
Instruction ID: ee1df26c884578f2f42c5654a8ed4245a194a5bc8a24479179c694efbb74db5d
Opcode Fuzzy Hash: 8d1b42c9b71663e45b5d3b6f688c8f24c0077147980c895f5d9a0ea4497ae42d
Instruction Fuzzy Hash: 3E01F130D50208EFCB44DFA4D2026ADFBB0FB4A301F20D0AAC006EF245DB709A98DB55

Uniqueness

Uniqueness Score: -1.00%

Function 07482942, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a5521325c53adde988040561492fc6450eb7bef6a118153009a89a104d3512
Instruction ID: 51d612c7b9630bc598d6421743ca22bf5acb78c7fa616e3abfb0e89f7ae37ff8
Opcode Fuzzy Hash: 14a5521325c53adde988040561492fc6450eb7bef6a118153009a89a104d3512
Instruction Fuzzy Hash: 7021ABB4E002288FCB60DF68D994B9DBBF1BB49314F5050AAD40EAB351DB305A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 032605CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd23570fc235439dcb60b391fd955084da9ba9ede31a53fc7075bc38f14a22ff
Instruction ID: ac609cf2e8c96ef62f057edcec58974e644e449a272a97e2431293675bf2d62a
Opcode Fuzzy Hash: bd23570fc235439dcb60b391fd955084da9ba9ede31a53fc7075bc38f14a22ff
Instruction Fuzzy Hash: D70186765097806FD7128F16EC55862FFB8DF86620709C49FEC498B613D22AB809CB76

Uniqueness

Uniqueness Score: -1.00%

Function 03260700, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba382d9853942c39c539d0980624839fa6e76f56f7956927a3c430ff56ed28c7
Instruction ID: 35e939dbdfd85ecfe6da4d5191a28dbbd36f8a6187b55c1eef13bff4173ed8ab
Opcode Fuzzy Hash: ba382d9853942c39c539d0980624839fa6e76f56f7956927a3c430ff56ed28c7
Instruction Fuzzy Hash: F6110C3415D3C19FC343CB20D850B65BFB1AF86318F29C6DED4854B663C27A9856DB52

Uniqueness

Uniqueness Score: -1.00%

Function 03202DEE, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d5e525f2116057de1d1c5ac59cdcd4172ac7d73a027d453e622909e7561881
Instruction ID: 46954f0c4108a577f7374ca9959e12e5c2c8a7e4d4ef1777789464cbac73ac31
Opcode Fuzzy Hash: 75d5e525f2116057de1d1c5ac59cdcd4172ac7d73a027d453e622909e7561881
Instruction Fuzzy Hash: 95116D74902328CFDB2ACF65C854A9DFBBABF88300F1090EAC508B6265DB315B91DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0320604F, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1371afd3d1445e2482d7e2da5cf970760ba83d884ff942d040dcf1338f6f1716
Instruction ID: ed124f857c896e76761eb2c0c677ec9b6e8756b0a6f83a546d24a3600edf2148
Opcode Fuzzy Hash: 1371afd3d1445e2482d7e2da5cf970760ba83d884ff942d040dcf1338f6f1716
Instruction Fuzzy Hash: 0AF06D70E552499FCB41EFA8D5486ACBFF1FB06310F0481EAD808D7361E7760AA4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 032018E6, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5505471225e6d69ed523f3ddfbcc7c5ae4b7e15a6a88459b4094bc63f250f2d5
Instruction ID: 7aac7eeb2044bbfe3cb2620d64ba00d3f4d0c669aff88e7dcda9248bc1692136
Opcode Fuzzy Hash: 5505471225e6d69ed523f3ddfbcc7c5ae4b7e15a6a88459b4094bc63f250f2d5
Instruction Fuzzy Hash: FC01F438C2560ADFC751CFB0C8849E9B770FF49310F051995C11AAB291D7349A89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03202E10, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a655ef020e46c4b879af3dc1f75818f9da19207ee896d92a56ca94daa4d2a0
Instruction ID: 6dc65044b45d42def67b00fd673a7a5394e0073934f8c91ac89d850a44956231
Opcode Fuzzy Hash: 39a655ef020e46c4b879af3dc1f75818f9da19207ee896d92a56ca94daa4d2a0
Instruction Fuzzy Hash: A301E9B4D112288BEB66DFA5CC54B9DBAFABF88300F10A0D9D50DB6254DB314F819F01

Uniqueness

Uniqueness Score: -1.00%

Function 0320DE68, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2716d3fe6d5ba2e92bad393022e4f30b08346dcb9986749fbd0939fb37a6ab24
Instruction ID: b702432e2e4d442add32f78d9c7ec7336f21d0affa40801fe7d949d3dce6bae7
Opcode Fuzzy Hash: 2716d3fe6d5ba2e92bad393022e4f30b08346dcb9986749fbd0939fb37a6ab24
Instruction Fuzzy Hash: 1101FB74D0011A9FCB50DFA8C4449AEFBF0FB08301F548196E864A7385D734AA84DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03260818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 3d485f5f4469d24bc0a8f5614cd96c859767c592c7f21c0ff6eac59b62303f61
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: C8F01D35108645DFC706CF40D940B15FBA6EB89718F24C6ADE9490B752C337E853DE81

Uniqueness

Uniqueness Score: -1.00%

Function 03205E70, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdb77a090306c6d7f36d5ccf75d3409c9dbae2e942079904049bcb2e4b272bd
Instruction ID: 9d17d2167ced37b3c1958972c09cc33972710e5202bb3d10e8f7173347a69ef9
Opcode Fuzzy Hash: 8cdb77a090306c6d7f36d5ccf75d3409c9dbae2e942079904049bcb2e4b272bd
Instruction Fuzzy Hash: F4F06D74A853489FC752FFB8950426C7FB0FB82321F2401BBCD40DB261EA350A96D752

Uniqueness

Uniqueness Score: -1.00%

Function 07485222, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23070f775406d1aee49349915fe8b719b9ffa6ad5720e07774bfa36ef410525
Instruction ID: 86c86cab96221ec55ce5a6cf180363f3c0c6f60ad67c8afacdc81bc865dd5f39
Opcode Fuzzy Hash: a23070f775406d1aee49349915fe8b719b9ffa6ad5720e07774bfa36ef410525
Instruction Fuzzy Hash: 490192B0D4A26A8FEB64DF55CD80BDDBBB5BB54710F4084D9C109A7290DB755A80DF00

Uniqueness

Uniqueness Score: -1.00%

Function 03200B4C, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e35ca5a9cf30bef1d9e702a05799517d73a990b38eed22ee20e42d5712de8f4
Instruction ID: b6f238cfbe46dc160465b89c7a37e700ad7897188e54784eb8b0e10a5a3f2b4e
Opcode Fuzzy Hash: 8e35ca5a9cf30bef1d9e702a05799517d73a990b38eed22ee20e42d5712de8f4
Instruction Fuzzy Hash: 8701F230A2021ADFCB25CF10C944BD9B7B2FB89304F1089E4C15EAB265E7705E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03205BF0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e81121db0fff95b762bba1daa5343b5ee40d8027075fd780186937259e322a
Instruction ID: b841fc235f6a8bc8b801844820f70c05f533df869550cdd3778f06b17e303f65
Opcode Fuzzy Hash: 77e81121db0fff95b762bba1daa5343b5ee40d8027075fd780186937259e322a
Instruction Fuzzy Hash: 56F05870D493489FCB45EFA884011ADBFB0EB46310F1485EBC81897252D2351955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03205EB8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dc723007562dafaadcdd42d473101a10876ed87d1debb525d9c2e8dc120235
Instruction ID: c48ffb183efcd85052ab0ff4ff5263bf63f5327f1a9955abf05a098fcf312ed6
Opcode Fuzzy Hash: 52dc723007562dafaadcdd42d473101a10876ed87d1debb525d9c2e8dc120235
Instruction Fuzzy Hash: 24F06D34A953449FCB45EBB895152AC7FB0FB82314F2500FBC840DB251D7360A8AD762

Uniqueness

Uniqueness Score: -1.00%

Function 032605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322543430.0000000003260000.00000040.00000040.sdmp, Offset: 03260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af48e96a0341bdb70b86be31816ac1f2d603f31651e4e1ae55aac76ae8c09fb9
Instruction ID: 732d5bfb55bd7824a4f958b57089ac0173cf9776b57bd0c6a07d40aa0bfd8675
Opcode Fuzzy Hash: af48e96a0341bdb70b86be31816ac1f2d603f31651e4e1ae55aac76ae8c09fb9
Instruction Fuzzy Hash: 68E06DB66006004B9650CF0AEC85452F7D8EB84630718C46FDC0D8B701E135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 03201DB0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c775d9de3715bae78bff0adcf043dd4f17df1b8eccce59284639eee9479415e7
Instruction ID: bd240129e6557f81c548afa4591b9dc3527de94826f13e74f43ed620f0d8d49a
Opcode Fuzzy Hash: c775d9de3715bae78bff0adcf043dd4f17df1b8eccce59284639eee9479415e7
Instruction Fuzzy Hash: 5EF03970E45208AFCB54DBB4E4496EDBBB0EB46311F2081FBD814A7611D63A1995CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03201DF9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30457275ce6799ce5830659d5f066ab86707090240324fcbd5804d0db702ca10
Instruction ID: a376a9ee4a719a0de167eba1a556f55d97280f3ae6a6eaafe5b984e3d06ceb0a
Opcode Fuzzy Hash: 30457275ce6799ce5830659d5f066ab86707090240324fcbd5804d0db702ca10
Instruction Fuzzy Hash: 89F06534446344DFC716EF74D8059997FB4FF16300F6040EAD9449B261F3358A59D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 032017EF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a048a74c752cc251013bd45109dcdf3fadc4373ef7f0eee9c6c8cf03edcbc8
Instruction ID: d05b0f28516d12d255601cc2c217545721db04399eff1f32fa8dbea25c403317
Opcode Fuzzy Hash: b1a048a74c752cc251013bd45109dcdf3fadc4373ef7f0eee9c6c8cf03edcbc8
Instruction Fuzzy Hash: A6F0A434A51218CFD725CF20D859FEABBB1FB4A301F5180E5E509AB294EB306E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 074848E1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830973126c8995d0213c8cf008c09c5d75a81f5733294cf75757e10ab9e5f7a9
Instruction ID: e9c8b590334baf1160d62ec61f4ee2e2a1427d69ee96d63921ece1ff17198789
Opcode Fuzzy Hash: 830973126c8995d0213c8cf008c09c5d75a81f5733294cf75757e10ab9e5f7a9
Instruction Fuzzy Hash: BAF0E2B5C4522E8ECB30DF28C948BDCBBB1AB59300F1085DAD45967211D3B40BC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03202577, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086e5dfe5b9fcc7d0fb7cab9bf6eeca233728cfb58e5d00f0b9ce613c9bc0814
Instruction ID: 67704686c13e88fc5622aeed39311e86d517e543bfe113b2d9560479d9b4b32e
Opcode Fuzzy Hash: 086e5dfe5b9fcc7d0fb7cab9bf6eeca233728cfb58e5d00f0b9ce613c9bc0814
Instruction Fuzzy Hash: 73F039349593849FC705DFB49458698BFF0AF06300F2480EBC888DB392D6360949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03200189, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3cf2e63c73a609a11c200b7e0f953cec046591fcc1428576a8f3012ca80f9e
Instruction ID: 5314c0f8d6e923c6436919217ede8d81a1864f2ef8c3c020adc9b47736640c95
Opcode Fuzzy Hash: 5a3cf2e63c73a609a11c200b7e0f953cec046591fcc1428576a8f3012ca80f9e
Instruction Fuzzy Hash: C5E0D8748563948EC742EB7884092AC7FF0DF03214F7541FFC480E9162D2390946C761

Uniqueness

Uniqueness Score: -1.00%

Function 07483D48, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac462e3a7d44b711f90dd43361e5406079bfc37fa87340f120d91a06cd838036
Instruction ID: c26a5db1462219089d4c0cfd8ed8e59ab6edc9353c85546530e4cb902ddd15aa
Opcode Fuzzy Hash: ac462e3a7d44b711f90dd43361e5406079bfc37fa87340f120d91a06cd838036
Instruction Fuzzy Hash: 83E04F70E4520CAFCB50EFA8D849B9EBBB0EB44300F4041A69854A7380E7355A468B99

Uniqueness

Uniqueness Score: -1.00%

Function 0748541D, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9495d9e55231b39ec6c8711d7a7b591945bafc38a13612aa731538fee2948a97
Instruction ID: ab157aa47bb9e3ee23a713e61cb13a072b1a126dd984d50e9c0b7214c9559a26
Opcode Fuzzy Hash: 9495d9e55231b39ec6c8711d7a7b591945bafc38a13612aa731538fee2948a97
Instruction Fuzzy Hash: 9BF0D4B19012298FCB64DFA0C950BEDBBB4AB45300F5004A9D259AB290D6346B85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07483F38, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad77f58ec3c1735a02c012b1df0523d89a457db7eac9ed86262de60d2caf4aa8
Instruction ID: fcd1750755b147a99778573b1b5f5475863a51a83b13b9b7146c5bd6bfbb0819
Opcode Fuzzy Hash: ad77f58ec3c1735a02c012b1df0523d89a457db7eac9ed86262de60d2caf4aa8
Instruction Fuzzy Hash: 71E0DFB0E40308DFCB10EFB4E808AADBB70EB09300F1041A9D824A3380E7721D44DB95

Uniqueness

Uniqueness Score: -1.00%

Function 07482F38, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d80049ab9b31809246079dbd2b6574f1a723fa5efb2f10d18b9eb409e03a689
Instruction ID: 83d208d4e76cdb972a28d6fed6daf8bc5de7b80cd738b8578f239d15a4d023b7
Opcode Fuzzy Hash: 2d80049ab9b31809246079dbd2b6574f1a723fa5efb2f10d18b9eb409e03a689
Instruction Fuzzy Hash: 19E0E670E5020DAFC7A4EBB8D84679DBBF4FB04704F5041A99854D7380E7759A14DBC5

Uniqueness

Uniqueness Score: -1.00%

Function 07483C81, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fbcf15e60421758731fc33ed4ceb425f19a9a062cf2613b727a824ccf8d78c
Instruction ID: d6a11068391336eed86d538fa7a8461e82e5dea2cb84da9788a061fc40d326fd
Opcode Fuzzy Hash: 09fbcf15e60421758731fc33ed4ceb425f19a9a062cf2613b727a824ccf8d78c
Instruction Fuzzy Hash: ADE04FB5E40208AFC790EFA8D84978DBBF0EB08300F1040A9D814D7382E735D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 074835C0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e679e8901a9108d388175a2f8d7a91ef184c68b8b7171d0d59037d08e54f31e
Instruction ID: e74c558b4599031899ba7905b374b57ad611a49021acc4a6e7686e7db3d3f6dd
Opcode Fuzzy Hash: 4e679e8901a9108d388175a2f8d7a91ef184c68b8b7171d0d59037d08e54f31e
Instruction Fuzzy Hash: B9E04FB0D4420CAECB54EFB8A4153DD7FF4AB04200F104ABAD85496341E77A9650CB85

Uniqueness

Uniqueness Score: -1.00%

Function 074835FF, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446f19fd2f3572188711273fe428000cd9f763939b5de00f17451d352f157ccc
Instruction ID: 233df4336531d884b603dfadf734b34398a8292d6881e251604ff6530f73f494
Opcode Fuzzy Hash: 446f19fd2f3572188711273fe428000cd9f763939b5de00f17451d352f157ccc
Instruction Fuzzy Hash: 41E01AB0D402089FCBA4EFACD8497DDBBF0AB44700F0041BA9814A6341E73555428B81

Uniqueness

Uniqueness Score: -1.00%

Function 03200CD9, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe6912994b6d60c92961bf5c7d0f0d6c049973e19eb0f5768a033dccba8da77
Instruction ID: be7eea84f8a7631a92117efff54886c93f07057b487c95703d94e278eaaec806
Opcode Fuzzy Hash: 2fe6912994b6d60c92961bf5c7d0f0d6c049973e19eb0f5768a033dccba8da77
Instruction Fuzzy Hash: 3DF015749116299FEB92CBA0C844FDDB7B6FF49300F4144E1D209AB2A0DB70AA89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07483E69, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6010d85fcd937158055b410dd3255049243ab99f65f0eaa2f71ad1c98e756b5
Instruction ID: 4f811c1790057910be98c63da6e0593a52c2b760bd2a325351feb1f6fefd12ed
Opcode Fuzzy Hash: c6010d85fcd937158055b410dd3255049243ab99f65f0eaa2f71ad1c98e756b5
Instruction Fuzzy Hash: C9E04F74D1420AAFCB90EFB8D4497EDBBB0EB44600F0441A99828E7340E7755918CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07483CC1, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd6a87936585aa5f24f5793b6a7ca9bd37efc431431a22ad5b0621c05be7a28
Instruction ID: 61b147369e529c230180a2cde29c81bae728fdd3a9885036bd30ea726162704b
Opcode Fuzzy Hash: dcd6a87936585aa5f24f5793b6a7ca9bd37efc431431a22ad5b0621c05be7a28
Instruction Fuzzy Hash: B5E0C2709841096BC7E0FBBCE80A38D7BE0EB04200F4004619808D7381E332954583D6

Uniqueness

Uniqueness Score: -1.00%

Function 074854FA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ec9f8353524fd8bfaa628e5b1feeee61c588f20f3a4a6a0a4038db217ca383
Instruction ID: f90888708efda26642873512771e4e269444e639bfd50ca98e0b7b4d5b63eca0
Opcode Fuzzy Hash: b7ec9f8353524fd8bfaa628e5b1feeee61c588f20f3a4a6a0a4038db217ca383
Instruction Fuzzy Hash: E5E092B5C5022E8FCB94DF64C9857ECFBB4AB24350F1001EA8118A7210D7352BC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03200151, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99500508bce6e26aa9ea967c852a66cb60b1addf472dca8caa2c953198cb105
Instruction ID: 2f2ccdfc444a33d88b4944e095289f5dbed298d7b3f085c57b430e1a86b67a1b
Opcode Fuzzy Hash: f99500508bce6e26aa9ea967c852a66cb60b1addf472dca8caa2c953198cb105
Instruction Fuzzy Hash: D6E0C23048A3448FC3529F7894052AD7BB0EB02310F2581E7D844DA193D23D0847C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 07483641, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5a1b67b5c31bdcd9ab8434b67e14ff97d62e474cb4fc9d93e8cc2f409cc54d
Instruction ID: b28b9831c8808072c983d3d49abbfe516c6af99ca68e8fd6fd0b1483a4c6739d
Opcode Fuzzy Hash: 6f5a1b67b5c31bdcd9ab8434b67e14ff97d62e474cb4fc9d93e8cc2f409cc54d
Instruction Fuzzy Hash: 5EE04F70D0414C9BCB90EFBC9458BEDBFF1EB48708F1495B59858A7341D6351554CB84

Uniqueness

Uniqueness Score: -1.00%

Function 07484C1B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4970a33ddd5976e2cd179fc802c06d8318b06c6d69de331f5f37026d100520b
Instruction ID: 0e0c012a2cd792986f733b5b8193d1151adb1533ce991b0b6432808bea0050a3
Opcode Fuzzy Hash: b4970a33ddd5976e2cd179fc802c06d8318b06c6d69de331f5f37026d100520b
Instruction Fuzzy Hash: 6BF0FBB180022ACFDF24CF60C984BECBBB1BB48314F0090EAC108A6250C3309A90CF10

Uniqueness

Uniqueness Score: -1.00%

Function 03201E08, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31d73636cb6a8452f7ec9fd5dd7ac316e8dc4a8c0f41c14f3222cc1e563d8d
Instruction ID: f719df0f2b6bd8872841f1d08799bb96a7075ed25508790e81094f450bbf8098
Opcode Fuzzy Hash: 3b31d73636cb6a8452f7ec9fd5dd7ac316e8dc4a8c0f41c14f3222cc1e563d8d
Instruction Fuzzy Hash: 71E08C34841208EFCB44EFB4C405A9DBFF5EB04300F5040A9D90457260E732AAA8DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07484B17, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436258bde6c2cfb8090a04ceaa61786b403451c8542cef357bf0924b96a92d23
Instruction ID: 43ee6ecbaa1384241c43575ddd958eb80610ee9eb0a988320d7bf5b20e6998b3
Opcode Fuzzy Hash: 436258bde6c2cfb8090a04ceaa61786b403451c8542cef357bf0924b96a92d23
Instruction Fuzzy Hash: C0F098B184126EEFCB64AF58C9543EDB770AB01711F8085DA811AB7290DB300BD2DF54

Uniqueness

Uniqueness Score: -1.00%

Function 07483EE9, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9927a7761f29048ebdacf5db8afbcd9513398254a3948b518df03693399b614d
Instruction ID: 2096f947aaa1567af3b28afd8455c8484ff2b4b957f0ff7fad9cfd576a1cad4c
Opcode Fuzzy Hash: 9927a7761f29048ebdacf5db8afbcd9513398254a3948b518df03693399b614d
Instruction Fuzzy Hash: 30E0C27084414CAECF41BFF8A4487EC7FB5AB04300F6408B4984893241DA720958C390

Uniqueness

Uniqueness Score: -1.00%

Function 07484EFE, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b0fa04cf4be30f60db31699c9f871aafcfe80dd1f88185438169e8330774f0
Instruction ID: 63c235b7be115a0b6aebe76e3042f094b1df42e89981eef0674d904eeea43b40
Opcode Fuzzy Hash: 39b0fa04cf4be30f60db31699c9f871aafcfe80dd1f88185438169e8330774f0
Instruction Fuzzy Hash: 06E0E5B1C0626A8FCB24EFA0CA44BECB7B5BB55300F4084DA8259A7151D2345A81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 03202588, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7ff6d2bf08c78a97fe74234d7f6adc246b71b5f324d084571c13cdfe40e257
Instruction ID: 72572c0c49a339a20002ea7b8222daaee01fe41259f5e8efb96299cb1a37306c
Opcode Fuzzy Hash: cb7ff6d2bf08c78a97fe74234d7f6adc246b71b5f324d084571c13cdfe40e257
Instruction Fuzzy Hash: B9E0EC74D04208DFC754EFA8D4497ADBBF4FB49301F1081F9D848A7350D6755A58CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03201DC0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35af41c652adb1da6519643ca46bdf019d3e8cced6f478a407e2a6a5ef2b264
Instruction ID: 671b260ea1b57b33ddc3f5f19e52a70fc3e38be96c6ebf5ac1d49c5c572d7fd0
Opcode Fuzzy Hash: e35af41c652adb1da6519643ca46bdf019d3e8cced6f478a407e2a6a5ef2b264
Instruction Fuzzy Hash: EEE08C34D00208AFC744EFB8D0086ADBBF0EB49300F1081F99818A7340D6702A94CF81

Uniqueness

Uniqueness Score: -1.00%

Function 03205C00, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3576b34e247b6379e52b6306d3d612e2e614c1c6e21d408478a7246d38bc0efe
Instruction ID: 0006167e7f86e55b555fc64d390b693e870ada5a1802fd5f7a7771731456839c
Opcode Fuzzy Hash: 3576b34e247b6379e52b6306d3d612e2e614c1c6e21d408478a7246d38bc0efe
Instruction Fuzzy Hash: AEE0B674D0420C9FCB44EFA8D9456AEBBF4FB44300F1085AA9828A7340D7706A95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03206215, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95da126fef44811b50f2959ac555852f6229b2684f62604ceb0b42c5c719b50
Instruction ID: 145c2aa59ea840f8505dad1462700e1d06e9dd4d36f1650e6e12262c85eb68de
Opcode Fuzzy Hash: c95da126fef44811b50f2959ac555852f6229b2684f62604ceb0b42c5c719b50
Instruction Fuzzy Hash: A5E0EC70E512089FCB94EFA8D14529CBFF0EB85311F1081BBC804A6340D7790A59CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07483D58, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2c9ae3d69b8f0004546b1bb7a5669860e83a0827ec0ed92b43c4a9060b4d74
Instruction ID: b6418e2d497ec76014660607787055356f1da1c5aa2ca029b5990a250c02a647
Opcode Fuzzy Hash: dc2c9ae3d69b8f0004546b1bb7a5669860e83a0827ec0ed92b43c4a9060b4d74
Instruction Fuzzy Hash: B4D017B0D4520CABCB54EFA8D4486AEBBB4EB88700F1081AAD828A3340D7351A55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 07483650, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de871e9e98c7a7c5b0c53594bd1dc28240b4038aae263b27f4bb0594c029af6b
Instruction ID: ca462d47c6a6803e5e00da6fbc18b03eb4e793fc77f52d671afec06d97b8a3e6
Opcode Fuzzy Hash: de871e9e98c7a7c5b0c53594bd1dc28240b4038aae263b27f4bb0594c029af6b
Instruction Fuzzy Hash: 9DD05EB0D0420CAFCBA4EFBCD408A9DBFB5EB44700F1081AA9828A3344E7351A55CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07483C90, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b506a48b77ac4e5acd8bec8420ff165254fd2913162ac3ca247b33ab0651da2
Instruction ID: 722269f2892356d6afe3993a3e1c83d61206d2b21d41a015e0a023a8e058702e
Opcode Fuzzy Hash: 7b506a48b77ac4e5acd8bec8420ff165254fd2913162ac3ca247b33ab0651da2
Instruction Fuzzy Hash: 54E0ECB4D0020CDFC754EFA8D44869CBBF4EB08700F1041A9D814D7350E7359958CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0320082C, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d81f45bbdd24e98c12e329752d95c3308dabd146a73718ceda226fb42049af
Instruction ID: 9890fc8a6fbb3011f936edcec62cccc622037856c1570593ffcb750c82b2f3af
Opcode Fuzzy Hash: f2d81f45bbdd24e98c12e329752d95c3308dabd146a73718ceda226fb42049af
Instruction Fuzzy Hash: 1CE065709203198FD720CF10D999BAAB771FB48310F108195951AAA295EB305E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03205E80, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5eba01774de615a84ae3be7cbc55f7d8a0d6448321480ac6d85bf9e33f94e7
Instruction ID: 1069080f6d84aa55334c3063d0e5baf79969c16f40bc713688126b4c2caf3dab
Opcode Fuzzy Hash: ae5eba01774de615a84ae3be7cbc55f7d8a0d6448321480ac6d85bf9e33f94e7
Instruction Fuzzy Hash: F1D01774A442089FC754FBBC980926DBBF5AB84201F2404A89D44AB380EA715A95CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 03205EC8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d780cdcfc90643206dd593701fac4a7e92244d6a7317f21873df8ac396f9c
Instruction ID: 932e10dcd3dd1ef0f60dec1ecde467e64d46740167b6f32decbbcca8aab1aedd
Opcode Fuzzy Hash: 620d780cdcfc90643206dd593701fac4a7e92244d6a7317f21873df8ac396f9c
Instruction Fuzzy Hash: BDD01774D542089FC744FBB9940926DBBF5AB44300F6000A88D44AB380EB719AD8CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 07482F48, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f62bd42508ed1e71eede5974d08a0f3b0fdf44e3efcce97d174d799a6435cb6
Instruction ID: a59be7abf2949a0c8b9caac49bb8d9bc51861e64d9eeb0e4e6697c1687072cca
Opcode Fuzzy Hash: 9f62bd42508ed1e71eede5974d08a0f3b0fdf44e3efcce97d174d799a6435cb6
Instruction Fuzzy Hash: 93D017B0D0020CAFCBA4FFB8D44569DBBF4EB08700F1041AA9818A3340E7755A14DB81

Uniqueness

Uniqueness Score: -1.00%

Function 074835D0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58549211d8c05d84019d430f7dbeafd24ead925285dbe3aea5743c4c018d4a8
Instruction ID: 9ae5371ed00435cc8ef9f33b9fcdd878266434430f78c2fee8ba1d8e88d25c01
Opcode Fuzzy Hash: b58549211d8c05d84019d430f7dbeafd24ead925285dbe3aea5743c4c018d4a8
Instruction Fuzzy Hash: D5D05BB0D0420C9FC750FFB9940439DBFF4AB04700F1041EAD85492340E7359654CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07483E78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011af9f81815ee91034328a563ece985ffb1af3d3c0f6b00b42f477ebc7dc8c4
Instruction ID: 80b0a34cd6ee9e7bee55206e55cd01fe21416a12f7d26054d9a8d06cce225608
Opcode Fuzzy Hash: 011af9f81815ee91034328a563ece985ffb1af3d3c0f6b00b42f477ebc7dc8c4
Instruction Fuzzy Hash: 47D017B4D1020DAFCBA0EFB8E4086ACBBB4EB44700F0041AA9828A3340E7355A58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07483610, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa3d6ce8ccf96164a8474ec9376fd054ba13d4568d37857fa0d36fe8f03f601
Instruction ID: 18a75bce9d0c8ea11e1d58c76cd293a977df13242afb1678bb5dcc9f0f493ab3
Opcode Fuzzy Hash: 6aa3d6ce8ccf96164a8474ec9376fd054ba13d4568d37857fa0d36fe8f03f601
Instruction Fuzzy Hash: 41D017B0D0020CAFCBA0EFBCD40869DBBB4EB04700F0041AAD818A3340E7356A55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03206218, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024ea11aedf6ac29ce4d414dc5fa01b4ddc61ed710982d9c1a028348669c7284
Instruction ID: ad945419ad876c3064d2897875df985913fe359ff4e6534d52b0f64cae7e044a
Opcode Fuzzy Hash: 024ea11aedf6ac29ce4d414dc5fa01b4ddc61ed710982d9c1a028348669c7284
Instruction Fuzzy Hash: 29D01770E01208AFCB54EFA8D54529CFBF4EB04300F0040EA8848A7380EB745AA8CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03206060, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3002134b51a94bdd135cd3a7b4cf556af5f8896b1cecebe0704ab9a44729821
Instruction ID: 4bddb7446ecd0aaa14b047070adfaa1f890354068629f68cf95775b3b8e4526c
Opcode Fuzzy Hash: c3002134b51a94bdd135cd3a7b4cf556af5f8896b1cecebe0704ab9a44729821
Instruction Fuzzy Hash: 0CD01770E40208AFCB54EFACD5096ACBBF5EB04300F0080A98858A7340E7755A94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07483EF8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564079df5a1aeaf92a4e04a39871490107378d26c7d400acf7700c2d52191174
Instruction ID: fd5257a81e9cdc55d4bf4d628f3e72e5200d12881bc499bfc0b69f44dbe21b75
Opcode Fuzzy Hash: 564079df5a1aeaf92a4e04a39871490107378d26c7d400acf7700c2d52191174
Instruction Fuzzy Hash: 20D0A77085010C9FCB50FFB8A4047ADBBB4EB00701F1005B9880453340EB711964C791

Uniqueness

Uniqueness Score: -1.00%

Function 03200198, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291e9f4c2dd20859a7e51e5475d1f29f1a3e23ad53133e9870c6667d860dd0a7
Instruction ID: af42952029ff251edba0aa68f5513c645c06ff999315e0a913ce760c06a80709
Opcode Fuzzy Hash: 291e9f4c2dd20859a7e51e5475d1f29f1a3e23ad53133e9870c6667d860dd0a7
Instruction Fuzzy Hash: FAD0A7B08152189EC744EBBC950636DFBF48700601F5041F99C4466241E6741B5497A1

Uniqueness

Uniqueness Score: -1.00%

Function 07483CD0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d3c3127e11e86f5b882203e775b9acf93a02140d25491717e63db514d21aaf
Instruction ID: 4758095eb6ed8882a1b95205f1f76d94d0cfc9f598f9330d135d8cbf1727349d
Opcode Fuzzy Hash: 41d3c3127e11e86f5b882203e775b9acf93a02140d25491717e63db514d21aaf
Instruction Fuzzy Hash: 29D0A9B0C0020C9BC790FFFCE40928DBBF4EB08700F5005A59808A3300E7322A5887E2

Uniqueness

Uniqueness Score: -1.00%

Function 0320A2E8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9647967bfe73b0edf31ca64c954d314e0098a0f9f326aea09ce9f6312b40cf
Instruction ID: 620a695607f8b09506978e49ecb693c52871c5a21a1440c3b60a522355f11797
Opcode Fuzzy Hash: 5a9647967bfe73b0edf31ca64c954d314e0098a0f9f326aea09ce9f6312b40cf
Instruction Fuzzy Hash: 6AD0A9320402088FC320EBB4A80C629BBA8EB0A202F9140A1A42883100EB33089897E1

Uniqueness

Uniqueness Score: -1.00%

Function 07482B6A, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35da8911e3d90c68a22a251f45a75b9fad91755360fdb624b87948b08e6ce2e
Instruction ID: 6a34bf1748cb5ac76428d4a8908f85fdaa9b0de0308b57efe7e5121f4691d381
Opcode Fuzzy Hash: c35da8911e3d90c68a22a251f45a75b9fad91755360fdb624b87948b08e6ce2e
Instruction Fuzzy Hash: DBE0BD74E4521CDFCB60DF60E994B8EBBF2FB4A201F2184AAD05AA7214DB705E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 074849C9, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78941a68d79552f72f753485643ac26e7ab0a6466ab225f06b953c6499dba91f
Instruction ID: 77d1407c760812bfb0d190861b313c2278ce1e6409e4f65169101936e94c1e8f
Opcode Fuzzy Hash: 78941a68d79552f72f753485643ac26e7ab0a6466ab225f06b953c6499dba91f
Instruction Fuzzy Hash: 27E0E2B5C0526A8FCB24DF60C9847EEBBB0BB51350F0084EA8049BA140D3384B81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 03200160, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd34ba3a7b472ca957abf1fff0419522f9b1ae762ca43dfe98b36ef06dfeab02
Instruction ID: 0ccbbd5fc6e0cf6b0da860a4989934e9e95326dac4befea544f0a9eba6a5ed57
Opcode Fuzzy Hash: dd34ba3a7b472ca957abf1fff0419522f9b1ae762ca43dfe98b36ef06dfeab02
Instruction Fuzzy Hash: E6C080704462089FC350EEB9940671AB7ECC701500F014565580893241D579295485F6

Uniqueness

Uniqueness Score: -1.00%

Function 0320159D, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab35433f8e28754d7f7d86c19bda4220a93fc097bfc7ba17e9ba14006a3e789
Instruction ID: 117adc68032b80bc1f2d7b0b43c3a5d86af092c1fc25fd11ba6336bbe77c5d55
Opcode Fuzzy Hash: aab35433f8e28754d7f7d86c19bda4220a93fc097bfc7ba17e9ba14006a3e789
Instruction Fuzzy Hash: D1E0E2B4C6526ACFCB25DFA0C945AEDBBB0FB48350F504896C815AA600E7708B848F50

Uniqueness

Uniqueness Score: -1.00%

Function 07485089, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1f65afd76bd5d8fd9cf5adb2c1b452a20526db2b2c3ce5406097ca2a3ae5f8
Instruction ID: a481a47035ecc593a8489460f68ecd9cc7c942872fabba3f9a414b495f8b4d37
Opcode Fuzzy Hash: cd1f65afd76bd5d8fd9cf5adb2c1b452a20526db2b2c3ce5406097ca2a3ae5f8
Instruction Fuzzy Hash: 4CD0C9BA814378CECF659F3099803ECBAB0AB61761F5408E7814DB2180D6784BC9DE50

Uniqueness

Uniqueness Score: -1.00%

Function 03201919, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf96b9a401ee9f88cf454c24ee72adf5763340a7db9b49ba4987211fd204dc4
Instruction ID: 4b1d513528d83e4fd56f5344b9574d357b33fbd5be44b0ae2da6609167c05cb8
Opcode Fuzzy Hash: 0cf96b9a401ee9f88cf454c24ee72adf5763340a7db9b49ba4987211fd204dc4
Instruction Fuzzy Hash: 6CE0B670920119DFCB64CF60D859AE9B771BB45321F0184E5960EA7254DB705A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0320196A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ff1e8dcfe8299fb7b09faee8554a0756d0fd2723f169cd33b5f0345f15cb61
Instruction ID: 6034316f4f7f5074423dd7c3c73ada199f2e5a7d4281d70315eadece59ab4b15
Opcode Fuzzy Hash: 74ff1e8dcfe8299fb7b09faee8554a0756d0fd2723f169cd33b5f0345f15cb61
Instruction Fuzzy Hash: 21C01235E152449FCB10DFA4E0444DC7BF0EF8A221B411493D114D7110D2309518CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0320099E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9677e3fb0230eaeace8a2ca72aa9a7b91cdf41ddae2d512105627acff67c6dd0
Instruction ID: c47e491f40ad9a415148cf6f4a259d99b6d0aead6ce3b4fd067d3e30e80a1489
Opcode Fuzzy Hash: 9677e3fb0230eaeace8a2ca72aa9a7b91cdf41ddae2d512105627acff67c6dd0
Instruction Fuzzy Hash: 75E0B6709151598FCBA4DF20C884AEDFBB1AB44301F0090E5891DAB255DB705A818F90

Uniqueness

Uniqueness Score: -1.00%

Function 0748509D, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e520c4253bcd11a7343b77bb9934a1fd1b900ff01ef9807fce624639f82f3d
Instruction ID: 43a869bf2b89541504348fb546fbc31ff251d3e9b7b61d87ae33aaf501a45c3b
Opcode Fuzzy Hash: a9e520c4253bcd11a7343b77bb9934a1fd1b900ff01ef9807fce624639f82f3d
Instruction Fuzzy Hash: 6ED06CB59052A98ECB64DF24C8847EDBBB0AB50351F1044DA880976241C7784FC1DF40

Uniqueness

Uniqueness Score: -1.00%

Function 07482C38, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576f5f10e6bca9b0ddc55eae1b05d7cf38347d743618f4cb2592d0bb3ec0408d
Instruction ID: ee1d42c76bf28931c506e02aef9272846bccac61cd303b18a75c7c259ba19e62
Opcode Fuzzy Hash: 576f5f10e6bca9b0ddc55eae1b05d7cf38347d743618f4cb2592d0bb3ec0408d
Instruction Fuzzy Hash: 1FC08C708661089FC350CF60E5849AEFB32FB4F301F2124169012EB088C7309904CB08

Uniqueness

Uniqueness Score: -1.00%

Function 03201507, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2448add551d0ea01afc987981c9f34d5a12b7f693364b4042d1b3140d51db427
Instruction ID: 9b0d91b956b0a97428124601216e2118a7461196a727d3cc188f7a7936f80a91
Opcode Fuzzy Hash: 2448add551d0ea01afc987981c9f34d5a12b7f693364b4042d1b3140d51db427
Instruction Fuzzy Hash: 8DD0A938812105CFC314CB60C898DE9BBB4FB88301F4045A4C009AB340E3705AC8CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 03201778, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a910448a6c94dacea6d68881652678ce97d1811519e3cc1a7af436e3639441
Instruction ID: 9a138ca5d83722794fbfa6446fbe85c0ce8e659be019ff6fc3cc14aa39b19b42
Opcode Fuzzy Hash: 72a910448a6c94dacea6d68881652678ce97d1811519e3cc1a7af436e3639441
Instruction Fuzzy Hash: 9ED012349162158FDB54CF60C559BEE7771FB44311F1554B480099B295DB705B81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03202FC4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3978e55ec1770ea99b8eca5cadf408ed960f6da6ef2a3e908395b5615a3b40
Instruction ID: 8a11af1dedd582c7b3a1b53ec704ae4973aaa338d8d1db092f1b7b28ae35e60b
Opcode Fuzzy Hash: 1f3978e55ec1770ea99b8eca5cadf408ed960f6da6ef2a3e908395b5615a3b40
Instruction Fuzzy Hash: ACC08C3092A225CFC7A4CF20E8A869DB730EB4F300F408AC5C00E9E099CB709A85CF12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0320ED40, Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

9;V9, xrefs: 0320EEDA
"_R1, xrefs: 0320EDE6

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: "_R1$9;V9
API String ID: 0-2682008883
Opcode ID: 9576672d743241460541cb827a97dd2d93bae3aa27d79012f3cd578d7e0209a9
Instruction ID: 1bd569ceb287093a102d2fe9c9c9a132b33e5ad458d49b3cf5ee33be7d69d4d4
Opcode Fuzzy Hash: 9576672d743241460541cb827a97dd2d93bae3aa27d79012f3cd578d7e0209a9
Instruction Fuzzy Hash: C9611274D25609DBCF08CFAAC5419AEBBF1FF88200F50992AD425BB251D3389A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0320E5A0, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

rW5, xrefs: 0320E631
+s/, xrefs: 0320E5DD

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: +s/$rW5
API String ID: 0-1787962815
Opcode ID: a82513c43d8a40e24c38739db5d7de2969c88c369d66984e8f3a5867a99cce62
Instruction ID: 86525cdc86ffe85be2ca7553e225912f088184530654a08fcd5cd4f5087087b1
Opcode Fuzzy Hash: a82513c43d8a40e24c38739db5d7de2969c88c369d66984e8f3a5867a99cce62
Instruction Fuzzy Hash: 8E511774D25619DFCB04CFA8D5808AEFBB2FF48300F118965E415A7342D770AA84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07484538, Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

Jp5, xrefs: 0748590F
Jp5, xrefs: 07485905

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID: Jp5$Jp5
API String ID: 0-132139368
Opcode ID: 7078278626e6da95f26f18b217c5e1e4e28062f62b4a0c9e65f3ae6afc5941ad
Instruction ID: c3b4f4b2b2427ea31406130f3618ef14320d5140576dd6573f5869f820825661
Opcode Fuzzy Hash: 7078278626e6da95f26f18b217c5e1e4e28062f62b4a0c9e65f3ae6afc5941ad
Instruction Fuzzy Hash: 61511BB0E0412A8BDB68DF69C9547DEFAF2FB89300F1084FAD51DA7614EB305A959F00

Uniqueness

Uniqueness Score: -1.00%

Function 0320E840, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

9,^k, xrefs: 0320E920

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID: 9,^k
API String ID: 0-1667768249
Opcode ID: d87c94ede7755679580179cbbd8458da812cb48b31d5567cf1af2364954215e4
Instruction ID: 888c346e93ceebb7c929f0796a50c05028cfe3d4d70dc47c4ffe09b87c22286e
Opcode Fuzzy Hash: d87c94ede7755679580179cbbd8458da812cb48b31d5567cf1af2364954215e4
Instruction Fuzzy Hash: 37513671D2520ADFCB04CFA8D581AAEFBB1BF48300F119956D480B7251D374AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07482006, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915165f6f3debba89c7d5533b782f2cf80daa286f5e6df23787d30cd99ade43c
Instruction ID: fe7f2dc82564d30630afc16222b3e538c36e385452db4b3c56c3509a30ca7ea9
Opcode Fuzzy Hash: 915165f6f3debba89c7d5533b782f2cf80daa286f5e6df23787d30cd99ade43c
Instruction Fuzzy Hash: B8A136B4D04259DFCB54DFA9C5805ADFBB2FF8A304F2485AAD464AB306D3749A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07481FEC, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad085875e5bc044459c0aa57023a6a07370afff556df848f6902eff3427c34af
Instruction ID: c7a7fc08505063e89524a5a5456836ef0ccea8da3045dc1759e8a95a269c70cb
Opcode Fuzzy Hash: ad085875e5bc044459c0aa57023a6a07370afff556df848f6902eff3427c34af
Instruction Fuzzy Hash: 5CA126B4D04219DFCB54DFA9C5809ADBBB2FF8A304F2485AAD425AB305D3749A42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 07482028, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c7a5d63adbc355da3b37fcf290f811e31951093077da53597a323160576628
Instruction ID: 3054a0e1b35523b39492ef4a84093ba7b9c11e656a7856878598b90cce966e72
Opcode Fuzzy Hash: 09c7a5d63adbc355da3b37fcf290f811e31951093077da53597a323160576628
Instruction Fuzzy Hash: A9A148B4D04219DFCB54DFA9C5805ADFBB2FF89304F2482AAD425AB305D374AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07482F88, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2964b78d5f4b1a23df12bfbeafc1a40ea5571f9124054031c27c80fd318a99e0
Instruction ID: d9f200c6f4c2f524265277e932e40740ecc0d382bd2f711a0ba61a6b26ce4514
Opcode Fuzzy Hash: 2964b78d5f4b1a23df12bfbeafc1a40ea5571f9124054031c27c80fd318a99e0
Instruction Fuzzy Hash: E39123B4D14218DFDB54DFA9C980AADFBF2FB89304F20856AD419AB315D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07482F78, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42079d602823b74703a9ced35fae8221d0e72483a0e914fde710786be713bc4d
Instruction ID: 898c8528473b95f59748e512611e34e9b4d088fb2557e819829348e30517c70f
Opcode Fuzzy Hash: 42079d602823b74703a9ced35fae8221d0e72483a0e914fde710786be713bc4d
Instruction Fuzzy Hash: 148142B4D04218DFDB44DFA9C980AADBBF2FB89304F20816AD419AB355D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07483F88, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21e32730b711e5f0fc5ab27e261d88d84ccfdb22e84d63f660a8e963f4c90c4
Instruction ID: 1b83ae256677bc342a4fa2ebc149cb104f1e239df9d00b7eecd61252cd7e0175
Opcode Fuzzy Hash: f21e32730b711e5f0fc5ab27e261d88d84ccfdb22e84d63f660a8e963f4c90c4
Instruction Fuzzy Hash: C06105B4D5921ECFCB84EFE5D5805EEBBB1FB8A700F10A82AD515BB204D7345A02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 07483F78, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52baf15ed57d70d60777a36ab6f4d1192d53ec183bd34f013a3d00719d3835c
Instruction ID: 09d988fdbefd3ed95c8ab66d01260e93aa802c1cba125ade5ba79063f16172ee
Opcode Fuzzy Hash: f52baf15ed57d70d60777a36ab6f4d1192d53ec183bd34f013a3d00719d3835c
Instruction Fuzzy Hash: 156116B4D5921ECFCB44EFE5D5805EEBBB1FB8A700F10982AD515BB204D7349A02CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0320DB28, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42e45b51bc80c20b36f2070b69867d1f0a52d240e062e83b67d151e638790a1
Instruction ID: 1e6603f2481c537546474a3ba68554bf481e5cd7fad90b24b4229572ba29c2db
Opcode Fuzzy Hash: a42e45b51bc80c20b36f2070b69867d1f0a52d240e062e83b67d151e638790a1
Instruction Fuzzy Hash: 2261CF74E25209DFCB44CFA9C084A9DFBF1FB49310F14D5AAD815AB261D334AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0320B998, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f45d05b941bdd322634e1f90fc88ca66fcb8d5d52cd5a507264b91392ffd801
Instruction ID: 0f6d4a5279682671b93474b4eeab8aa404cb83b0e81f25240909ab46f4493d67
Opcode Fuzzy Hash: 4f45d05b941bdd322634e1f90fc88ca66fcb8d5d52cd5a507264b91392ffd801
Instruction Fuzzy Hash: 94513374D2020ACFCB14CF99C6809AEFBF1FB48310F25965AD405BB246C374AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07481A90, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28a6dbc0b73850f4e12f2846bc9d394942c349a050d5b9fee69ac67a75dde36
Instruction ID: 82bfcebac819d7f5681a6190d5a52d4e1d46fd103d681db6ffc1c2f3576e8ae0
Opcode Fuzzy Hash: b28a6dbc0b73850f4e12f2846bc9d394942c349a050d5b9fee69ac67a75dde36
Instruction Fuzzy Hash: FF51F1B0D1421DDBCB54DFAAC5805ADFBB6FB89304F24C66AD415AB305D7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07481A7F, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74a80c0a90ff96861722f7ba7abced690bbd47011ec5338833abeea43c5806c
Instruction ID: 3426a29d8f4d04a4fc6672c07f43c8c9272516967084e5888a2e5ae92902757c
Opcode Fuzzy Hash: d74a80c0a90ff96861722f7ba7abced690bbd47011ec5338833abeea43c5806c
Instruction Fuzzy Hash: 3A5110B0D1421DDBCB54DFAAC5815AEFBB2FB89304F24C56AC415AB345D3389A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07484529, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb0b3dad00785d78e68328260a1ef6fac4276872669276f2d0ce0178b97e1f8
Instruction ID: d5af7aa8662692386f263a2d7512b2c852c428c4fd9514df2dfa04dc515fe93a
Opcode Fuzzy Hash: dfb0b3dad00785d78e68328260a1ef6fac4276872669276f2d0ce0178b97e1f8
Instruction Fuzzy Hash: 88411FB0D0021A9FDB68DF69C95479EBAF2FB88300F51C5FAD51CA7254EB305A859F40

Uniqueness

Uniqueness Score: -1.00%

Function 0320EB48, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8f21d71d523deb9f97f43c93d8e0491d35814e8d5f48189bb6118d5da45112
Instruction ID: 4dd9ba527250c83a6ce056193ef0321cefae42a3452ab253015eebfa96305959
Opcode Fuzzy Hash: af8f21d71d523deb9f97f43c93d8e0491d35814e8d5f48189bb6118d5da45112
Instruction Fuzzy Hash: BD410875D1560ADBCB04CF96C5814AEFBB2FB88310F11D869C022BB285D3749685CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0320EF90, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887ae48fd34b853ab70c0c95f9c0fa4b289ff6bb902ce2a001f70af3a302491a
Instruction ID: 2980f7188539aa8e91d689e899d8386003ab755871be51a1cc5580edd5728619
Opcode Fuzzy Hash: 887ae48fd34b853ab70c0c95f9c0fa4b289ff6bb902ce2a001f70af3a302491a
Instruction Fuzzy Hash: 6E4127B1D2560ADFCB04CFA9C5814AEFBF2FF88300F20946AC415BB245D3709A85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03206247, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1ef42d73fab7bf54c10726dfe824ad3706c83d0109d02778da8065f8c854b8
Instruction ID: cee969a4a0871bc2d36f2c7c823d0f98cc8700cc0a55c9921302ed6b2e6e81f5
Opcode Fuzzy Hash: 7e1ef42d73fab7bf54c10726dfe824ad3706c83d0109d02778da8065f8c854b8
Instruction Fuzzy Hash: 644183B1D116188BEB19CFA6C95439EBBF2BFC8304F14C16AC418AB295DB79094A8F50

Uniqueness

Uniqueness Score: -1.00%

Function 03206258, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322411449.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3d20df7263df92216d7b7dd2080bfb0ca0775f8593f7972eb5bade8f15cc3a
Instruction ID: 5d60226d53193ec6def5f433ff8d7400f0efca8ac43cf607bd21a62fbfcc5af9
Opcode Fuzzy Hash: db3d20df7263df92216d7b7dd2080bfb0ca0775f8593f7972eb5bade8f15cc3a
Instruction Fuzzy Hash: 283164B1D116188BEB18CFA7D95439EFAF7AFC8304F14C169C5186B294DBB506498F90

Uniqueness

Uniqueness Score: -1.00%

Function 07480550, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe06a0dfae279d61313da47bf3777a1906965ab6fe5f2b997b26eb3572b5d033
Instruction ID: 7d4a1b8c46224b3e73303372425fbc8823a5395f47cfb07800112c38fbaf2874
Opcode Fuzzy Hash: fe06a0dfae279d61313da47bf3777a1906965ab6fe5f2b997b26eb3572b5d033
Instruction Fuzzy Hash: A311C5B0E15609CBDB58CFABC94059EFBF7BFC9200F64C17A9818AB254DB7446069F90

Uniqueness

Uniqueness Score: -1.00%

Function 07480B20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25bde422b10dfa73c2c37964abdd03c2a4b5abd10796ceab1404c90284a48c7
Instruction ID: 346783ee37d38f340430f04768b5ff22acd79c9baf609e29688ef9334d182a24
Opcode Fuzzy Hash: a25bde422b10dfa73c2c37964abdd03c2a4b5abd10796ceab1404c90284a48c7
Instruction Fuzzy Hash: 2B1109B1D0420DCBDB58DFAB89056AEFBF7ABC9200F24C17A8418A7215E73446029F80

Uniqueness

Uniqueness Score: -1.00%

Function 07480540, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fc7fa71a3a4c64ccc9069ff83dbb77cb6b003c040f2010cfb3dffbbbc415e5
Instruction ID: 67c49888393e7d6fdae86c8fca9a847df9aaf990e494d9cb6f6b4a6fc135501f
Opcode Fuzzy Hash: 74fc7fa71a3a4c64ccc9069ff83dbb77cb6b003c040f2010cfb3dffbbbc415e5
Instruction Fuzzy Hash: 7B1105B1D056098BEB58CFABC90029EFBF7BFC8300F54C13A8418AB254EB3446059F90

Uniqueness

Uniqueness Score: -1.00%

Function 07480B19, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.331053036.0000000007480000.00000040.00000001.sdmp, Offset: 07480000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4eeb1f34cf42c7e9d4eae840bfc40113bd4fb9aaeac546f63418f96028f66ed
Instruction ID: 164ecfbd48ee9e83fae550771f53e684f62a457ca69ba8f9a11c523610570b71
Opcode Fuzzy Hash: b4eeb1f34cf42c7e9d4eae840bfc40113bd4fb9aaeac546f63418f96028f66ed
Instruction Fuzzy Hash: A101E9B1D00609CBEB58DFAB890569EFBF3BFC9300F24C03A8414AB215E73456059F95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CONTRACT.exe PID: 6168 Parent PID: 6344 CONTRACT.exeCOMMON

Executed Functions

Function 04EEAF31, Relevance: 2.2, Strings: 1, Instructions: 910COMMON

Download Yara Rule

Strings

r, xrefs: 04EEBA2C

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e154a64b9c40dd88e6463c0fefe0a8d87fbe05cac5de1833c1206c8fec95a211
Instruction ID: dfde6ec39852456268c28f0db4dc55150b8942beae7ce4e94d0734c75908593f
Opcode Fuzzy Hash: e154a64b9c40dd88e6463c0fefe0a8d87fbe05cac5de1833c1206c8fec95a211
Instruction Fuzzy Hash: 36824770A00615CFCB14CFA9C580AAEBBB2FF88310F158A69D55AAB751D730F985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 050427E8, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504289B

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: ce8f6a9b0ea17c64762a78dc3daea71e60dcf1a7a367911a4c9395e210683575
Instruction ID: adbaa0a496d78c8482f485c2b86d05c8dd0e76dffd194c152d5da0b98e42af72
Opcode Fuzzy Hash: ce8f6a9b0ea17c64762a78dc3daea71e60dcf1a7a367911a4c9395e210683575
Instruction Fuzzy Hash: D6315EB550E3C05FD7138B249C54B56BFB8AF07210F0984EBE984DF1A3D264A449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050412B3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05041333

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3b57103c9c54a3655f39144e18c24de2e6d20056646e785e6e1bec939b563ed5
Instruction ID: 61d12afe1c3321f1ab8ca64695e92af3cf947f0388f7552f395a2501880294c6
Opcode Fuzzy Hash: 3b57103c9c54a3655f39144e18c24de2e6d20056646e785e6e1bec939b563ed5
Instruction Fuzzy Hash: 0C21D1B6509384AFDB228F25DC40B56BFF4EF06310F0884EAE9858F563D270A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050414EF, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05041565

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c236e10cc30de735a19b9e04d3e2c7f956c62e2c125d603391458df47e243aeb
Instruction ID: 569d5047bc97e88bfb645f4063e0a9a2df3abcb61b28750c5d72800c3eca0f8c
Opcode Fuzzy Hash: c236e10cc30de735a19b9e04d3e2c7f956c62e2c125d603391458df47e243aeb
Instruction Fuzzy Hash: 9E21C0B14097C09FDB238B20DC45A62FFB4EF16314F09C0DBE9858B163D265A50DCB62

Uniqueness

Uniqueness Score: -1.00%

Function 0504283A, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504289B

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 0d5c7567f9dce04b47621963045ced12117321e4724bdc6c645777a109be46e9
Instruction ID: fa19143b8c7e3c3358cc7049c6b2fc10e5ef344ff5394d022b5ece2fa9ec1836
Opcode Fuzzy Hash: 0d5c7567f9dce04b47621963045ced12117321e4724bdc6c645777a109be46e9
Instruction Fuzzy Hash: 771190B5A01204AFE720CF55EC84FAEBBE8EF44710F1484BAEE499B241D674A444CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050412EA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05041333

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 14e86a93762d54371a0eee9526412bb2455ba32077ba4a3190f43dd84009bb9a
Instruction ID: 1ae71ad31295ade4d8e6cb5b6932e2a80e171849c3548f2166c6ea4348475098
Opcode Fuzzy Hash: 14e86a93762d54371a0eee9526412bb2455ba32077ba4a3190f43dd84009bb9a
Instruction Fuzzy Hash: D1115EB5A002049FDB20CF55E844B6AFBE4EF04621F08C4BAED498B652D271E458CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05041012, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05041044

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6c3b7983149377a0f30fa444223ed7446078cb5fd13a428e66272a1b4b17b9b6
Instruction ID: cc3163b90ec3aba8a92125a97f5fe7cdf590d7d981544f3c66d0696af6f4fccf
Opcode Fuzzy Hash: 6c3b7983149377a0f30fa444223ed7446078cb5fd13a428e66272a1b4b17b9b6
Instruction Fuzzy Hash: 7401ADB09002849FDB10CF15E88876AFFA4EF44320F08C0BADD588F286D2B5A444CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0504152A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05041565

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 643870d67db917ab9b343fefd14a6d56d45987bdcc1dde84f29e563f76580750
Instruction ID: 8b279de58d45d90408311078151e5d712e7ce732b05ecbab32a158b6e2d4edd1
Opcode Fuzzy Hash: 643870d67db917ab9b343fefd14a6d56d45987bdcc1dde84f29e563f76580750
Instruction Fuzzy Hash: 2E018FB1410680DFDB20DF15E885B69FFA1EF48720F08C4AADD9A4B252C275A458CF62

Uniqueness

Uniqueness Score: -1.00%

Function 04EE3850, Relevance: .8, Instructions: 764COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf2b9667c9f6ce778f3dbab42533900288da4650b71b3f3b16e3b9e0a863a1b
Instruction ID: be77805c96f0a919b1bcb0f69eed930ad0ac023a0fc50e25d9501bf60f46dbe8
Opcode Fuzzy Hash: 4bf2b9667c9f6ce778f3dbab42533900288da4650b71b3f3b16e3b9e0a863a1b
Instruction Fuzzy Hash: 7352D171A04215CFCB15CF69C8809BABBF2FF85304B2985AAE9199F256D731FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE86A8, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d204b6b8d74c48ce54ba2fbc7d4bacc05fce2adf9d94280b4e7607cae9e3f9db
Instruction ID: d9ea1234bba62f73f079438736251b94b09c198cac0e0b44ccc06cdabff802ee
Opcode Fuzzy Hash: d204b6b8d74c48ce54ba2fbc7d4bacc05fce2adf9d94280b4e7607cae9e3f9db
Instruction Fuzzy Hash: 3112AB31A00A15CFDB24EF7AC4802BEBBF6BF85304F65956AE4169B354EB74E841DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04EE23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f990792b6af94a8010a4b10e517aae8271bf5d1680b96f2f7437b5d6be5fe7
Instruction ID: 2772af55c3553e410586dc5591d476c5ed715df04419c3f7ef9e9320ae74b2c1
Opcode Fuzzy Hash: b8f990792b6af94a8010a4b10e517aae8271bf5d1680b96f2f7437b5d6be5fe7
Instruction Fuzzy Hash: 0A12CC31A00296CFCB24CF6AC9847BDBBF6BF88304F1491A9D246DB355EB74A945DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04EE92A8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7696eabf2051b5e717f6a71aad9c7c090eb1d4ce6b92a87c144f96d3ebdabad
Instruction ID: 2b2f570c5cb927cf2ad1c4b68d637925a3f128fd83da04ff40f06f09b77cba5b
Opcode Fuzzy Hash: c7696eabf2051b5e717f6a71aad9c7c090eb1d4ce6b92a87c144f96d3ebdabad
Instruction Fuzzy Hash: 0F815DB1F015159BD714DB6AD880AAEBBF3AFC4310F2A8565E415DB3A6EE31EC018790

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa56fab41c8f909d3d63d820dca09fa0c1457ef0e8658f30f1713a8f30e03dc
Instruction ID: b6b94c562975ee71053678d8e5a7dedfaa01f7fb7773181c273c64ab27cbdd4e
Opcode Fuzzy Hash: 2aa56fab41c8f909d3d63d820dca09fa0c1457ef0e8658f30f1713a8f30e03dc
Instruction Fuzzy Hash: 9B815D72F011159BD714DB6AD854AAEBBF3AFC8310F2A8475E815EB355DE31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC6D8, Relevance: 2.6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

=?q^, xrefs: 04EEC723
-?q^, xrefs: 04EEC744

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: -?q^$=?q^
API String ID: 0-3871980776
Opcode ID: aad88e49ec2a214f5d9b345493460f84c3e512e1b76ae911b2296529f282a0ff
Instruction ID: fc4eda9e26d45aefa188c9429e998c5de2dbdd3c61199531ce3566416bb15ed3
Opcode Fuzzy Hash: aad88e49ec2a214f5d9b345493460f84c3e512e1b76ae911b2296529f282a0ff
Instruction Fuzzy Hash: 4D119170308651CBC318A73AC1541BEBBA69FD27147A4986EA04B9F381EF75FC029B52

Uniqueness

Uniqueness Score: -1.00%

Function 05041670, Relevance: 1.6, APIs: 1, Instructions: 125networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 05041766

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: a22d3d1f94b14dfd980c88fd32b5dfa2329a5b2d6afa7134c75d2120d3d2d777
Instruction ID: ad171deb489fb48066deb0e74b2e8645c57fee08f095d4ee3b25277e88b066bb
Opcode Fuzzy Hash: a22d3d1f94b14dfd980c88fd32b5dfa2329a5b2d6afa7134c75d2120d3d2d777
Instruction Fuzzy Hash: 6741346550E7C06FD3038B359C65A61BFB4EF47624B0E85CBD884CF5A3D258A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05040D08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05040DAB

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e924854c2227056e78a796b2a3f6aec74a280022e50d51355e5fd47e16aa404
Instruction ID: 4e93a1e30415c942ac16e196a5b9ef20bc88e8bb770d8f8e4c049d9969e4226a
Opcode Fuzzy Hash: 5e924854c2227056e78a796b2a3f6aec74a280022e50d51355e5fd47e16aa404
Instruction Fuzzy Hash: 7B31B3B15043446FEB228B65DC44F67BFECEF05320F0488AAF985DB152D264A519DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05040A9B, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05040B6A

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 61e725f6a601e24f38bf5b660b83a70b56c4eee42e780037e701a5abb20d6558
Instruction ID: 6114a12f976050c4eb7426b72037a96e690ed27add28b61e427b171d4df40f45
Opcode Fuzzy Hash: 61e725f6a601e24f38bf5b660b83a70b56c4eee42e780037e701a5abb20d6558
Instruction Fuzzy Hash: 5A315C6140E3C05FD7038B358C65B62BFB4AF47614F0A81DBD8849F5A3D6246919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05040390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0504045E

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8121c17a472e61d3e961f025b784f84bd4b4645760fe104a1b9a40fd1cf1ba82
Instruction ID: 46dd902bb1f05bb2482537c82ba5e21c208b09494ea3136c211f21a5b70fac8b
Opcode Fuzzy Hash: 8121c17a472e61d3e961f025b784f84bd4b4645760fe104a1b9a40fd1cf1ba82
Instruction Fuzzy Hash: B731F5B1004340AFE7228F20CC45FA6FFB8EF05310F04859EFA859B192D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050407F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05040899

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9b8423e3242cdc1456580aad6843f95862fcd886026ec72c2dbdc931ce0fffc9
Instruction ID: c7c95e457d1eaf9599e53cea959d47dffc2382f59b758e80035dcb0e8c6ad6a7
Opcode Fuzzy Hash: 9b8423e3242cdc1456580aad6843f95862fcd886026ec72c2dbdc931ce0fffc9
Instruction Fuzzy Hash: 75318DB1504380AFE722CF65DD44F66BFE8EF05210F0884AEE9859B252D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05040E09, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040EAC

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: a4cec38afa61efff141e9cd60cbf8a0ee7891963f37d07550f2ef0fcce252a9f
Instruction ID: d3f79e1059dc3864bd1f2bd7c9078687fccce035eba9f38baf5f303465c22bd5
Opcode Fuzzy Hash: a4cec38afa61efff141e9cd60cbf8a0ee7891963f37d07550f2ef0fcce252a9f
Instruction Fuzzy Hash: 8D31E8715093C06FE712CB25DC55FA6BFB8EF47710F0984DAE9848F1A3D664A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 05042570, Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504260D

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8b4e4d9d95f3ac0085fbea218598afb268e706281bf349161231e12ec05a5bd7
Instruction ID: ee17d0f3f45b59269ec48a1515c81d34aecd0a639af3e0a0773bd4ffb8f9f330
Opcode Fuzzy Hash: 8b4e4d9d95f3ac0085fbea218598afb268e706281bf349161231e12ec05a5bd7
Instruction Fuzzy Hash: FE31D9B65093806FD7128F64DC45FA6BFB8EF06310F0884AAF985DF153D264A545CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05042ACF, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05042B85

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e62f4c06477a354839ca14c34d7786edde9ccea32e52315dd3836f65cac06d47
Instruction ID: 4938864b08c16a73bee359c30f9391145e7b3565874a36ff4f7e7503352d3a26
Opcode Fuzzy Hash: e62f4c06477a354839ca14c34d7786edde9ccea32e52315dd3836f65cac06d47
Instruction Fuzzy Hash: A0316F7650D3C05FD7038B258C65A56BFB4EF47710F1A80DBD984CF1A3E6646909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 050400F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0504019D

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e04c0aa800a383b148b59d14a6386b7a73793effa6980fc85214a554481aca9
Instruction ID: ece6e3fb9a8048ccbc6b8964cc627569c494ab6b244f5d66f2cf51ca1a4308c0
Opcode Fuzzy Hash: 9e04c0aa800a383b148b59d14a6386b7a73793effa6980fc85214a554481aca9
Instruction Fuzzy Hash: BB31A1B15097806FE712CB25DC84B56FFF8EF06210F0884AAE984DF292D364A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05042104, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 050421B6

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3bf4c8ecec313a8634dfef9a51a2112a9a37ba65eade8fcdb95604419c354bee
Instruction ID: af21f0c8fde85f10f7abbdb17460410b46e8ab9fe9922a96841e1efdbc341309
Opcode Fuzzy Hash: 3bf4c8ecec313a8634dfef9a51a2112a9a37ba65eade8fcdb95604419c354bee
Instruction Fuzzy Hash: CA31C4B2404780AFE722CB55DC45F56FFF8FF05320F08859AE9849B162D364A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050404AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504055C

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9d256ffbf4ecd89ef2d8ca5c39a9eecb8c134cdb5865f6a1c714bd1847c88df7
Instruction ID: 7a7f3f9d1746cdcfe9e827dcd1cfebc0c9faff5fc55cbd4becb7460c8845bf16
Opcode Fuzzy Hash: 9d256ffbf4ecd89ef2d8ca5c39a9eecb8c134cdb5865f6a1c714bd1847c88df7
Instruction Fuzzy Hash: 5831A2B15093C0AFD722CB65DC84F56BFF8EF06310F0884DAEA859B162D264E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05040D2E, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05040DAB

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6d155dba2d4e5eec21532f56639d133f53a7aabb66495aa5f5f1b1d56c03e9aa
Instruction ID: bc6a0aa6bd4406ecd9d9d193661acde7aa4c70f88b7c615e4cc68e635bb458ad
Opcode Fuzzy Hash: 6d155dba2d4e5eec21532f56639d133f53a7aabb66495aa5f5f1b1d56c03e9aa
Instruction Fuzzy Hash: F221A1B2500604AFEB21DF69DC85F6AFBECEF04320F14886AEA85DB151D670E5188B71

Uniqueness

Uniqueness Score: -1.00%

Function 050402AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05040353

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1a08ead13c39722e2ac2c33b32421c8f226871a80a218917b13e71a034a3a18f
Instruction ID: 083840b94bf8289f490723640c009e0b8f32b6f6083ec51179eca6095632fdd3
Opcode Fuzzy Hash: 1a08ead13c39722e2ac2c33b32421c8f226871a80a218917b13e71a034a3a18f
Instruction Fuzzy Hash: 2621A6754093806FE7228B20DC45FA6BFB8EF06310F0884DAF9849F192D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05042022, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 050420AD

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 2d49f0446cbea4decc5352ea88ad5112b8b4567aac57c82563867968d3121488
Instruction ID: 7e6e2c0034fe2390a83c143af99397ce2c22d9d2f43fc70a152a02a218e67515
Opcode Fuzzy Hash: 2d49f0446cbea4decc5352ea88ad5112b8b4567aac57c82563867968d3121488
Instruction Fuzzy Hash: 9021A1B1509380AFE721CB65DC45F66FFF8EF05310F0884AAE9859B252D375E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05041792, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0504181E

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 55714e5ffe01ac174f1e76e03b40a0a1cfa05b0a34ab38d98c4c7fb548998937
Instruction ID: 3ee71445e5cbda31ba7e639c791a9f994bb8996d5206836d8c3b726c50d0c872
Opcode Fuzzy Hash: 55714e5ffe01ac174f1e76e03b40a0a1cfa05b0a34ab38d98c4c7fb548998937
Instruction Fuzzy Hash: FE216B71505780AFE7228F65DC45F66FFF8EF05210F0884AEE9859B652D365A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0504081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05040899

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 30d0116303b2919fdf361cf85d282ae061857ad0e6788d12deb8fdb37f5eb588
Instruction ID: d9b547e662927c18f5a59c0b08fabcf0c996f39409bffbd2fa3b9b1256b6eeef
Opcode Fuzzy Hash: 30d0116303b2919fdf361cf85d282ae061857ad0e6788d12deb8fdb37f5eb588
Instruction Fuzzy Hash: E5218EB1500240AFEB21DF69DD49F6AFBE8FF08310F14846EEA859B252D771E404CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050408F0, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040985

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b2ce8b4aea82144851564912ce2f8bb60fa18ce8989d253ee1df14742174aba9
Instruction ID: 8e8fe8e1a45b4feaa072b3fa397e5e1974e6f16580d0ddf773a873cd7f39e168
Opcode Fuzzy Hash: b2ce8b4aea82144851564912ce2f8bb60fa18ce8989d253ee1df14742174aba9
Instruction Fuzzy Hash: 1E2107B54087806FE7128B25DC45FA6BFB8EF46720F08849BED849B153D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 050409C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040A51

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 682bcb41c2c4d0dd9abafdc35a71dd7a830f6b987b37b7b399e2e0055150b711
Instruction ID: f9efbf839af22d7022a8255fd229ec330f3d2e2834c0252343b65d4346795bb0
Opcode Fuzzy Hash: 682bcb41c2c4d0dd9abafdc35a71dd7a830f6b987b37b7b399e2e0055150b711
Instruction Fuzzy Hash: E72174B15093806FD7228F65DC44F56BFB8EF46714F0884ABEA849F153C265A419CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050403CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0504045E

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2fdaa9b61e8833b4c31c4bc780c0c56276a2a48bb51bd50b89361b41fe3db34e
Instruction ID: 24be9007d5086750bef996c7c9683e254e634f811dc03a53fb814123bc44ce79
Opcode Fuzzy Hash: 2fdaa9b61e8833b4c31c4bc780c0c56276a2a48bb51bd50b89361b41fe3db34e
Instruction Fuzzy Hash: 3C21F5B1500204AFEB21CF15DC85FBAFBACEF44710F00896AFE459A181D6B5A408CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0504012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0504019D

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 67f4e3a7fc033a0f1cc3a31e46ddd8f0c44a024409d87e46855357fbcba0b7c4
Instruction ID: b82bf7f1cf181f33f3ef0da8e2a39d75d9a951a7bb92997ad129b75666d4af67
Opcode Fuzzy Hash: 67f4e3a7fc033a0f1cc3a31e46ddd8f0c44a024409d87e46855357fbcba0b7c4
Instruction Fuzzy Hash: 4B218EB1604240AFE720DF69DC89B6AFBE8EF04310F18846AEE499F252D770E504CA65

Uniqueness

Uniqueness Score: -1.00%

Function 05040F0F, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05040F9B

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0d2bfee01f36844875150244687c1a0eafec9295449d533ef89cdd007bab3e38
Instruction ID: 48e10cde53ae8523029bc4bd5a5eb0cf03ba4dd9f466886066da99f25eace3ff
Opcode Fuzzy Hash: 0d2bfee01f36844875150244687c1a0eafec9295449d533ef89cdd007bab3e38
Instruction Fuzzy Hash: 6521D8715043846FE7218B25DC85F66BFB8EF45710F1480AAFE459F192D364A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05040723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0504079F

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c60853cc70333b4066bfec6c073893b7dccc1484d6e06096a8780eb64e1453ab
Instruction ID: 3dd33827d95c5a514630adc28c0ef1af9561e1911dcb1bcb7aaee6c93dcfd136
Opcode Fuzzy Hash: c60853cc70333b4066bfec6c073893b7dccc1484d6e06096a8780eb64e1453ab
Instruction Fuzzy Hash: 0421B0B29093809FD752CB25DC58B56BFF8EF06210F0984EAE985DF153E264E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05042042, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 050420AD

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: b95473c7f5f67e488f948fa7077a3c361e526a73117abb19b490ab2c7ce80052
Instruction ID: ea0d0020287658d40d80d85ba0c5a0b8da04e5a58e06bd3253bfa0cb6d05afe8
Opcode Fuzzy Hash: b95473c7f5f67e488f948fa7077a3c361e526a73117abb19b490ab2c7ce80052
Instruction Fuzzy Hash: 0321D2B5604240AFE720DF69DC85F6AFBE8EF04320F14846AED498B242D771E404CB76

Uniqueness

Uniqueness Score: -1.00%

Function 05041380, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050413EC

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ae586144bba9f87974f8861b735a1af82f1c2becdc1a5e95aa5f9a47709b557c
Instruction ID: 9f2c54d54856929fb972037950c56af4f5c288e33fa669997bce319c898b0065
Opcode Fuzzy Hash: ae586144bba9f87974f8861b735a1af82f1c2becdc1a5e95aa5f9a47709b557c
Instruction Fuzzy Hash: D621C3725093C05FDB128F25DC54A92BFB4AF47324F0980EBEC858F663D2749948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05041435, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,0D64F1C6,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 050414A6

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8313630568de626ea642bba8cd365b656ca6e574b21b6f0c7e4441238d4e8d83
Instruction ID: 02ebc794d94c0b50b0899146f6d094aafa8d070b6be4ce2bce2e800410045def
Opcode Fuzzy Hash: 8313630568de626ea642bba8cd365b656ca6e574b21b6f0c7e4441238d4e8d83
Instruction Fuzzy Hash: D52180715093845FD712CF65DC44A96BFF8EF06210F0980EAED85CF163D264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05042142, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 050421B6

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 11dc8172707e8968d5ce78b7023524133cdfd087f24ce15449cbc9e278021861
Instruction ID: bd60f7fa7a69bcd5496a409b335fc6f706f8196a692dc64e1a6006883725105a
Opcode Fuzzy Hash: 11dc8172707e8968d5ce78b7023524133cdfd087f24ce15449cbc9e278021861
Instruction Fuzzy Hash: 3321A1B1500240AFE721DF59DD85F6AFBE8EF08310F04846AEA849B251D771B508CB75

Uniqueness

Uniqueness Score: -1.00%

Function 050417B2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0504181E

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: f764e463a96c69dbf818e403b4d05ed86b77b033e6a6adbea4815651114b3378
Instruction ID: d21fa69a8b45ec450ad70599ce3d08416ad86715afb77ff2e2b6ffb2877ae45a
Opcode Fuzzy Hash: f764e463a96c69dbf818e403b4d05ed86b77b033e6a6adbea4815651114b3378
Instruction Fuzzy Hash: 6821CDB1500240AFEB21CF65DC85B6AFBE8EF08310F04886EE9858B642C371A404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050404EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504055C

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 69eee804232a90bec966cde72eb249e7fc24dc1d9f51a36f5209ff18192f493b
Instruction ID: 991933d6575f123dd3d7b0f7f8a897e045740b5deb0922f772e1a3e535554816
Opcode Fuzzy Hash: 69eee804232a90bec966cde72eb249e7fc24dc1d9f51a36f5209ff18192f493b
Instruction Fuzzy Hash: 92117FB2500644AFEB20CE55EC85F6BFBE8EF04710F04846AEE469B251D760E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 050401F4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05040264

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 38c3650abbb1a5906287532c38666a01133c2e53f2d7d3081f4cc88149c79988
Instruction ID: 60bbd2e25bf5254712d810289300d01ed276f274bd3f79828209e9aea0f908e1
Opcode Fuzzy Hash: 38c3650abbb1a5906287532c38666a01133c2e53f2d7d3081f4cc88149c79988
Instruction Fuzzy Hash: E321C6B55057845FD711CF14DD49B55BFA8EF02320F0880ABED449F593D274A804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050425AE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 0504260D

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 160a70b42bcc17dcb0aeace42bfad91b94d3072bbf6fe63302db4bad95b3eef9
Instruction ID: 193c08b3c454a7605e1a3d570bacc9de9d51f1a6a05a2cc7cb5ed58a563a95b1
Opcode Fuzzy Hash: 160a70b42bcc17dcb0aeace42bfad91b94d3072bbf6fe63302db4bad95b3eef9
Instruction Fuzzy Hash: 941193B5600200AFEB21CF55EC85F6AFBA8EF44710F14847AFA499B151D674A444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05040E56, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040EAC

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4147bfbfa791995c2d5bb24cf90316fd79a5a2358f3045a1216daa839f43aa87
Instruction ID: 853d7b0c71b14b11ad0e29458f1f70f45b4097e9f5004c79934449725e3785d5
Opcode Fuzzy Hash: 4147bfbfa791995c2d5bb24cf90316fd79a5a2358f3045a1216daa839f43aa87
Instruction Fuzzy Hash: 9311A3B1904204AFEB11DF69EC85BABBBA8EF44720F14C47AEE45DF241D674A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05040F32, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05040F9B

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 25a778f3398779fed9edfc70602a5e124306798b8ed1daf050d271b9dca082ae
Instruction ID: 43e87d8a21600a3850867073fdfe64b6a64e6cc43e737a5aea2b915cef67a515
Opcode Fuzzy Hash: 25a778f3398779fed9edfc70602a5e124306798b8ed1daf050d271b9dca082ae
Instruction Fuzzy Hash: 8A1106B1600200AFF720DB19DC86BBAFBA8DF44720F14C07AFE459F681D6A4A5048E61

Uniqueness

Uniqueness Score: -1.00%

Function 050402DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05040353

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0bb29a988faee502fc2b916a3bb6ef17f508a520075207fc3869b5f9dac9dd09
Instruction ID: a18f70be9fd94cf8e9526f9e4222c6b687011f3667528dc54a067ffc5e7b9d6c
Opcode Fuzzy Hash: 0bb29a988faee502fc2b916a3bb6ef17f508a520075207fc3869b5f9dac9dd09
Instruction Fuzzy Hash: 9511BFB1500200AFEB31DF15DC85F6AFFA8EF04711F1484AAFE455A291C2B5A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050409F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040A51

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e3fd7a66889416c27d4fbbaea8a9e9dfbe9626f21376bae72010101aba0e239b
Instruction ID: d0ffa7205a07355f18e44853b25b8e4bca97cc572ec5b92214a2de0d5d9857c3
Opcode Fuzzy Hash: e3fd7a66889416c27d4fbbaea8a9e9dfbe9626f21376bae72010101aba0e239b
Instruction Fuzzy Hash: B911C4B1900200AFEB21CF55DC85F6AFBA8EF44710F14C46AEE499F141C774A414CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05041158, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050411B2

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c176c516ee7c3996a7ca15d8b472fbb8a333aa5557fc0b26b11d6bac51a52c93
Instruction ID: fdff964e084d54bf0846d10ed4b25a23dc49f6b9be488cb4d411342ee23d7193
Opcode Fuzzy Hash: c176c516ee7c3996a7ca15d8b472fbb8a333aa5557fc0b26b11d6bac51a52c93
Instruction Fuzzy Hash: C9114FB26003449FEB60CF19DC45B67FBE8EF44620F08846AED49DB252D370E444CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05040FDF, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05041044

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 724fe54d8b10b9530b233c29a5e6e4aad6ac6b3e27ca9c07a356fbbb1a47bec1
Instruction ID: 35c76beab8acb59606974030829456be9e08eecd7fcefcadfef6414f9871a655
Opcode Fuzzy Hash: 724fe54d8b10b9530b233c29a5e6e4aad6ac6b3e27ca9c07a356fbbb1a47bec1
Instruction Fuzzy Hash: D61160714093C49FD7128F25DC45B96BFB4EF06224F0984EBED888F163D275A549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0504116A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050411B2

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7a4f7e3618419489432e17d4625177a8ee59dbd0212839cc3d47afd3b0f5e842
Instruction ID: 9033e752294ef8a230d4ec7573f93fa4c791eb84afebf86ff244402f49933f34
Opcode Fuzzy Hash: 7a4f7e3618419489432e17d4625177a8ee59dbd0212839cc3d47afd3b0f5e842
Instruction Fuzzy Hash: DF1130B5A052408FEB50CF69E885B6AFBE8EF44620F08847ADD59CB652D374D444CE61

Uniqueness

Uniqueness Score: -1.00%

Function 05040932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,0D64F1C6,00000000,00000000,00000000,00000000), ref: 05040985

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4d02a71a10f4d1dcd9eed48cf02f69a81fc0fbfa81d86545103af1c801dc489e
Instruction ID: dcedc0b40e60026610ac6377f4009b79f0948683d5b84347121963bf9ea7f970
Opcode Fuzzy Hash: 4d02a71a10f4d1dcd9eed48cf02f69a81fc0fbfa81d86545103af1c801dc489e
Instruction Fuzzy Hash: 6C01D6B1500304AEF710CF19EC85F6EFBA8EF44720F14C06AEE44AF241C674A804CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0504075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0504079F

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 90be0cce5a0020b5dfa5b0f72f13129d09ac262194b1aa87b1ed370443fdba0d
Instruction ID: b0819f8fd67873df18ae834010b82c9a664eca7e28725bb6de25a040471c2681
Opcode Fuzzy Hash: 90be0cce5a0020b5dfa5b0f72f13129d09ac262194b1aa87b1ed370443fdba0d
Instruction Fuzzy Hash: 461130B5A042448FDB50DF29E989B6ABBE8EF04610F08C4BADD49DF642D274E4048F62

Uniqueness

Uniqueness Score: -1.00%

Function 05041466, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,0D64F1C6,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 050414A6

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 55912dc766f61cb9fc50549bb478c5252e30d8f787778522e630189c9c89c53e
Instruction ID: 0d502cc2f44518b00cd0bb021ec702f02396e32bde931814e67b1853c68ef032
Opcode Fuzzy Hash: 55912dc766f61cb9fc50549bb478c5252e30d8f787778522e630189c9c89c53e
Instruction Fuzzy Hash: AD116DB5A002448FDB60CF69E884B6AFBE8EF44720F18C4BADD498B652D274E444CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05040B1A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05040B6A

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 8b4315f44ffe8834eb8e9c679ec51d35cd51a7e2c2d237e02e5368139f086687
Instruction ID: 57d6855bb758c4bd80de47a5422e970de1c288951d48b38bb6759da61f7df3c9
Opcode Fuzzy Hash: 8b4315f44ffe8834eb8e9c679ec51d35cd51a7e2c2d237e02e5368139f086687
Instruction Fuzzy Hash: 5501B172900200ABD310DF1ADC86B26FBE8FF88B20F14812AED088B645E671F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05042B3A, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05042B85

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 554ce15def9d8a034a9ac986ceb7d6ce18c3b43bc8997cdc098393eaf956dbe2
Instruction ID: 42654966c0692d00c155459c2839c05fa3fcc9f9c799adc5a59f9982755f6f88
Opcode Fuzzy Hash: 554ce15def9d8a034a9ac986ceb7d6ce18c3b43bc8997cdc098393eaf956dbe2
Instruction Fuzzy Hash: 9101B172900200ABD310DF1ADC86B26FBE8EF88B20F14812AED088B645E671F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05041716, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 05041766

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 7f5ccf640fc05bd7fe0d9c4e32b2da79f7f0f0c7b6d4a8643ff72aea42d31f3d
Instruction ID: 18ed160491272432cecc5ae23f25153e77c2f9ae916a43f12265f8ad3b109f14
Opcode Fuzzy Hash: 7f5ccf640fc05bd7fe0d9c4e32b2da79f7f0f0c7b6d4a8643ff72aea42d31f3d
Instruction Fuzzy Hash: 17018F72500200ABD210DF1ADC86B26FBE8EB88B20F14811AED084B645E671F515CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 05040232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05040264

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6f138c6ea0589c71ca52e1f8bc2f4502393573bf39d9b21a5579cebe94523522
Instruction ID: cba038c480cac7b96dcbf14bed6e1d1ab2433533dfea240354da19686e66325f
Opcode Fuzzy Hash: 6f138c6ea0589c71ca52e1f8bc2f4502393573bf39d9b21a5579cebe94523522
Instruction Fuzzy Hash: 69018FB5A002409FDB50CF29E98976AFBA4EF44320F08C4BBDD499F682D275E444CE61

Uniqueness

Uniqueness Score: -1.00%

Function 050413BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050413EC

Memory Dump Source

Source File: 0000000F.00000002.506958521.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3ccfbb850b61eee06078320b93abc8b8996325c3b697e543ea60598ca4abcbbe
Instruction ID: 99ed43ce23064327ca6dc3d5bc0e63ea99dbd0b097d0f01a91a32bef85a6bf27
Opcode Fuzzy Hash: 3ccfbb850b61eee06078320b93abc8b8996325c3b697e543ea60598ca4abcbbe
Instruction Fuzzy Hash: 940171B5A042408FDB50CF59E88576AFFA4EF44621F18C0BADD498B642D274A444CE72

Uniqueness

Uniqueness Score: -1.00%

Function 04EE20D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 04EE230F

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: d658dd4fe17137b7f854b856a8c104db9cee6b76ad12cf198e658552b5937536
Instruction ID: ee3319e1c40202e5e43ceecc8184650a344ece83214d4f95fc95d651c544b6d9
Opcode Fuzzy Hash: d658dd4fe17137b7f854b856a8c104db9cee6b76ad12cf198e658552b5937536
Instruction Fuzzy Hash: CC717230E08246CFCB44DFA6C9816BEBBB5FF44300F1095AAC606EB255E771AE41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0682, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

Zq^, xrefs: 04EE06A1, 04EE06A6

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: Zq^
API String ID: 0-2875977508
Opcode ID: b7cafa4b52ff94509209ffe3628d247b0ab182d7bb7d8f4e627f0ff505307230
Instruction ID: d3d7c64820c947f9fda260acfda83c45434ec722007d64b8d953ac24de7d6335
Opcode Fuzzy Hash: b7cafa4b52ff94509209ffe3628d247b0ab182d7bb7d8f4e627f0ff505307230
Instruction Fuzzy Hash: D0416D71648290CFC7047B35EC997BD3B66BF80302B144669F602DB271DF705C429B91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2D58, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 04EE2E76

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a290c5f8ecd83d5e3b772b9ea0e76c12751acc992686941db18a857b99818c7e
Instruction ID: e6c16e8cc0c39fccec2c04f3f419286c47171fd5cd25251ae1ba67eec505f44b
Opcode Fuzzy Hash: a290c5f8ecd83d5e3b772b9ea0e76c12751acc992686941db18a857b99818c7e
Instruction Fuzzy Hash: A541C470F041658BCB11CF66C8805FE7B66EBC1314B24D4B6C615DB665E231F802C752

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9058, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

, xrefs: 04EE9176

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d653294112584d0f88dd604ecd4281ec21c80717f125526003356999dae23808
Instruction ID: ee4be43a06d5bc1309d5252a51265982a7a759499638e1cc9afbe8882b215864
Opcode Fuzzy Hash: d653294112584d0f88dd604ecd4281ec21c80717f125526003356999dae23808
Instruction Fuzzy Hash: 3D41C3B5F082058BDB10CF66CC885FEB7F2ABC1214B1A8A66D415DB606E277E942C791

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8500, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 04EE8617

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 6095dd15bf4c410291b325434d6ef30ec97d80e81444e107c2b3c19467d46451
Instruction ID: d5ccb4868f0a7e48237056226227efddb9521841e72bf065f7a40a3b70d6c98a
Opcode Fuzzy Hash: 6095dd15bf4c410291b325434d6ef30ec97d80e81444e107c2b3c19467d46451
Instruction Fuzzy Hash: 3F411C30E0420ADFCB58EFA5D5456FEBBB1FF44304F50946AE402AB250EB35AA45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8348, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

]Dq^, xrefs: 04EE8376, 04EE837B

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: ]Dq^
API String ID: 0-2976015736
Opcode ID: 3aca470cea182b8263aed35f357537f8e43a3ed94f1622f80c0bf12422cf3d32
Instruction ID: 3a0891c27e403309062e9fc986d8bdc3ebde53faa0ff94dbd5a90fc3e196e8b1
Opcode Fuzzy Hash: 3aca470cea182b8263aed35f357537f8e43a3ed94f1622f80c0bf12422cf3d32
Instruction Fuzzy Hash: 58316770B14600CFCB59BB39E4584BE3BA6FB8431171585AEE016CB398EF35AC019B51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8358, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

]Dq^, xrefs: 04EE8376, 04EE837B

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: ]Dq^
API String ID: 0-2976015736
Opcode ID: 0e80dceedbae7be91808f06296db39d24acec7e6256eeaba30e0c91df735b944
Instruction ID: 52dbfb61026f67bf3a3e7932c0bc8990ebae2ab36f3ed2e70667924dd2b0e7b8
Opcode Fuzzy Hash: 0e80dceedbae7be91808f06296db39d24acec7e6256eeaba30e0c91df735b944
Instruction Fuzzy Hash: 43215530B14A14DFCB59BB39E4584BE3BA6FB84311B25856AE016CB398EF35AC019B51

Uniqueness

Uniqueness Score: -1.00%

Function 04EED050, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

=q^, xrefs: 04EED184

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: =q^
API String ID: 0-2102671325
Opcode ID: 5936cb70ceeb0af52cfd383b4347177ba70efbdb7bb4ed7fb89175a8f5fcf66b
Instruction ID: 6e0250f8306ccb1c22c0314d157af273df1c38950dce938b35da8b56f14a73c2
Opcode Fuzzy Hash: 5936cb70ceeb0af52cfd383b4347177ba70efbdb7bb4ed7fb89175a8f5fcf66b
Instruction Fuzzy Hash: 6F21AF752097918FC71A9F3499550597FB1EB4630872888EFE446CF397DB32980BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC2B3, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

]?q^, xrefs: 04EEC351, 04EEC356

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: ]?q^
API String ID: 0-3498547322
Opcode ID: cc07c009f41e6e9a469f7069edd9e4c9e52a290300ce77bdf8f125d67d0379c6
Instruction ID: dff82400e630e86a95799143b1a5b35489d315fb8bc0310cb47046c22ce3ebd6
Opcode Fuzzy Hash: cc07c009f41e6e9a469f7069edd9e4c9e52a290300ce77bdf8f125d67d0379c6
Instruction Fuzzy Hash: 9411BF763047A09FD7066B38945973E3BAABB8A311F0905E9F44ACB399CE349C42C794

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5D88, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

=Rq^, xrefs: 04EE5DA8, 04EE5DAD

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: =Rq^
API String ID: 0-4015769627
Opcode ID: 254c162e55fe23da37ad3db8e3dc048bbc3a963fcfcb1d8991527ee4e22832b4
Instruction ID: 0dfcb2b82f4555fbf6c573848f7aba5d5cbe95051ce66efe4094cfc359abd4d7
Opcode Fuzzy Hash: 254c162e55fe23da37ad3db8e3dc048bbc3a963fcfcb1d8991527ee4e22832b4
Instruction Fuzzy Hash: 5B01D432748254AFDB01D6B998111FDBBA69BC5628F0444AFDA0BEB351EA71AD0287C1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE05B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8Xq, xrefs: 04EE05D6

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: 8Xq
API String ID: 0-781766932
Opcode ID: 0c37a716ff9361502822bb883acdc2df84c6e01935ccef314e38772dd210ffd7
Instruction ID: d3b2212680dfde0015484b336a5a2ee956d01de606fc5f12cbf0cc6534fb8dd4
Opcode Fuzzy Hash: 0c37a716ff9361502822bb883acdc2df84c6e01935ccef314e38772dd210ffd7
Instruction Fuzzy Hash: 3501F2303002608FCB06667D94111BE6BCBAFC6750B58086EE006EB385DE696C0253E6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8Xq, xrefs: 04EE05D6

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: 8Xq
API String ID: 0-781766932
Opcode ID: 210fecc26b6acb5548d7afea8df2ed99f3bce67cce9495aa4db204db058aed0a
Instruction ID: 601b0ad87bb29f2ea6ab32e8ba9e267955e5d555c48419e5978432dfc12ed0b7
Opcode Fuzzy Hash: 210fecc26b6acb5548d7afea8df2ed99f3bce67cce9495aa4db204db058aed0a
Instruction Fuzzy Hash: CCF090717002248FCE08767E54126BF66CBABC5691B58492EB106F7384EEB9AC0313F6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5CF1, Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

-Sq^, xrefs: 04EE5D12, 04EE5D17

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: -Sq^
API String ID: 0-1138329456
Opcode ID: 265e5b80af5d42f19e9c0f36dfedb46101e4bcb977e9cd996a8de4523ed0f1d0
Instruction ID: dd45ef042113df05e4d76cd06a10fec05d3c1899878c56486be1b1bf4aff1893
Opcode Fuzzy Hash: 265e5b80af5d42f19e9c0f36dfedb46101e4bcb977e9cd996a8de4523ed0f1d0
Instruction Fuzzy Hash: 84E072343802A42FCB00AB79A88173E3B897FC1302308146CE403CA380DE108C0297D2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5CF8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

-Sq^, xrefs: 04EE5D12, 04EE5D17

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: -Sq^
API String ID: 0-1138329456
Opcode ID: 99d8dbb8588e974ef0f1b0fac5d5bc6c625617738604ce6211881366385dc06a
Instruction ID: 0acc5d7b102edc7ab07c108949eca47758d41df97b6d85dbe9cbeaaa1add10db
Opcode Fuzzy Hash: 99d8dbb8588e974ef0f1b0fac5d5bc6c625617738604ce6211881366385dc06a
Instruction Fuzzy Hash: 68D0A7747806682B9A04767A584573F378D7BC07563054428F606DB380EE11DC0253DA

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5D98, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

=Rq^, xrefs: 04EE5DA8, 04EE5DAD

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: =Rq^
API String ID: 0-4015769627
Opcode ID: 47d4d03b1e5a2683fe5916807a0a910d5c3689384adbcb303452bfd3c65bba27
Instruction ID: da91617c6150acfd5ee373b56a00b9e397afb465a066f19dbe3ff130f442f941
Opcode Fuzzy Hash: 47d4d03b1e5a2683fe5916807a0a910d5c3689384adbcb303452bfd3c65bba27
Instruction Fuzzy Hash: F1D0A7713402242BAA04E5AD885187A779EDBC5720304846EB90ADB341CE739C0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC6A8, Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

*, xrefs: 04EEC6A8

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: fdbd67e7d440ed2665bdf44b482c5b2eeadd5e8e9a4cbbbd7a6aeeb5f56429c2
Instruction ID: 29cb324ba04ee3340d101baeffaf0602d3a434a8fc35c5c00c71194c223634b8
Opcode Fuzzy Hash: fdbd67e7d440ed2665bdf44b482c5b2eeadd5e8e9a4cbbbd7a6aeeb5f56429c2
Instruction Fuzzy Hash: D8D01231815280CFCB2A0F3A881A7423F35EE47304BA508FAB8908D562EA28880ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 04EE12A0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0d07c95b22cdcaa2e645f29183607dabdfb076aa74098a5ca250c3160838b8
Instruction ID: 13521d9afaa1b7298c6fbe242e7e5d8ee5918b585731cdd21bea60c7ba3e7803
Opcode Fuzzy Hash: da0d07c95b22cdcaa2e645f29183607dabdfb076aa74098a5ca250c3160838b8
Instruction Fuzzy Hash: EE22E339A00A45CFC724DF29C580A6AFBF2BF88310F148999D85A9B756DB34BD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA9E0, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666c24519af71f2e842c474e440c5d3c66cd5e612465a556204abed30cf9b06e
Instruction ID: e9eece4ecd12d63765490f6c8b20fb65c3e07f7f1aec9f4529ca4f5fb6b1f6e1
Opcode Fuzzy Hash: 666c24519af71f2e842c474e440c5d3c66cd5e612465a556204abed30cf9b06e
Instruction Fuzzy Hash: AC91E4707006258BD704EB68C851A6E7BB2FFC4300F5085BEE2169B7A5DF70AD0697D2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE51F2, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd204d153a669755001e3594763a188845778a272d2dda102b84bb9bf090ee2
Instruction ID: af61890d336e288086cb2c53ae0afc3bf98416f28a21fcedc1ccfa979d17a97a
Opcode Fuzzy Hash: 4fd204d153a669755001e3594763a188845778a272d2dda102b84bb9bf090ee2
Instruction Fuzzy Hash: A8910435A042449FDB05DBB8C448AFDBBF2BF89308F2444A9D106EB2B6DB316D09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5E00, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad19056f6a934f5c0d06e609b93af47282578038b776825c622553db4ab3b71
Instruction ID: b25377f0bbdbd5db15b7d0fca35879cd56ffb91b02d22a5862ac61fd5865e7ed
Opcode Fuzzy Hash: 9ad19056f6a934f5c0d06e609b93af47282578038b776825c622553db4ab3b71
Instruction Fuzzy Hash: 67814B31A005198FCF15CF65C8806EEB7B2BF85304F558595D90AAF216DB71BA8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE768, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7022673364c8f36e3e2e531bbb8591977be06a32743eee30f79fe9d059f5c15
Instruction ID: 588ee61d3c59fcfeea78e58e6a1de607b60571e93bc46509181492bbc12a28fd
Opcode Fuzzy Hash: a7022673364c8f36e3e2e531bbb8591977be06a32743eee30f79fe9d059f5c15
Instruction Fuzzy Hash: EB713734A00605CFDB68CF6AC488BB9BBF1BF48314F18A559D556A7360DB31F882DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04EE09A0, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0799f43e5dd22459b2b63e4a8bacb13df71b7d1c6bc7fe73a260553982111ff8
Instruction ID: 38545bc9bad629c900a6b067b8de0ac77c53e84f4c1bd3efd2b960d1bd0106e3
Opcode Fuzzy Hash: 0799f43e5dd22459b2b63e4a8bacb13df71b7d1c6bc7fe73a260553982111ff8
Instruction Fuzzy Hash: 8851B431B00165DFCB149B69D894BBEB7F2BF84304F258569E516DB360DB70AD02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02E8, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06c8d8db63962baabd366b663816ad6476178de1b0899b611d612c373cd04ec
Instruction ID: ae3184d9a6ea42e2071626a6afa83c7c3ae640d9de1c5334e0ee08e2bc544b8b
Opcode Fuzzy Hash: a06c8d8db63962baabd366b663816ad6476178de1b0899b611d612c373cd04ec
Instruction Fuzzy Hash: 4351AF70B04215CFCB09DF69C5A06BEBBF2EF89310F148069D506AB395EB75AC05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE000, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b11535614c9c36809f53db508088e662bdd4d8021601ec25103ec910f729c3e
Instruction ID: 42fe3741e3587e34cd4faec493191ddf51766284bceac01f2c14d72abc3a9918
Opcode Fuzzy Hash: 4b11535614c9c36809f53db508088e662bdd4d8021601ec25103ec910f729c3e
Instruction Fuzzy Hash: D9519D31A00619DFCB18DF99C8808AEBBB7FF84310B558159E90AAB355DB31BD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7400, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4415921569ed47ccc2b5a5f5284d00e7d077ea157884108701b35e6dc21e02cb
Instruction ID: 834df4cbc6f61f32736145eb3fcc34ce0bcae47f49b393ba6b8a0580ed44938d
Opcode Fuzzy Hash: 4415921569ed47ccc2b5a5f5284d00e7d077ea157884108701b35e6dc21e02cb
Instruction Fuzzy Hash: 58311931A0062ACFDF11CF55C8546EABBB2AF85304F518494D909BB205DB707B8ACFD1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6F10, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354a7102c0fcf1b97b2e1c6edd39a9701a01bbcdb26380ac4d6dfe2d011451f1
Instruction ID: 29d9a620899454ae1acccc7ce17c26e7f1d399926037603e881c8cf76b0ea466
Opcode Fuzzy Hash: 354a7102c0fcf1b97b2e1c6edd39a9701a01bbcdb26380ac4d6dfe2d011451f1
Instruction Fuzzy Hash: CE515E71B002598FCB08DBBAC4505BEB7F7BF88314F648569D40AAB345EE31AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE78E8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eaec0da7ebf8c2d6bda19ed5b798b7686ceedacff725ff34930a2d392dcbaa9
Instruction ID: 7a0fbf31f53db8c53b50b1d8682159dabf1cfecb26b7d067bbf0941f5997e323
Opcode Fuzzy Hash: 7eaec0da7ebf8c2d6bda19ed5b798b7686ceedacff725ff34930a2d392dcbaa9
Instruction Fuzzy Hash: BA511275E00658CFCB14DFA9C9846ACBBF1FF48310F21866AD59AA7394E7316945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7BB9, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb089a1560ce95fc6a592c6e8a77e370128a363b5f25fb621b6921e31589f4bc
Instruction ID: 17513e5486d37a47c039d223c097b22cb587613df1d607202e5f8375d05a36d9
Opcode Fuzzy Hash: bb089a1560ce95fc6a592c6e8a77e370128a363b5f25fb621b6921e31589f4bc
Instruction Fuzzy Hash: 05511A34A00215CFDB14EF79C594AAD7BF2BF88304F6095B9D40A9B395DB31AC81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4511, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7978eed0f50042b798150163898099bcd415cac6ec35ab04681c7e5e0d1704b
Instruction ID: 409eb7a26566d62965fd67f58db3b9bf2aa5ce6b0dad60fa4f4a8ed17c430fca
Opcode Fuzzy Hash: f7978eed0f50042b798150163898099bcd415cac6ec35ab04681c7e5e0d1704b
Instruction Fuzzy Hash: 8141E437A04191CFCB01EF69E8445FE7BB2FF85314B1480B9E5069B3A6DB31A909DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EECAC8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e23dcc9091c328fa54050f6783b1267d34ee405e634e5b99799e3319565c74
Instruction ID: 124a2a44875df582775e378482aca16005e8f7153a5cc232231ba66253971979
Opcode Fuzzy Hash: d0e23dcc9091c328fa54050f6783b1267d34ee405e634e5b99799e3319565c74
Instruction Fuzzy Hash: 1341B031A006459FD714DF7AC9846BFBBA2EB88314F249A2DC59A97291EB30B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2BF8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811809f9bc5053d5dcc19e803a008bdb7cf7523e84da5234c4255ee38fd4dda9
Instruction ID: 9c8f8a2021317774a385d984ce911a65f8ac475637f8b5a8711701cdd39de105
Opcode Fuzzy Hash: 811809f9bc5053d5dcc19e803a008bdb7cf7523e84da5234c4255ee38fd4dda9
Instruction Fuzzy Hash: 0341253470D381CFC7158F37D8949B87FB9AF42204B1995EBD286CF6A2D660AC05D752

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6A90, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542afb204bacb6c0a8f296462a40b5a322d135ee02e0c6a674a8f7c2e831ea91
Instruction ID: 546394e5c505f40fdedf617716c66ca7d7b197c90a84e7469ddd635cd605062e
Opcode Fuzzy Hash: 542afb204bacb6c0a8f296462a40b5a322d135ee02e0c6a674a8f7c2e831ea91
Instruction Fuzzy Hash: F941CF36A01680CFC705AF79D15016D7BB6BB8D710B5440BDEA0AEB396DB31AC01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93c25aef288d6afb01ae82938872854fb60e6cb4fe9c657e057e863b61397f7
Instruction ID: f90c5b06a086cbff2ed0499c7d3e097eae18dc7b220017e900e0618f69bc87f3
Opcode Fuzzy Hash: b93c25aef288d6afb01ae82938872854fb60e6cb4fe9c657e057e863b61397f7
Instruction Fuzzy Hash: 9841E532B051148FCB058B29C4146BE7BE6AFC5310F1580AAE90AEF3A1DEB1AD06D791

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1458, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a799dab7455a6ef5e059879de677e160783c5a31510ff8eb31d0d756e05f2b71
Instruction ID: 40ec173654efe79cfd6eda0f9638099385c7540eeac675f5a4d47d16d12125a2
Opcode Fuzzy Hash: a799dab7455a6ef5e059879de677e160783c5a31510ff8eb31d0d756e05f2b71
Instruction Fuzzy Hash: F6510735A00258CFDB14DF64D994BADBBB2BF89304F5040E9D40AAB366DB35AD88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5508, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2c821f462f62507394445059091c4ea495e4c5efe869ca160afac74583376
Instruction ID: e0781eba743b5f378b4bd3dfb1826878aec83235de88ce88854e869da22710fb
Opcode Fuzzy Hash: c6c2c821f462f62507394445059091c4ea495e4c5efe869ca160afac74583376
Instruction Fuzzy Hash: 2941AD31B04241EBDB056BF7981833E36AB6F84658F14A869D907CB394FF74F8058B52

Uniqueness

Uniqueness Score: -1.00%

Function 04EEAD60, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f5c891033aa0891ff6a8d2664394924c29b6701b474fd111c05a936c5ca036
Instruction ID: 0d475e176e5a09edf36b494ce0e0f893a6a79bc512ddff6f7915124ab57222d1
Opcode Fuzzy Hash: 38f5c891033aa0891ff6a8d2664394924c29b6701b474fd111c05a936c5ca036
Instruction Fuzzy Hash: F9410071A00A608FCB15DBA9C8901BEBBB2FF88304B14547EE456EB760DB34ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6AA0, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af2b1e83cb6c6a3bd87f9861bf69386ff64bff4f365972ca283da3312d241e8
Instruction ID: 3259aa0da7e93562f11af261ab9d0489ffd2d983e45d8726a83cf563e412e9e1
Opcode Fuzzy Hash: 2af2b1e83cb6c6a3bd87f9861bf69386ff64bff4f365972ca283da3312d241e8
Instruction Fuzzy Hash: 0C418E36701640CF8705AF69D25016E7BB6BB8D711B5440BDEA0AEB386DF31AC41CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04EECEA0, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2e74de9909400794784afc0f1d9e2ef45f174940ad670c2eee2adcf2de6ef6
Instruction ID: f7dad6dd5bddf97c35fb5e75ec116f4267a8cd3fd3d11a99a53f2a8668a16f46
Opcode Fuzzy Hash: 2a2e74de9909400794784afc0f1d9e2ef45f174940ad670c2eee2adcf2de6ef6
Instruction Fuzzy Hash: 1541E675E00249DFCB14CFA9D5909ADBBF1FF48314F24946AE406AB351E731A942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE81E0, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07716f5bf67a3dff1921f13abc0b94c81affadf5dfd18a6f0dbfc49947f6b141
Instruction ID: 57905d2938f261bcc5506712d2423bf0055648c8e1812d53af866c0a62a89026
Opcode Fuzzy Hash: 07716f5bf67a3dff1921f13abc0b94c81affadf5dfd18a6f0dbfc49947f6b141
Instruction Fuzzy Hash: E841D135A00506DFC700EBA9C5449BEFBF0FF48324F109676E4169B252D731A856CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02DA, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b7f6e56a30afe65c1241aa465c60b7a46242bb41e4c8e226fe4bdb814d2931
Instruction ID: 1b6cad591c07f27ac370f325359742a8b8ecab6296056384ff2d2c8894588747
Opcode Fuzzy Hash: 87b7f6e56a30afe65c1241aa465c60b7a46242bb41e4c8e226fe4bdb814d2931
Instruction Fuzzy Hash: 80417870B01215CFDB18CF6AC194BBE7BB2EF89314F245469D502AB3A1DBB1AC01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDFF1, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff50411d1f05b2f4e117ee34ea492752ca74384ae6fc0dc94377d1a4497102b
Instruction ID: 03133233f59808f17ff002fa8100e6891a68b1cb7596e56b9682271908854080
Opcode Fuzzy Hash: fff50411d1f05b2f4e117ee34ea492752ca74384ae6fc0dc94377d1a4497102b
Instruction Fuzzy Hash: F331D031B04249DFCB19DFA9C8408FDBBB7BF84310F54406AE506AB262EB31AD45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0170, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1da0df2a91ba699c161e9a0b883c7dbc98408b11de4fe5258d4d50fef336e2
Instruction ID: 86a73749faf8d526bcdad6aaba109345c5bd687e0fde9f4720092c88ae3f4cb9
Opcode Fuzzy Hash: 4b1da0df2a91ba699c161e9a0b883c7dbc98408b11de4fe5258d4d50fef336e2
Instruction Fuzzy Hash: 0031AEB07113549FEB108F79D880B2A7BE9EF8A794F200469E5069F391DAB1FC018B60

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7150, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bcf0ab0081b3b8c0b92bb75753532e87b90f6c682edab4e853ecff7b399f24
Instruction ID: 29c51b515807f793a6adc5c71c3ee689f6d0ea560b32266703a1b6600fce8d8b
Opcode Fuzzy Hash: 08bcf0ab0081b3b8c0b92bb75753532e87b90f6c682edab4e853ecff7b399f24
Instruction Fuzzy Hash: 0B312871B04141AFDB08ABFBD8546BFB7E6AFC8208B50517AD5029B386ED716C018792

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDEDB, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eccc217c581b2c8db9499243ca911d153a341ed7636bcf43afc602b7e1b8fd
Instruction ID: 03755502a08f878e905c7fe591b45584d5c7f4c94324a48a09dd54c5be97dc21
Opcode Fuzzy Hash: a9eccc217c581b2c8db9499243ca911d153a341ed7636bcf43afc602b7e1b8fd
Instruction Fuzzy Hash: 34314D71B05206DFCB64CF69C844ABEFBF2AF88314F14A569D00AEB241DB35E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1290, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd4e2ed428137e39f7a91665c8b1d9149dd860313077c3b615d8bc1bb9f2e89
Instruction ID: 3b9e1612c9d16634c465e67e2da3f61e45b3199f0316f0507c49f2e845e84888
Opcode Fuzzy Hash: 3dd4e2ed428137e39f7a91665c8b1d9149dd860313077c3b615d8bc1bb9f2e89
Instruction Fuzzy Hash: 62412774A04258CFDB64DF69D880BADBBB1BF49340F0044EAD40AAB355DB30AD84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEA49, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3c6679a28e4d35536c9cc6a0f06fd17241ecaa37f63fec4b6580ae484e8040
Instruction ID: bcf5529f033f22de12cee60578e56453b1f6b605457ca00002a37929b4d8b61d
Opcode Fuzzy Hash: 5f3c6679a28e4d35536c9cc6a0f06fd17241ecaa37f63fec4b6580ae484e8040
Instruction Fuzzy Hash: 8A411B30605B41CFD339CB2AC5447B6BBF2BF85309F18986EC49B86AA1D779B445DB00

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6F00, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1afba9380a8cec77f45ea08a461327c60c05f42a7320e5b86fa0546a0c9ca8
Instruction ID: 07b6059dc27e75d1e2055d861a32e308361f7709c4ebc1def02f69ae7de498a9
Opcode Fuzzy Hash: 3e1afba9380a8cec77f45ea08a461327c60c05f42a7320e5b86fa0546a0c9ca8
Instruction Fuzzy Hash: 7F316E32E002599FCB04DFBAC4545AEBBF2BF88314B508569C806EB355DA31AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA9CF, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb21cbed6304870057097c0f7bcfad67176efc97a976f998b04355e83448ed6
Instruction ID: 2f1d579e233a8377d50cd7c3a301e726a8d5962d5022dae4cf1565aa59937285
Opcode Fuzzy Hash: aeb21cbed6304870057097c0f7bcfad67176efc97a976f998b04355e83448ed6
Instruction Fuzzy Hash: 55311A31B501158FDB089BB9C859B7EBBF6AFC9301F558079E10AEB2A1CE715C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5b06c70e62c2faea89a160fc842538cdceff06e278d6f713460c7b475b53c6
Instruction ID: 5fc0d8e5f12f7c822fe745fa121611a6d36a7be3aa410f79b5e2036e1fe3f6e2
Opcode Fuzzy Hash: 7f5b06c70e62c2faea89a160fc842538cdceff06e278d6f713460c7b475b53c6
Instruction Fuzzy Hash: C921A531F0010ADFDB10DAAAD981AFFB3B9FBC8244F105936E619D3284E67069159BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE447, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f78682ec1e40ae5b42089cc4f4970c0556a27623c3e292f9750c784d0f41d3
Instruction ID: a5b2f5baba3e2f952b328161264bb5ce7871daa154315c90d4809f90f77c7f8b
Opcode Fuzzy Hash: 13f78682ec1e40ae5b42089cc4f4970c0556a27623c3e292f9750c784d0f41d3
Instruction Fuzzy Hash: 16316F70B00605CFC765DFA995846AEBBF6AF88300F10842ED546AB791EA31E946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EECB30, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fff2837d20dde9bdec3afcd72a21bd9b81ad6bab66fed042aa166b5b61f7241
Instruction ID: 7e760b861e09c4ca17cfa70114cc0d4fb5ed0bfdd966e6d77f3ad9b6c94ce0b3
Opcode Fuzzy Hash: 5fff2837d20dde9bdec3afcd72a21bd9b81ad6bab66fed042aa166b5b61f7241
Instruction Fuzzy Hash: FB318071A00645CFD718EF76C984ABFBBB2EB88304F209929C95697355EB34B841DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EE50E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971e18a195c3f192db3d817a6f747135f881865d24d189ab61aa3799919efa33
Instruction ID: 77cc817d73045270c700c6d99f5524245c0ca838ac8cc0dc98dd37250b6e09b7
Opcode Fuzzy Hash: 971e18a195c3f192db3d817a6f747135f881865d24d189ab61aa3799919efa33
Instruction Fuzzy Hash: F8219C71A007099FDF04DFBAC4146AEBBF6AF88308F104529D50AAF351EB71A946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04EE43CE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47220bd524d964bd0f4e84af02c8aeaa44871f7a5dddace33c2d99e77817cca1
Instruction ID: f6111962d9953e12412fce89008bb36d26aef02c07c7071c98ee9fcc9b7594fe
Opcode Fuzzy Hash: 47220bd524d964bd0f4e84af02c8aeaa44871f7a5dddace33c2d99e77817cca1
Instruction Fuzzy Hash: 7D31B137600195CFCB01EF68D9889AD7BB2FF84304B1481A8E5069B3BADB31A915EF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDCF1, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff485fa54ce4791b049bd02d156391c933140cffa7067d31baeca0180c47ed3
Instruction ID: c2c56785d01230a6a01b9166e74ac487c651805e8a36a182ae42e6599b4470ad
Opcode Fuzzy Hash: fff485fa54ce4791b049bd02d156391c933140cffa7067d31baeca0180c47ed3
Instruction Fuzzy Hash: D93138302006168FC755EB38C4A126A77A3BFC0344B648D2DD58A9B794DF76E8079F91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE43D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8d959c7d2ced008d15d6eb5bd2bf215729390c5782b5525d9484da2315eb47
Instruction ID: 2f0d850507d69b3cf1251c36711537b3551e306586c27a746b99d4d6a7caa548
Opcode Fuzzy Hash: bf8d959c7d2ced008d15d6eb5bd2bf215729390c5782b5525d9484da2315eb47
Instruction Fuzzy Hash: 6C31B137600195CFCB00EF68D9889AD7BB2FF84304B1480A8E5069B37ADB31A915EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5738, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f96b0cb717e6b3ef5a3770303c3fe493eb66eb822d21ca0f1d2057d8f7b019
Instruction ID: 466671ee8861c417a6e18c50d6759bafdf50e982e25cd7d12af221731528d3de
Opcode Fuzzy Hash: 59f96b0cb717e6b3ef5a3770303c3fe493eb66eb822d21ca0f1d2057d8f7b019
Instruction Fuzzy Hash: 7B21C771B042059FDB089BBAC4502FE7BE6AF88754F10847ED406E7345EE35AC029BA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE01A8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550dbad981e57d87b504c778f92646b680a3c9240176067415f672f4138c2e12
Instruction ID: 3f8c784f115a597093cb46072c5407b09c622d6cdf4e4701a91d68c7dcdf87a8
Opcode Fuzzy Hash: 550dbad981e57d87b504c778f92646b680a3c9240176067415f672f4138c2e12
Instruction Fuzzy Hash: F1216AB07112159FEB108F69D880F2A7BE9FF8A794F200569F505DB391EA71FC018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE08AF, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc77f1902ccd09dd9b6e7d1756e0aec8d0b522d79daa4a834e1db4358edb6af
Instruction ID: 42409d1a1125dfae35d52ecc92b9a50bcd9153ece184433fd70024098b6ce97d
Opcode Fuzzy Hash: 3cc77f1902ccd09dd9b6e7d1756e0aec8d0b522d79daa4a834e1db4358edb6af
Instruction Fuzzy Hash: 61214C31A483B48FC7114F79AC906BF3FE59FC631070552ABD6469B255EAA41C03D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA658, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0645f9d9def5e115e9bfc9812754ee9528b29ed6bf461ef11df51290fd1081
Instruction ID: 66e902822397d58969916fe9220d127ccd416757c57b5365b8c59d05e70c2273
Opcode Fuzzy Hash: ad0645f9d9def5e115e9bfc9812754ee9528b29ed6bf461ef11df51290fd1081
Instruction Fuzzy Hash: B6215C71B00256DFCB24DF76C9419AEB7B1BF88744F10997DE002AB244EB70AC44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE68CE, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904df776fa4701121764926d7fdbe3accb0f53fee2646ec1ceccc2e4c1274b4
Instruction ID: 174da853a3d0a897250befbcde22d2a2fc0cc2e6e6e9dca3259a844249ffa8da
Opcode Fuzzy Hash: 8904df776fa4701121764926d7fdbe3accb0f53fee2646ec1ceccc2e4c1274b4
Instruction Fuzzy Hash: 8731CE36200A51CBC714AB38D29406D3BA2EF8530475485AEE10BCF345EF32AC07DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4FF0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da22b452d06941bc7c536d3a72b09cc3e4414883ee0a80a2053b5cf99cea589c
Instruction ID: a57d8463a671e0fb4acf537d8e30b06a636f95e3d1240d1ef79cbc1b87a7d5bf
Opcode Fuzzy Hash: da22b452d06941bc7c536d3a72b09cc3e4414883ee0a80a2053b5cf99cea589c
Instruction Fuzzy Hash: B621C177A04655DFC700EFBAE6806BD3BB2BB84314F10552AD40687389EB703905DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04EE21E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6eff60fcbd69d56386ca2618d2226eed48ffe5be45bb16cc19942f37a809769
Instruction ID: 9bf9298ae35c62ee328ccb31e2e038d30c6fa6f1ffd5882f51d33b866f9f6658
Opcode Fuzzy Hash: f6eff60fcbd69d56386ca2618d2226eed48ffe5be45bb16cc19942f37a809769
Instruction Fuzzy Hash: 34317C70E0820ADFCB44DFA5C5417FDBBB5FB48300F1058AAC602AB266E634AA04DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4F10, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fd0e1e7e8ed59eb853dd450d3479372e27d62643594917d78db6062bbcd0d0
Instruction ID: 2442792475b6fd8327bcf3cd8a5e69f4ed6c3894e25c8356ece8010fbde8d34f
Opcode Fuzzy Hash: 11fd0e1e7e8ed59eb853dd450d3479372e27d62643594917d78db6062bbcd0d0
Instruction Fuzzy Hash: 6B21C3333186558FC300EB76E6908B93B62FBC4B51B10B96AD043876CAEB307D05D792

Uniqueness

Uniqueness Score: -1.00%

Function 04EE88E6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff8a585215fdc982139a54837f5f7890506a716341cc558a64f991e089d36b6
Instruction ID: 2d378fa39c78d6c7b88c9338f3d6048b56cce8e7034988ba281e8b8311430830
Opcode Fuzzy Hash: dff8a585215fdc982139a54837f5f7890506a716341cc558a64f991e089d36b6
Instruction Fuzzy Hash: 2A31AB30E10646CFDB24EF6AD84126EBBB2BF84308F15D52DE005AF654DF74A885DB86

Uniqueness

Uniqueness Score: -1.00%

Function 04EE84F0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71f7c19b4bb6674a7e7f568e362f0dac94c334cc7c868082a4cabd87177adea
Instruction ID: a6af4d1a332f1e8e145198fa7bfe543e702fee9f4bd83cf86276444632d16338
Opcode Fuzzy Hash: f71f7c19b4bb6674a7e7f568e362f0dac94c334cc7c868082a4cabd87177adea
Instruction Fuzzy Hash: B131BD30E08209DFCB55EBB5C5517FE7FB0BF45304F10909AD402AB290EE35AA08DB42

Uniqueness

Uniqueness Score: -1.00%

Function 04EE25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9526be42f0bb4e46889d32dabba68c49ec29e643892a367e84623e4aace863f
Instruction ID: 47fc4c15aa2c82d9f3dcc3487ac62c039a527670495962099249b16dff214056
Opcode Fuzzy Hash: a9526be42f0bb4e46889d32dabba68c49ec29e643892a367e84623e4aace863f
Instruction Fuzzy Hash: 9831AD71E00286CFDB20CF66C98436EBBB2BF84308F10D6A9C2449F225DB74A589DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDB87, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5623582064f7c64f803542d1200a995f9db5fe9f35da37c47445b9c0ad0d386
Instruction ID: 7e2b60945b47594e47d1f1e779d2787f52fd3dd855a27107c2912cd1a21d4c4f
Opcode Fuzzy Hash: a5623582064f7c64f803542d1200a995f9db5fe9f35da37c47445b9c0ad0d386
Instruction Fuzzy Hash: 0B210034708606CBCB05CB669800AFEBBF5BB88345F1464AED4429B340EBB1A845A792

Uniqueness

Uniqueness Score: -1.00%

Function 04EE46A9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab247ee25454ee8608679ffefb78dff231f1ce3297f279e83cdfaed714cbf62
Instruction ID: ab9fbb4f72fb040b0c91e2fc398a0036346a285d46a65ecf5ea74221d22f4eef
Opcode Fuzzy Hash: 3ab247ee25454ee8608679ffefb78dff231f1ce3297f279e83cdfaed714cbf62
Instruction Fuzzy Hash: C6115E33708141CFCB11ABBAA4506FE3BA59F86358F1408FBE505CB6D2E672A8119B91

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA648, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f11065316def79796ab1ae2567e814ad23db33e2396ec649b8752031db72b77
Instruction ID: 197062778f3175ec5aa496e785d36722bdb14db2c0008adc69fdf260a0891302
Opcode Fuzzy Hash: 7f11065316def79796ab1ae2567e814ad23db33e2396ec649b8752031db72b77
Instruction Fuzzy Hash: EF21CD30B1425ADFCB24DE36C841AAE77B5BF85748F20587DE002AB280EB71BC0497A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3491633c45784c70541c835a33bb58de234ba927f94400edc3908e386fd54a23
Instruction ID: 8fdda8210186f1beec020d8fbafe0dfbfe432827466dbc4f43aae1cab8a3a63c
Opcode Fuzzy Hash: 3491633c45784c70541c835a33bb58de234ba927f94400edc3908e386fd54a23
Instruction Fuzzy Hash: 8021A270A04526DBD704DB29C550BBB7BF2AF94704F14486DD04AA7784DB31BD02DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7160, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320820ea9600b099154cb21ee64303987d723f611b21c2e66cff3709a92b3d58
Instruction ID: 96d8eb6ca89a96b5df22664965abd507600f33c7d548869ee5571ff30b75071b
Opcode Fuzzy Hash: 320820ea9600b099154cb21ee64303987d723f611b21c2e66cff3709a92b3d58
Instruction Fuzzy Hash: 8411E671700101ABDB08A7FBE8505BFB6EBAFC8244B50553E95039B356EDB1AC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE21F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e48bd7ec2301a8a661dae6b951fac9cdeb5573d11fca14a05e46bafe0491e8
Instruction ID: 33854f633d1e4b58e94f90b7196d039b2da9cdc9406ff05e0fbd094c9cb3a8cc
Opcode Fuzzy Hash: 30e48bd7ec2301a8a661dae6b951fac9cdeb5573d11fca14a05e46bafe0491e8
Instruction Fuzzy Hash: 03212170E0820ADFCF44DFA6C5457FDBBB5FB48304F10549AD602AB252E771AA44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE2F0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994bb349d3aed43f568e865aef9dbc40255096db0d272042c69a8ac5d83ec604
Instruction ID: 231fef3692a8c9d14bfdb49641efc145cc42700b66e0fc67a7e80e74ded02434
Opcode Fuzzy Hash: 994bb349d3aed43f568e865aef9dbc40255096db0d272042c69a8ac5d83ec604
Instruction Fuzzy Hash: 37215E31A00105DFCB54DFAEC5419BEBBF5AB48310B54906AD54AE7300E731BE01DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE48C6, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb70b99737e03443bbfbcfb619da12205b6f24d511aa6e6950f22c9a45e3181
Instruction ID: 8fcc813a18a0775a95a31a152201692e31835713e683ff9c18b79081d465d9d8
Opcode Fuzzy Hash: feb70b99737e03443bbfbcfb619da12205b6f24d511aa6e6950f22c9a45e3181
Instruction Fuzzy Hash: 8111A332B0411A9BCF05DA79D8508FEBBB7ABC4710B44602ADA06B72C1EE212A068795

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61eeb471cce9316950d1a62f0125949bc0276b1830f3bc1eabc55c989e7c40f
Instruction ID: 4ee1d0062549eca5abc1ccf1c61411831eebce9c3ea7088028e8ad22bb0df9e7
Opcode Fuzzy Hash: c61eeb471cce9316950d1a62f0125949bc0276b1830f3bc1eabc55c989e7c40f
Instruction Fuzzy Hash: A511AF32B001559FCB44EFB994502BE7BE1AB84218F54807AE906E7345EB3069029BE6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE50DE, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed3dcc67db4728aa9dc37f3bdba1f3ec209628662cbed3f3b3f0b4ff14c5fdc
Instruction ID: 7f9e7952cc2e3a5be7e69a98fb729404d064a68c7c42caa853213f775e705baf
Opcode Fuzzy Hash: 9ed3dcc67db4728aa9dc37f3bdba1f3ec209628662cbed3f3b3f0b4ff14c5fdc
Instruction Fuzzy Hash: C0111871904749AFEF00CFE5C8546EEBBB2AF89308F104529D50AAB255EB71694ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE2E1, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8edf70e6288a469ab505a4c652e689f6febc303bf5bf5fee62d3d93cfccfc4
Instruction ID: ba32dcf21277493ab1fea146d4ec40028324dd027cab9021bf398c490dc8fcf3
Opcode Fuzzy Hash: 8e8edf70e6288a469ab505a4c652e689f6febc303bf5bf5fee62d3d93cfccfc4
Instruction Fuzzy Hash: 19116734A04205DFCB54CFAEC5419FEBBF1EB48210B20A46AD48AA3201E331BD06DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC5A8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1627bfcbe74c3d351303e5605d548719a010c71b465897ab9904949217057063
Instruction ID: e67ef6bf4c04734205371afb2ff8d952420076cc6e8c972de0e746992e69c8df
Opcode Fuzzy Hash: 1627bfcbe74c3d351303e5605d548719a010c71b465897ab9904949217057063
Instruction Fuzzy Hash: CE119E71B000019BC708AB7AC454ABE77EBAFC8754B249469E40ADB351DF32BC02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE78E1, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2d8381e1dd840573a3db722ac1b7840f7a653571784d81a6780927bea0cc65
Instruction ID: 714b4aca3fe9bb74748b11ad9d3293689d5fb3ff291e9b53256ce63dd853bdf6
Opcode Fuzzy Hash: 8e2d8381e1dd840573a3db722ac1b7840f7a653571784d81a6780927bea0cc65
Instruction Fuzzy Hash: B711BF36A04194DFDB11CBA9D844AFDBBF1EF88300F1154A9D642AB2A1E7327E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EED9F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d211c3ba1a39912458bc75a94e4cb95f1592bfd95db74315c3ea95c7e3ad2805
Instruction ID: ec3e1b7376ef0bb7bdb4fd0556883bb73068025dc8225d34012543c8462f7758
Opcode Fuzzy Hash: d211c3ba1a39912458bc75a94e4cb95f1592bfd95db74315c3ea95c7e3ad2805
Instruction Fuzzy Hash: 5C0126717042A19FCB141BB59C5467F7FAABFC9254720857FE046DB352CD328C028761

Uniqueness

Uniqueness Score: -1.00%

Function 02A5087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.502344949.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdef2a4704803baab2737692c8cf6a73a077fae87d43f93cc52677fe461fb407
Instruction ID: f6f8be8bbb64ef8e811ea9299b807271f7ef6a4049c997a1bf0d532da849a674
Opcode Fuzzy Hash: cdef2a4704803baab2737692c8cf6a73a077fae87d43f93cc52677fe461fb407
Instruction Fuzzy Hash: BF11D231204644DFE705CB64D980F27BBA5EB8C708F24C99CED491B642CB7BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02A50844, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.502344949.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007ced6e7bc3c51f4b2896fb9bfbb7e23ecea4c84d3ccecc96d23ea45295dba2
Instruction ID: 30e0203c63dd44e8003bdb32d621f8f2b94adbe237bb997dddb98fd3cd1f8193
Opcode Fuzzy Hash: 007ced6e7bc3c51f4b2896fb9bfbb7e23ecea4c84d3ccecc96d23ea45295dba2
Instruction Fuzzy Hash: 01215E7554D3C58FD703CB20C8A4B55BFB1AB5A304F29C5DED9898B6A3C73A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC561, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66de748f987e95735e9e8100a6d944b3ea2c14a6e2b0f6e958a30443093676ab
Instruction ID: e3e8d9c36e6f4d2154c9b2d5263ad95c22c2c2e9fbc9aa30d3a27849c3132496
Opcode Fuzzy Hash: 66de748f987e95735e9e8100a6d944b3ea2c14a6e2b0f6e958a30443093676ab
Instruction Fuzzy Hash: 7A014072B091919FC3161BB764141BA3F698FC661433411ABF045CB341ED11AC09D3E7

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC228, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9be733b1962348ed97fd97155a2910924178d4ec3b560db4e8037ee310de2c
Instruction ID: 7f85cf98544a7fb557affa7ccdbbdd0fd7cff16179a87e82d0f6572d836f50af
Opcode Fuzzy Hash: 1d9be733b1962348ed97fd97155a2910924178d4ec3b560db4e8037ee310de2c
Instruction Fuzzy Hash: 4C11F770700A148FC714DB6DD48486ABBEAFF893243258A69E86AC7761DB31EC018B51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE11DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a642819724bd1f97e1aa7a38d50b01fa10e0cc2b9ff527c96ec2f439aed427e1
Instruction ID: a8c3aea65c478e8c358ed7fdf1cb7cde72cfc1f02a1cdae5843a264a22383bb8
Opcode Fuzzy Hash: a642819724bd1f97e1aa7a38d50b01fa10e0cc2b9ff527c96ec2f439aed427e1
Instruction Fuzzy Hash: 89116131318190CFC706DB29D9589B9BFF6AF8A30071541EBE042CF277DA75AC49A752

Uniqueness

Uniqueness Score: -1.00%

Function 04EE238F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d3e121084a9332c41f47be61360a4a24a799422dc5e4bd9e3fbe8f964b2f82
Instruction ID: 9bebcc85d34c916f6589d508b3c84243c162299fd85b3acaee232a2e9b63428a
Opcode Fuzzy Hash: f1d3e121084a9332c41f47be61360a4a24a799422dc5e4bd9e3fbe8f964b2f82
Instruction Fuzzy Hash: 2A116D71A0424ADFCB24CFA6C981AFEBBB5BB44304F1014AEC246AB344EB712842DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f86f7b9248acc4fb932eacb8de7e341e59a4ee954de9f66ee3be792dc181bd3
Instruction ID: 69e55008486d3ea24f57e058e767a6372f6fc947cbf228e2b9672a321e58b5b7
Opcode Fuzzy Hash: 8f86f7b9248acc4fb932eacb8de7e341e59a4ee954de9f66ee3be792dc181bd3
Instruction Fuzzy Hash: 70011731A402489FCB94EFB994506AE7BF2FB89310F20447EC549EB241EA355A069BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEAEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.500790343.0000000000CE2000.00000040.00000001.sdmp, Offset: 00CE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c93006f6efb691c3551e78115eaddf4651a57f00e74ef38b29d7512b04d13c
Instruction ID: e5a50f22d1529e7302f4fd1dccc65977de46c6d46ea9c09a5bb500333c02be7d
Opcode Fuzzy Hash: 76c93006f6efb691c3551e78115eaddf4651a57f00e74ef38b29d7512b04d13c
Instruction Fuzzy Hash: 2F11ECB5608301AFD350CF19DC81A57FBE8EB88660F04892EFD9997311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA0F8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea471db954357b0b20eeb5200ae906f04b2120e95de5930294990d11afc6d7b1
Instruction ID: b73c7565dba6a6b978eadf732e1648a05d011808440f3e4d332a65a3115562b6
Opcode Fuzzy Hash: ea471db954357b0b20eeb5200ae906f04b2120e95de5930294990d11afc6d7b1
Instruction Fuzzy Hash: 4601B1B1B08109CBCB14DA5AE850AFFBBF29B84714F14567EC416A7240EB72BE059BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7850, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781f04c930d7116dd4859fbd04cc2fa0afff29d7f3619b2104ba2eb54f216fed
Instruction ID: 80c9514f61e2c533fdca899e86ac8f0e979c5ff677dfe540afcff65ed4e521fd
Opcode Fuzzy Hash: 781f04c930d7116dd4859fbd04cc2fa0afff29d7f3619b2104ba2eb54f216fed
Instruction Fuzzy Hash: 8B01B132B04129CBDB188B56C850AFFBBB19B94314F10546EC11BA7280EB31BD03DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDA08, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3248185852eb033a45dafc0a9a9289735749566da547c98dc17b36b4e993e763
Instruction ID: 8821409737bf4e43918a3fa4e7256de6187271a45f686d15352faff792ea2a6a
Opcode Fuzzy Hash: 3248185852eb033a45dafc0a9a9289735749566da547c98dc17b36b4e993e763
Instruction Fuzzy Hash: 6401A7717002619FCB182BBA984967F7A9EFFC8664710843EE50AD7341DD719C0297A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0070, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626d54caba0211d47b5cf66ff6999ad204e85b8dd1948afc103392ebbe0a49b0
Instruction ID: 66ddc9da6e14646c39dab9077868c0724e3d9fb49153ecf6c3761650c65703e5
Opcode Fuzzy Hash: 626d54caba0211d47b5cf66ff6999ad204e85b8dd1948afc103392ebbe0a49b0
Instruction Fuzzy Hash: 09114FB0614396DFCB04FF75D59456D37E1FB90344F00892EA186CB358EB71AD00AB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA780, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60cb0c889adf078683e026f689050176db99b8c7d64ec9a8c8f0d9cfc50144d0
Instruction ID: 96122b1eb31c8b6d962c29376357824409e21a8ffd5c4799b99f0d256579c438
Opcode Fuzzy Hash: 60cb0c889adf078683e026f689050176db99b8c7d64ec9a8c8f0d9cfc50144d0
Instruction Fuzzy Hash: 00014F72A00219CFDB50EBB9A9497AEBBF4EB84324F10557AD518E3240EB3195058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9F2F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0b1acc47f98ce424509ab81648889990c32f74d6cb435b155c581603c93d5b
Instruction ID: d50398f49f046de1cebf3100a5da261a733d59d49b64b4beefa5239f6e10d2a3
Opcode Fuzzy Hash: bb0b1acc47f98ce424509ab81648889990c32f74d6cb435b155c581603c93d5b
Instruction Fuzzy Hash: 4BF046B03482104FCB4056BD48506FC3BE6BBC63303A4037AE10ADF2D2EE685C0697B2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE728A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f0071dce8b73a7d7a47b925d0d112e4518ed1a82b59ae22d3afb2f0e872318
Instruction ID: a14e24715cd0239e58daf8895ab1f8fd2f34e2caf960e4e70658119c0ae5fabf
Opcode Fuzzy Hash: b9f0071dce8b73a7d7a47b925d0d112e4518ed1a82b59ae22d3afb2f0e872318
Instruction Fuzzy Hash: 30F042B17481104BC705567D5C8067D3796BFC5330364466BF106DF3C7EE259C0253A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5A08, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f092583040af02a6923cb2e37b81c882866de104ec6857a4f43667990ad59d
Instruction ID: 08454850b7f2ea50ec647f786568d444810f9e0b0d27ad71add66fe026889c2d
Opcode Fuzzy Hash: f8f092583040af02a6923cb2e37b81c882866de104ec6857a4f43667990ad59d
Instruction Fuzzy Hash: F1F0A472F051489FCF50EBFA98851FEBBF4AB86268B20556ED10ED7201FA3191019B91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE67C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c64104a1a9ae2ad2f6186124507522a867809351a1efc7d247f91123aac21f
Instruction ID: b96e84ebc7f68edfb45c82c60378f6a4b2f239d1090a528104778c17749ffa20
Opcode Fuzzy Hash: c0c64104a1a9ae2ad2f6186124507522a867809351a1efc7d247f91123aac21f
Instruction Fuzzy Hash: AF014BB2E001199FDB50EBBAE9407AEBBF4EB84714F50417AD508E3281EB30A9458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA770, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0026155a4833eeefe048ba650e5ef4ca5fc18ccb4f2734d82de5b29b3f0acb1d
Instruction ID: 93727af8aeb54807acef0b071497ff7cbc0329ee0a23cd3089f65cc1ae686ea2
Opcode Fuzzy Hash: 0026155a4833eeefe048ba650e5ef4ca5fc18ccb4f2734d82de5b29b3f0acb1d
Instruction Fuzzy Hash: 3B01BC71A00209CFDB40EFB9D9497AA7BF0FF04314F20546AC504E7284EB30A901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA8F0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e18d703e93fcfee0a613e7e5d88c288ef1523ed883cd1aea641b0d78dc0a4c
Instruction ID: 33b97c413d91fbe443251673c98a2179e80f0fca00d870036a0049d27b9a0f0a
Opcode Fuzzy Hash: 86e18d703e93fcfee0a613e7e5d88c288ef1523ed883cd1aea641b0d78dc0a4c
Instruction Fuzzy Hash: 52012431304640CFC700A778E40A8697FB6AF85310B0940BEE207CB396EF31AC019751

Uniqueness

Uniqueness Score: -1.00%

Function 04EE67B9, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4537332eea5508fd4c8da5d8df66b80243d7e5e5b935db8bb7934c77e2102bd
Instruction ID: c2292fa4e1b7d3b94f7e38f2ba0a4de19da533f9f145f947e8773ff6426886ae
Opcode Fuzzy Hash: f4537332eea5508fd4c8da5d8df66b80243d7e5e5b935db8bb7934c77e2102bd
Instruction Fuzzy Hash: FF01B8B2E002188FDB10EB79E992BAEBFF4FB64300F50016AD108E7285E7709941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02A505CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.502344949.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b501804396f3a26685074fa09ccab0e952c2da8fb89e1041a14e34bbc139a7e2
Instruction ID: 9930c073e013a86f4b11ceb667be4a5a619b6938ff222b07d7a8a7be3ace4656
Opcode Fuzzy Hash: b501804396f3a26685074fa09ccab0e952c2da8fb89e1041a14e34bbc139a7e2
Instruction Fuzzy Hash: 180186B65097806FD7128F16DC45863FFB8EF86620749C4AFEC498B612D225A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4710, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244dc31b96adc4683de83483b3d28fac84197845d0517bbc4e5bbb618e05cd7f
Instruction ID: 1ccb77980e86852a96f4fdafbd27bd3c6516a6cc47d3e682c511508a9ed65067
Opcode Fuzzy Hash: 244dc31b96adc4683de83483b3d28fac84197845d0517bbc4e5bbb618e05cd7f
Instruction Fuzzy Hash: C7F02B323002504BC62566BAA4103BD32CA9BC5A55F54007ED206C77C0ED65A84263E1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780d39a92f3a6473030aee7899c8201026436cd929e529227de143886212c816
Instruction ID: 377f40778495d9d0a734dbfb944be7201054f9d2fac1c9f65ada0c099782d647
Opcode Fuzzy Hash: 780d39a92f3a6473030aee7899c8201026436cd929e529227de143886212c816
Instruction Fuzzy Hash: 03014431304110CFC704AB2DD5589BDB7EABFC9740B2440AAE506CB776DF75AC49A782

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEF78, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cc019b9d201f01a2e212c07b806c2ce58ba774ef01c633f9fd51ca948904b5
Instruction ID: da2ce3e6052254f56527ab14e743afc0d5b3680c33a9cf1e32128c86ff4c9450
Opcode Fuzzy Hash: 17cc019b9d201f01a2e212c07b806c2ce58ba774ef01c633f9fd51ca948904b5
Instruction Fuzzy Hash: 28F0F676B4E1D45FCB02D7795C124EDBF64DE8226031849EFD485CB293C921480AC392

Uniqueness

Uniqueness Score: -1.00%

Function 04EE61F8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea201b789a4b23b86323a194e3c58340132f9f6c6cf7c3053c0e5844c3ae4173
Instruction ID: 7e4485f84cbfc5e8758d1f95f4641c9e4e27c647b1a0df2fb1393670cb143932
Opcode Fuzzy Hash: ea201b789a4b23b86323a194e3c58340132f9f6c6cf7c3053c0e5844c3ae4173
Instruction Fuzzy Hash: E9F0F631F145449FCB608779A8006FE7BF5AB99358F5045AAC94AE3252FA216A098BC2

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA6E9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6353b0b2e8114d6e2ff9761bb94a57d4a1e3d45dfdb2765aeaf522bdbe2997e7
Instruction ID: 53dadbc47f63aeee4f7c6b7609ba44fb13760171cc54812d182b3f0f28c85929
Opcode Fuzzy Hash: 6353b0b2e8114d6e2ff9761bb94a57d4a1e3d45dfdb2765aeaf522bdbe2997e7
Instruction Fuzzy Hash: B4F0F431F00259DBCF04EB75D982A9EB331FFC4344F214529E2019F248DB70AD0097A4

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7298, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04098850af119f28df9d3cf638a0a919bf00712869eea2fcf61ba495dbb4c9e2
Instruction ID: 427ed039c69b981b11197d6222eee710ef136a59a061162e0277b0f5a7c2acff
Opcode Fuzzy Hash: 04098850af119f28df9d3cf638a0a919bf00712869eea2fcf61ba495dbb4c9e2
Instruction Fuzzy Hash: 01F0E9B174811053C74466AE5C80A7E6A8AFBC9370764472AB51AEF3C6EE616C0253A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9F40, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179f9792f56afdb78ade588794bad60471ab6cab4c94b1f6f269dc2fef30fe00
Instruction ID: 1f5085fcc5be5f40e69d317df136d15446de2040222878b71363a526484ca4ad
Opcode Fuzzy Hash: 179f9792f56afdb78ade588794bad60471ab6cab4c94b1f6f269dc2fef30fe00
Instruction Fuzzy Hash: 53F0E9B174811057C744666E5C409BD7ACBBBC53707A4423AB516DF3C6EE656C0193A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5DF0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfb67bb1b786ebe4ba380f45e73d687294f9241df929f9470172cf2cdd0c95e
Instruction ID: c43529b7386936df09c114206b5c4ceb0d25d7366c8790c7ad2f050ca72cb74a
Opcode Fuzzy Hash: 2bfb67bb1b786ebe4ba380f45e73d687294f9241df929f9470172cf2cdd0c95e
Instruction Fuzzy Hash: 30F05931B040149BCB10577AA8111FEBBA6DB85758F1000B9CD0AE3250F6316E16C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE58B9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2612b6b76c6f6c1e5d7696da6a5930faaff81c1deb489a8081555539a8c7bf
Instruction ID: 3a02486b0b704d1380062771f0f847321684ab5c6a83b0ca67414ca86603e28b
Opcode Fuzzy Hash: cb2612b6b76c6f6c1e5d7696da6a5930faaff81c1deb489a8081555539a8c7bf
Instruction Fuzzy Hash: E0F09072E042558FCB80EBBD98455AFBFF5AB88220B15416FD109E3351EB705A128BD6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6208, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12433ccc30d038426870c039f65872e3270f3c876378d53d7740649c8a6e95da
Instruction ID: aef0f48ead7a1e689ec973ee984e9eca8107dd2c84c77daa2ce0e4ed008f0601
Opcode Fuzzy Hash: 12433ccc30d038426870c039f65872e3270f3c876378d53d7740649c8a6e95da
Instruction Fuzzy Hash: C4F0E931B045559BCB10927BA8006FF7BA697D9654F801076C90BD3382FE207A0692D7

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE6F8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444d10bd0ec57ff8fb7b447c29df80f4e3cc064b883cc9cfef56ca33edbbcbc1
Instruction ID: 2e614ccf339c04701a3a5f0c173859bd1e53b51c0b2650b651466aabbb763a7c
Opcode Fuzzy Hash: 444d10bd0ec57ff8fb7b447c29df80f4e3cc064b883cc9cfef56ca33edbbcbc1
Instruction Fuzzy Hash: C5F0E2A2A0D3D1ABE73605AE58483F56FC44F76314F0964BBD9CADB183F46818459362

Uniqueness

Uniqueness Score: -1.00%

Function 04EE81D0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e51c7af96df92457049199dd0d93c084a9e0bea604d74b119c90c8bc3c7048
Instruction ID: 863b07532640acfccb0efc459529c8e1ea2542169e546d9bcabba2e7b78da647
Opcode Fuzzy Hash: 54e51c7af96df92457049199dd0d93c084a9e0bea604d74b119c90c8bc3c7048
Instruction Fuzzy Hash: 9FF09630B09645CFC701EB7A98458FBFFF1FF49210B1446ABD062D7163E27168059B55

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC598, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812affc667eb4d164514d4186d503f9a362cbbfd8f0054d103ff7b75acb9b536
Instruction ID: 9b4dc429d5119958242a1c28e40491da22a004d13e049e38864328e09cc18978
Opcode Fuzzy Hash: 812affc667eb4d164514d4186d503f9a362cbbfd8f0054d103ff7b75acb9b536
Instruction Fuzzy Hash: 0EF0277270D1912F835A23B9583027F3FAECBC592032956ABE585D7742DD117C0283EA

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9298, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e845168a3d20252f56c755f1e9e4876d09afe74431d1a355574fe05084b192ea
Instruction ID: 24d24ee73b7d9eb77559c3eafe8e30aca52f7c938adde0f2b29d4bf234b06c02
Opcode Fuzzy Hash: e845168a3d20252f56c755f1e9e4876d09afe74431d1a355574fe05084b192ea
Instruction Fuzzy Hash: 5DF0F074F00206DFDF049BB8D4582AEBBF1EF85214B508976D904DB26AEB30A805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE61B1, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f07d22652b5826215b4cf25683417546a4b1cf2543b37c5276fd8d826e4242
Instruction ID: 24fdb8f9f7b6ea685927258e7e3ac92e645b8292f657971ccea0ba9136a0ff6a
Opcode Fuzzy Hash: 52f07d22652b5826215b4cf25683417546a4b1cf2543b37c5276fd8d826e4242
Instruction Fuzzy Hash: 18F02732B4C056CBCB0162B978807FC7B80DB64356B900267DA0EC3103D7A368054342

Uniqueness

Uniqueness Score: -1.00%

Function 04EE9EC1, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6df18c484d3869e5505160cc8fd1edb4197e9f046516d1a514bf56835d126c
Instruction ID: b406420b347c25598b0656aa5904a47a896918d026f47059e29368d376a4f815
Opcode Fuzzy Hash: da6df18c484d3869e5505160cc8fd1edb4197e9f046516d1a514bf56835d126c
Instruction Fuzzy Hash: 76F0C27120C2808FC7159378A4550BD3FF19BC621430D88AFE18ACB352DE2968069712

Uniqueness

Uniqueness Score: -1.00%

Function 04EE45B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17906633de7298c65fcad3010293f7eacb31eedeb335473e9cd1533d15971334
Instruction ID: dde61ba7c3875ad2c6a091e441b2cf83fcdfd77dff8cd9b84b5c711dec3dfd8d
Opcode Fuzzy Hash: 17906633de7298c65fcad3010293f7eacb31eedeb335473e9cd1533d15971334
Instruction Fuzzy Hash: 48F0B431E443599FC711CB799C41AAABFF8AF85210F1541AED508D7152E23055148761

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf850f2b9e0c525f82bb06c7ea775de41b67375afa12104d2aeef01c88ec0c
Instruction ID: 8f924a1273c8bb92e1b1134d16c4f7e88148b7a33abaf0958199378f1e0de88c
Opcode Fuzzy Hash: 39bf850f2b9e0c525f82bb06c7ea775de41b67375afa12104d2aeef01c88ec0c
Instruction Fuzzy Hash: 5BE0E532B15278DADB105EFAAC405FFBBA9D7C5660F0055779F0BA3200E9F168056291

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE679, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4734686b42bf3a77fb3e63a3afb9621e4683f7014768612dc9750c2ee5946ad4
Instruction ID: d72996d5c0dfb392f8cbeea90d7cf0230df7e689ff02d62ef5b024d4ed97ea38
Opcode Fuzzy Hash: 4734686b42bf3a77fb3e63a3afb9621e4683f7014768612dc9750c2ee5946ad4
Instruction Fuzzy Hash: 44F0E5312092914FC722DBBD84315AD7FB1CFC72143199CAFC5CACB382EE22A8069391

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee003c1068df74ec049f081e4bc8541b752896e2a03b33371b25ac684dfa9ce
Instruction ID: 764e6ab00ca41a285ddc37d5515e6b56be2b3bb3265ebad1f57b992623bfd77d
Opcode Fuzzy Hash: 1ee003c1068df74ec049f081e4bc8541b752896e2a03b33371b25ac684dfa9ce
Instruction Fuzzy Hash: ECF02B323092809FC712A676A8107F53BA48FC7754F1504BFD001CB6D1E662B80257A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDE47, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8697881e7e55479b5e73336e4664935f35ad67955b5fe19999ed00dc1d26f562
Instruction ID: fafa37a1b5dbf43d0995c827d9626bca8b69a3307a697d97cd1500af4bd2451d
Opcode Fuzzy Hash: 8697881e7e55479b5e73336e4664935f35ad67955b5fe19999ed00dc1d26f562
Instruction Fuzzy Hash: 9DF0EC716046C14FC722DB2998649ED7FB6CFD132031848AFC48BCB392EE26AC059391

Uniqueness

Uniqueness Score: -1.00%

Function 02A50938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.502344949.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 76d06214c9aa134f9d92e016d315056392cb55eb0e903c0ee08028c9718c2fd0
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: 1BF01D35104645DFC706CF40D980B16FBA2EB89718F24C6ADED490B752C737D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC8CE, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306e80429258016cac45cb03add5217b0e2d26e5a307b8d0cbd5433cce2d885b
Instruction ID: e4e63f22397d0019813c43318d52e3657751fe87545cfec4d28cf3c7af6ee166
Opcode Fuzzy Hash: 306e80429258016cac45cb03add5217b0e2d26e5a307b8d0cbd5433cce2d885b
Instruction Fuzzy Hash: 63E022327081509FCB019B6D80211FCBB969FCA11132B10ABD646DB261EA22BC06E3B2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8470, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d9bce794512849c684ab19c847b3478bd4fcca4f84341373d3c250e762af0d
Instruction ID: 48aef850b8130d979db8bb192644ea5c958d55a9cae5b3a71f4cd997cc312bf3
Opcode Fuzzy Hash: c2d9bce794512849c684ab19c847b3478bd4fcca4f84341373d3c250e762af0d
Instruction Fuzzy Hash: E3F0E53BF055218BC7956BB8A9142753FF6F74C3A2325416AE94BE3348DE348C118BD2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE70E7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314614af0896d74fd6c6abc05a75599b41b05820ae60cbdd70910af0be457ea5
Instruction ID: 14b22c2496d5aea34e27d8119d9a77e0df17e39d8fada0fdf164c071e81ee119
Opcode Fuzzy Hash: 314614af0896d74fd6c6abc05a75599b41b05820ae60cbdd70910af0be457ea5
Instruction Fuzzy Hash: 7BF0ED307050820BDB08BBBAE8643BD7296AFC0A08F805178C606DF381EF601C028B83

Uniqueness

Uniqueness Score: -1.00%

Function 04EEAEB0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6fec05f5c2af837a3cabdff61db8e3b2f43bc2bf4737cb7ceecf095cdd2a8a
Instruction ID: b177576d6bf56a4b660cb60e479ad09f2f92661141a86cc06bbb7a51aee48168
Opcode Fuzzy Hash: bf6fec05f5c2af837a3cabdff61db8e3b2f43bc2bf4737cb7ceecf095cdd2a8a
Instruction Fuzzy Hash: 50F0E5729097508FC325DF6B9800002FFF9FEC26103198AAFD0D487552D7B16D088BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.502344949.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a988b82347c790421264c763132abb70399eed0a95994640e491ad343650ef23
Instruction ID: 93d38d076aa38511738fe8f1308f3c1d2a52992c30e74ca14da21b1b26aed5d4
Opcode Fuzzy Hash: a988b82347c790421264c763132abb70399eed0a95994640e491ad343650ef23
Instruction Fuzzy Hash: 5BE06DB6A406004B9650CF0AEC82462F7E8EB88630718C47BDC0D8B701D175B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA831, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da33dbaf3e258a24b6374d3e5d267e3c35b9ada921a7b1002bbfd5a458a1cb60
Instruction ID: d1661444d509ba00b855a8e0e2b734add44cfbf863c201f41a3dec56f4b176e7
Opcode Fuzzy Hash: da33dbaf3e258a24b6374d3e5d267e3c35b9ada921a7b1002bbfd5a458a1cb60
Instruction Fuzzy Hash: ACE06836B081808FC74177F9E9280BD3FE25F5A20131408EFD01ACB361ED329C029B21

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE688, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3848811b8adb4705182f9e463d8b9cbb3a0156c495d413abd6968e7e186074
Instruction ID: 11f6d715b8bb34eaf1626fd2ae8d35a21fb8af850a6cf1725b9b096d4b82116b
Opcode Fuzzy Hash: aa3848811b8adb4705182f9e463d8b9cbb3a0156c495d413abd6968e7e186074
Instruction Fuzzy Hash: 68E0DF313005018B8724DA6EC4208AE7BA9CBC16603108C3ED50A8B340EE63FC025790

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDE58, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7f077c93ea7ce816edfaa65ed8afc392bdf12595c1791cd4ebcfca07cc8cc5
Instruction ID: 9744cf3bbeb061c12afb582d42dc11226c0918f38d9a1ed31340bfe7b362d222
Opcode Fuzzy Hash: bc7f077c93ea7ce816edfaa65ed8afc392bdf12595c1791cd4ebcfca07cc8cc5
Instruction Fuzzy Hash: DAE0DF327005014B8725D65EC820CAE7799CBD5760304886ED50A8B350EE62FC0257D0

Uniqueness

Uniqueness Score: -1.00%

Function 04EEBB18, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: b7dd1f25544d90231d51af4ec2dcff5e01d20cab3e60dd27603ccd4bfe51d5a3
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: 7DF09236200B009F8334DE5AE944C63F7FAEF897203118A6EE59A87A14D670F9048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEAF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.500790343.0000000000CE2000.00000040.00000001.sdmp, Offset: 00CE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d9be0e9d7b696470c90aa89af1b0d9da55bc31614dd74109fc70bfa2028026
Instruction ID: 2894eb80ea3e578197a474b1a66d01b339c16b16167eac3e01609168b0b846bd
Opcode Fuzzy Hash: e9d9be0e9d7b696470c90aa89af1b0d9da55bc31614dd74109fc70bfa2028026
Instruction Fuzzy Hash: 64E0D8B2A4120467D2208E0ADC86B22FB58EB44A30F04C567ED0C1F302D171F514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 04EEAE68, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61616566cd93df09f141344c6c788f91adab434258892171821ee49509f0f5d
Instruction ID: aadf96ac73c1357d6e6268e102c32ed9a4395fde0a608a36d0b4689f34a54812
Opcode Fuzzy Hash: e61616566cd93df09f141344c6c788f91adab434258892171821ee49509f0f5d
Instruction Fuzzy Hash: 96E0C930600B40CFCB758E1AD1806A2B7E6FB49351BA46C7EE047C6A20EA71F8C08B40

Uniqueness

Uniqueness Score: -1.00%

Function 04EEC8E0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110787dc5e0dbb607f1d04efabb6c70f5e0425aad32327720081d9f4a8ccccd3
Instruction ID: 03b450b1914173ee0b5dd2212142feceed9b57a3cf704ef4317b7b32cb2c7386
Opcode Fuzzy Hash: 110787dc5e0dbb607f1d04efabb6c70f5e0425aad32327720081d9f4a8ccccd3
Instruction Fuzzy Hash: CFE02B313041149BCA14275F90214FEB28E9BCC5A1725206FE60BC7310EE42BC02F3B6

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDE98, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ae7061e2bcbc954f5b8f0899830c04c91d974c8e1c0ec839f080f135256034
Instruction ID: 8f9f1c4779800c879d5a6da3aca4623efbeb09cf948bbe7d93ab2891a34b0b9f
Opcode Fuzzy Hash: 48ae7061e2bcbc954f5b8f0899830c04c91d974c8e1c0ec839f080f135256034
Instruction Fuzzy Hash: C1E0DF31A0E3C2CEC7320731492C8F6BFB16B2A11271928AFE0C786162F6247845E312

Uniqueness

Uniqueness Score: -1.00%

Function 04EEA081, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae643708d1e02b4e15ec2b5bba17ad7905dcb04f9171eb7108453f06b18dae68
Instruction ID: de96016b9f9f8a0530f09f98b7852652797f7ec54a9f6e805dbbca6d53ed6659
Opcode Fuzzy Hash: ae643708d1e02b4e15ec2b5bba17ad7905dcb04f9171eb7108453f06b18dae68
Instruction Fuzzy Hash: 0AE09A3014A390CFE3624A7292146F13FE06B46324B0515BEC0864A952E2A9A88AE7A3

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE6C9, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07263e1ae5e7c5000885cee074010ebe82b33f34966a16a3aba2c9a92283d1a
Instruction ID: 9c559255655b2705d00b3d5afe67a02433039e7b70de352c09e0a5bf42c16649
Opcode Fuzzy Hash: b07263e1ae5e7c5000885cee074010ebe82b33f34966a16a3aba2c9a92283d1a
Instruction Fuzzy Hash: C5E0863020E7D2CFC32A8B6E54604F57F716E032093181E9FE0C7C6993E6256C45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d33c08986ef583ea74b56788cbc7d725ce50fd246366f733779208e748ed804
Instruction ID: b71f26125df2fc3460baed10bce41e00765c571c64387c4d9350e8564d5cb0ae
Opcode Fuzzy Hash: 6d33c08986ef583ea74b56788cbc7d725ce50fd246366f733779208e748ed804
Instruction Fuzzy Hash: 24E08C3021D680CFC352DB24D8928957BF1AF463003449C8EE0828B862C2B0BC058B11

Uniqueness

Uniqueness Score: -1.00%

Function 04EE61B8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575e7a35c846b4b1c1594ba4ead869916e087e74a17921cd227853465a87afa0
Instruction ID: af84aef0e9aedf1a66f7a44daef54ad7c917c7e4725c22a2857b22d6cdf25116
Opcode Fuzzy Hash: 575e7a35c846b4b1c1594ba4ead869916e087e74a17921cd227853465a87afa0
Instruction Fuzzy Hash: F0D02B3130C469C7D60133FA68407FD3A8C8750351F851226EE0FD6243EE87AC401397

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6fef4df4831440cb104f9ef6411e0043141b45431829afef13201ac36eaf71
Instruction ID: fe78ea5ad9975f36280effe40d7ff905275f0b194efdf8570c8bb91110c5b728
Opcode Fuzzy Hash: 5d6fef4df4831440cb104f9ef6411e0043141b45431829afef13201ac36eaf71
Instruction Fuzzy Hash: 6FE0123015D3C09EC7524B659815BB43F789F1B215F1895D7D38A9D4E2D162A1059B13

Uniqueness

Uniqueness Score: -1.00%

Function 04EEDEA8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772d57a0a38bbb7a06c898f79f4949e77baf5b2448fecfcd013291e44a9f02f7
Instruction ID: bac09dcfc191e7cbcc3a4284f70053dd302dfa6d5a6765bf17aba02e3b7c37b2
Opcode Fuzzy Hash: 772d57a0a38bbb7a06c898f79f4949e77baf5b2448fecfcd013291e44a9f02f7
Instruction Fuzzy Hash: 1ED05E31B08626DBC73416679C0CDF2F3ADAB29612B14782FF54B86520FA72B841A791

Uniqueness

Uniqueness Score: -1.00%

Function 04EE064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae90e5a3a299c9b9574191ec3548fed0e3a76a1ddab41509bb14bc62abed1534
Instruction ID: 05d2fc083fe2c42dd0e2ccfa21d3b5cb8dfe468685e51088041d9eec33e5a0c5
Opcode Fuzzy Hash: ae90e5a3a299c9b9574191ec3548fed0e3a76a1ddab41509bb14bc62abed1534
Instruction Fuzzy Hash: ADD095F244D390CFC70107701C171F83F10DF7314170549B6C40151C31E0B525179B11

Uniqueness

Uniqueness Score: -1.00%

Function 04EE73C0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cbffc185975a32d655703ab27347247db35896572f48f636ad472639f6ec11
Instruction ID: 8b1d67bd441c63d649a050cf23de0ed8f686ae6c4a233d61b9a2c23edbd3f426
Opcode Fuzzy Hash: 32cbffc185975a32d655703ab27347247db35896572f48f636ad472639f6ec11
Instruction Fuzzy Hash: 3AD0C2302083508BC3B546A7E400AF6BA989B11748F04187FD9430594097A1F084E3A3

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEF88, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae670f422ba5f640138f179412cd25e0d1acc68ccfc2ed7053bea172394e94c
Instruction ID: 518a1df8fb2f2ed4b77c301b24b812be8ede219ddd9f1c009b69927166b32e5f
Opcode Fuzzy Hash: 1ae670f422ba5f640138f179412cd25e0d1acc68ccfc2ed7053bea172394e94c
Instruction Fuzzy Hash: 24D0A7753401286B6A04E5AD881187E778EDBC5760304886EB90ADB341CE72AC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 04EE59DE, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acef9b0894881551a215bdc1b46e912d0455dd3a0d86bbc0ce2bc39ee5db78d
Instruction ID: 9c4c6b3d1607b00d3aae2c6d64b21f43a39d0a7b1ea8915666e07de770daae8e
Opcode Fuzzy Hash: 2acef9b0894881551a215bdc1b46e912d0455dd3a0d86bbc0ce2bc39ee5db78d
Instruction Fuzzy Hash: 90D0222272A0942FCF1472FB10A20FE0ACA0BC453A300A67EE00B87741EC851C022781

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8320, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be5afc6d625a08d0d0d7593325e126a1e35a778333693fce1f8d85fff97f602
Instruction ID: 1e96bc00c3689d9b59efb867c7c9104c4597d382f4d441d63ffc97421d18ccd3
Opcode Fuzzy Hash: 3be5afc6d625a08d0d0d7593325e126a1e35a778333693fce1f8d85fff97f602
Instruction Fuzzy Hash: EAE02B7142818ECBCF02EBBC9D849FC7F74FF42304B0C0465E4499610EE72145548BC2

Uniqueness

Uniqueness Score: -1.00%

Function 04EED020, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a232b1428cacc5891bbf132f6d1b8e432a04525cc54754cea1ab4c7a932d4e
Instruction ID: 9b8bb2d37d630eee107824ca08c434b98ef752c61015d95e4944c4551b253b0d
Opcode Fuzzy Hash: c1a232b1428cacc5891bbf132f6d1b8e432a04525cc54754cea1ab4c7a932d4e
Instruction Fuzzy Hash: 29D0C93031E20BCEC7554A57BC08FBA77A7D780665F0CB056900B47262F628BD43AA43

Uniqueness

Uniqueness Score: -1.00%

Function 04EE82FF, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1506bb73ecaa20419200628991038131f5d8af61cfb8326e4792796de47b3687
Instruction ID: 0d7f7980e09ac4675e28fa0cecf14be0e907699e94b347daaa2adf6fb9188c73
Opcode Fuzzy Hash: 1506bb73ecaa20419200628991038131f5d8af61cfb8326e4792796de47b3687
Instruction Fuzzy Hash: 50E0E23221061ACBCB00FF29E6808FC3B70FB40708B14A506E4218B61CE771B9099B42

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEFC0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b23160ba44745eac5e0bfad2d7451aef441f6cf93b2c6ace190909b5ad0bcda
Instruction ID: d8f3fa544fb80b5b9f9489f1cc676e4ea7f248644e781535ab7a714c5a004040
Opcode Fuzzy Hash: 5b23160ba44745eac5e0bfad2d7451aef441f6cf93b2c6ace190909b5ad0bcda
Instruction Fuzzy Hash: 6AD0C92454EBC94FC7437B741C782A97F784D5301875914CBD8C8CA2A3EC9815489762

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6D30, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 8e5b66f157b019b6e4e20b5b3984b5ba81cd67f3470533eb74df7432b24a3aee
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 6AD0673AA00004CFC704DB88D5949DDF7F1EB98329F68C1A6D915AB251C732ED56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EEE6D8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5041c160984c6b63259dd024a6c48dad1f4f1b1e4443ac4330ec8b3960c690
Instruction ID: 9b08317179df1be064099b151cd6f32962d69996c0714f9c1fab81cc2db6bb31
Opcode Fuzzy Hash: ab5041c160984c6b63259dd024a6c48dad1f4f1b1e4443ac4330ec8b3960c690
Instruction Fuzzy Hash: C1D0C931219A26DBC6285E9ED4044F27769AB4666A3405D6EE00B47A60EB62BD40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEA58, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: 8992c20b9cfd67508d8db0c263b7f96bb4bba667f3441dcd87d18f9e4aee52ff
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: E4C02230A00214C34B20626A68000F8765C8B01029B0000B9D84946100F621A82882CA

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6A28, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0315db1470801f57ea6f019653b25ea01f0eccfa9cb1f64705ab68b9b49b2e
Instruction ID: 533062a61aebb25fc471c3f8b9f8a870d42ec6026e07e04f73d6541be5419a69
Opcode Fuzzy Hash: cb0315db1470801f57ea6f019653b25ea01f0eccfa9cb1f64705ab68b9b49b2e
Instruction Fuzzy Hash: E5D01236650548CBC7256F75F2044FC3B35FB81356B84507EF90A98316EB369962DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04EE7B36, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda4dc8dec043b3d16fbf9c6195c529f98419ba8f3ef87af199ca69228eedbfb
Instruction ID: 5931a7a0b57c68b3a35d847b4a42b29248c61543c794c6a9f0368c4e23233583
Opcode Fuzzy Hash: bda4dc8dec043b3d16fbf9c6195c529f98419ba8f3ef87af199ca69228eedbfb
Instruction Fuzzy Hash: 81D05231A10A1ACFCB11CFB6DE501ED37F1EB09220B20032AD8029B381F7302C008B10

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eeb17743ec3c87c3891da73046d73238adc4827483fc6150cb29cbffcd1aafd
Instruction ID: dcf6e48d669687318178a7030e4f149d7030785c03c1ca7e536102ece1085e1d
Opcode Fuzzy Hash: 7eeb17743ec3c87c3891da73046d73238adc4827483fc6150cb29cbffcd1aafd
Instruction Fuzzy Hash: 13D01231211344CFCB082B70E45951C336AAB44245300087CE8078B750DF3AE840CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5958, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2503f92b5ed9eeb5ee12f4fc60cf94dbb7f7724b3519ad76a9f12aa2c8c626b5
Instruction ID: 7f50cfc623f22ae8ca683d477f0a28ef3f903077fda59e5f5632634ffc8cf349
Opcode Fuzzy Hash: 2503f92b5ed9eeb5ee12f4fc60cf94dbb7f7724b3519ad76a9f12aa2c8c626b5
Instruction Fuzzy Hash: C4C08C302043058F8E002BF228893BD37484B40018B80021AA70E9D020EF26A8005651

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5DD0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abd3e26fe18f8010eef66dea2e24a11ecd0b0484d9dbbf6ffc0992d2e0db70f
Instruction ID: 24af67850a776aa14876ee770a2e1b22b2246e195bed64000f9a112ea8d9f216
Opcode Fuzzy Hash: 8abd3e26fe18f8010eef66dea2e24a11ecd0b0484d9dbbf6ffc0992d2e0db70f
Instruction Fuzzy Hash: 00C08C2808D2C0CFCB038734A891C003FB06C031053A808CBC880CAA22D0096848C322

Uniqueness

Uniqueness Score: -1.00%

Function 04EE5951, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a58fe2a4b311ab76cc0c7cdaedeb6504baf21f630dbe46a330e2935bcea2826
Instruction ID: b33f917dab0f51949d62b3150b0435566e71c1413b53eec9cf1de5f2e7742476
Opcode Fuzzy Hash: 5a58fe2a4b311ab76cc0c7cdaedeb6504baf21f630dbe46a330e2935bcea2826
Instruction Fuzzy Hash: 6DC09B30544505568A005BF2A4D477C37545B0056C7082557D71E9D531F7B2A445D751

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd174b98eacef620f0d44f55858fb091f43e488dbc244f04ba6de694145c8b5
Instruction ID: 86313dca3f2f74eb866063b5245a7d3e08f2271298ddf5f2c7bb1a73e73ffc8e
Opcode Fuzzy Hash: 7bd174b98eacef620f0d44f55858fb091f43e488dbc244f04ba6de694145c8b5
Instruction Fuzzy Hash: 87C02BB0149364CFC20417B23C0577D720857C0305300DC31D90220820A9B27451A931

Uniqueness

Uniqueness Score: -1.00%

Function 04EEAF1B, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8bfcd4378816a63cfb1ef1866249cdf2a756df224951d3b03fd9261e93684e
Instruction ID: 987c4597b73abc5a0a73a984d2c7f9a2613ada4238fff2f9407f0a7145a2857e
Opcode Fuzzy Hash: 4f8bfcd4378816a63cfb1ef1866249cdf2a756df224951d3b03fd9261e93684e
Instruction Fuzzy Hash: 67B01233251615EBCF209BB4B0051C5BB54FB963E3700483FE208C40214B37401BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 04EED080, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d2bd531488f000a26b7305a278c3712b07a136e71f3fa3a5fd25638e164658
Instruction ID: 27af40accf430213126bcdd89b7dadd5c875e7e0b6419fcae921efd4ecc8dcb7
Opcode Fuzzy Hash: 12d2bd531488f000a26b7305a278c3712b07a136e71f3fa3a5fd25638e164658
Instruction Fuzzy Hash: C3B09B31108795D7C1406716ED85DB93B29B701100F401114F40145159A7613D015695

Uniqueness

Uniqueness Score: -1.00%

Function 04EE91C0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e757adff095309fdc29a435ebb0a39580fa3eb39657ac579ee95653d8b41287
Instruction ID: b99cf608fcca5494e0b46008d1915878ef81c264f094f05e189a3ee67c4a38f4
Opcode Fuzzy Hash: 4e757adff095309fdc29a435ebb0a39580fa3eb39657ac579ee95653d8b41287
Instruction Fuzzy Hash: 16B012303146080B17509EB2280AA2237CC570090A7410824A84DC2001FA05E0000140

Uniqueness

Uniqueness Score: -1.00%

Function 04EE6D54, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 708599ff5d7f2ac356bba4e5e6d2cf929edc185c26542c9e13c61fa5a4507e7e
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 8BB092B7A04018C9DB009A85B4413EDF720E7A0229F504023C31056000D23211649692

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d970fddcc1351736f401b2bcc3f495704d9b41a646f328cb4709ad4067f806
Instruction ID: 5f7f1e284b525a82e4a938536c18d89cc9ff4c95af57215f140a6d0dbb9eb83e
Opcode Fuzzy Hash: 16d970fddcc1351736f401b2bcc3f495704d9b41a646f328cb4709ad4067f806
Instruction Fuzzy Hash: 84B012302042490B17505FB22C48BAA338C874040934420A0990CC4010F614E0902140

Uniqueness

Uniqueness Score: -1.00%

Function 04EEEFD0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.506646866.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bded595d55368fdf10e3da087a8fddfb9ac464edb9210a6a2343dfb6c37d7cfd
Instruction ID: af19b21fdc8f4d9eda551eb38f377643aac528a3365e9be515228e67e3e29713
Opcode Fuzzy Hash: bded595d55368fdf10e3da087a8fddfb9ac464edb9210a6a2343dfb6c37d7cfd
Instruction Fuzzy Hash: 59B0123094468C47CD8033F5680866D7B4C0A80104BC01011594D4B201FDA874040655

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: CONTRACT.exe PID: 4600 Parent PID: 904 CONTRACT.exeCOMMON

Executed Functions

Function 05779858, Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

EntryPoint, xrefs: 057799D2
Load, xrefs: 05779946
Invoke, xrefs: 05779AA5

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID: EntryPoint$Invoke$Load
API String ID: 0-1662677525
Opcode ID: 1fba07daedf98e7f59e454a2ccadcde9f3a676fcd54523c34c69249e94f37d7a
Instruction ID: 6c7a4a73158b4ad47f9f7d131166f13510d3801bd9e19ef6843d4aabc35e65ec
Opcode Fuzzy Hash: 1fba07daedf98e7f59e454a2ccadcde9f3a676fcd54523c34c69249e94f37d7a
Instruction Fuzzy Hash: 7991B074E002189FDB18DFA9D884A9EBBF2FF88300F25C06AD558AB354DB719945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05C31997, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05C31A17

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: dc875a3033795fa1836bfa5505e3d6b37524457b4b4c63fdb7c3d02e1e993066
Instruction ID: 2dd4a8a9d9d75af614aa7e474f0609ed05f8e374d86e61c1163eb67d76d2bdf8
Opcode Fuzzy Hash: dc875a3033795fa1836bfa5505e3d6b37524457b4b4c63fdb7c3d02e1e993066
Instruction Fuzzy Hash: CA21A1755097849FDB128F25DC45B92BFB8EF06310F0C85EAE9858F163D270A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C319CE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05C31A17

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 91189ae5fbf68966919b3622aaa960460ea905cf7c9805ab730f4c536c637f74
Instruction ID: f29fccd4732a25d8158abe5262e7584d4b8492636b0acefbc570d429adbd4a09
Opcode Fuzzy Hash: 91189ae5fbf68966919b3622aaa960460ea905cf7c9805ab730f4c536c637f74
Instruction Fuzzy Hash: FA1170755047449FDB20CF65D885B66FBE8FF04321F08C86AED8A8B652D371E518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 071F41D1, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

C8{, xrefs: 071F4291

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: C8{
API String ID: 0-2311792288
Opcode ID: c39dc56641b98cdc3cfbd57bbf3b9f227d33012755cfe32b419cd8d6f8e4cabe
Instruction ID: 6a25d07319b50494abd6c3eb8839c06e544e5988f4f466dfe04643acef504916
Opcode Fuzzy Hash: c39dc56641b98cdc3cfbd57bbf3b9f227d33012755cfe32b419cd8d6f8e4cabe
Instruction Fuzzy Hash: 457166B4C15289EFCB08CFA4E580AEEBFF0EB4A350F11942AE551BB290D7349545CF15

Uniqueness

Uniqueness Score: -1.00%

Function 071F41E0, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

C8{, xrefs: 071F4291

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: C8{
API String ID: 0-2311792288
Opcode ID: f39341058779e6c4ce20f90c60a7fb022c952e672045179ef38d942e3aacb843
Instruction ID: a80f9296efd078019e6083566515c53977fc2fe9057d8ac3c247b08c474ed719
Opcode Fuzzy Hash: f39341058779e6c4ce20f90c60a7fb022c952e672045179ef38d942e3aacb843
Instruction Fuzzy Hash: 977177B4C15299EECB08CFE5E580AEEFBB4FB4A350F11A42AE511B7290E73486418F14

Uniqueness

Uniqueness Score: -1.00%

Function 071F3600, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

pK/, xrefs: 071F374B

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: pK/
API String ID: 0-430018697
Opcode ID: f6962b8274c66ee354439ef41895315297c98b599e59869d3fa62c8d40666915
Instruction ID: 5ce53c195d18ba6f766a84b1badde7456b005fae69a657c7c23c9a4adadc8666
Opcode Fuzzy Hash: f6962b8274c66ee354439ef41895315297c98b599e59869d3fa62c8d40666915
Instruction Fuzzy Hash: DC71EEB4D11209DFCB04DFE4D88459EBBB2FF89310F21906AD416AB398DB395A05CF55

Uniqueness

Uniqueness Score: -1.00%

Function 071F3610, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

pK/, xrefs: 071F374B

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: pK/
API String ID: 0-430018697
Opcode ID: 7cc08d1b453c5f57437e2ab49fcaba1328efde51df2bc5cb0fafa90549d3a60e
Instruction ID: 9a67134d28d91da9cb9801105c504163f594eed356401ec7ef13c39db6d3f363
Opcode Fuzzy Hash: 7cc08d1b453c5f57437e2ab49fcaba1328efde51df2bc5cb0fafa90549d3a60e
Instruction Fuzzy Hash: 2E71EFB4D11209DFCB04DFE4D9845AEBBB2FF89310F21906AD416AB398DB355A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05772720, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

Bnn, xrefs: 05772873

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID: Bnn
API String ID: 0-2056956163
Opcode ID: 28704575b49cdfca4cc5db0186cc4c4221439008ce8dc3527bcd60270105cb1b
Instruction ID: 66ff78a20863140b69eafd3ae4b81b69fbda4b4512184f9ac5e15b73ef960259
Opcode Fuzzy Hash: 28704575b49cdfca4cc5db0186cc4c4221439008ce8dc3527bcd60270105cb1b
Instruction Fuzzy Hash: D241B2B0E016188FEB18CFAAD9547CEBBF2BF89304F14C1AAD418AB254DB750A45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05772710, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

Bnn, xrefs: 05772873

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID: Bnn
API String ID: 0-2056956163
Opcode ID: 8d041c2a7c9bc8d4538a4a95b5a56bbdeb1a769539351e5303cd74db34742eee
Instruction ID: 1e5b3495462c3af1ecc95fa62c1d7d12645879d9d3aa6b561de4d49a5ccdf504
Opcode Fuzzy Hash: 8d041c2a7c9bc8d4538a4a95b5a56bbdeb1a769539351e5303cd74db34742eee
Instruction Fuzzy Hash: 1E41E5B0E016588FEB18CFA7C95478EBBF2BF89304F14C1AAC448AB254DB750A45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 057755B1, Relevance: .8, Instructions: 794COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829776e672c73796d1e52aeeec627792f437296d4d24ffcb6ca08f649ebc792b
Instruction ID: 1af650325e09954c6e595dfc3353419a15bdb96b537a123a5c8040745c4be6d4
Opcode Fuzzy Hash: 829776e672c73796d1e52aeeec627792f437296d4d24ffcb6ca08f649ebc792b
Instruction Fuzzy Hash: 124239B1A045CEAFEF20CF70B48499EFBB1FB12E90B5D9669C06196111E360A541BFCD

Uniqueness

Uniqueness Score: -1.00%

Function 071F0006, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf50a861b25f14a65a5fe390bb8d3437a3b269cf9bda75afc0976c07f2d4e3e
Instruction ID: 0f8520e036711ed87a8b2dcaa7bd2b604f62bf39ea2c7182a169fcc085fc1de0
Opcode Fuzzy Hash: 8cf50a861b25f14a65a5fe390bb8d3437a3b269cf9bda75afc0976c07f2d4e3e
Instruction Fuzzy Hash: 15E179B1915245CFCB14CFA8D68488CBFF1FB09304F1680AAE115EB2AAD7349E48DF55

Uniqueness

Uniqueness Score: -1.00%

Function 071F0070, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f4d16201a8361c37cf20a61d1c038280e4a206aaec1f3b2e8b6baf3a070ae3
Instruction ID: 03f72113190aa28cc60f62978912844d8f225545418d822bd0f48794aaf22bec
Opcode Fuzzy Hash: 29f4d16201a8361c37cf20a61d1c038280e4a206aaec1f3b2e8b6baf3a070ae3
Instruction Fuzzy Hash: 2ED158B091120ACFCB14DFA8D28498CBBF1FB49304F1280A9E516EB3A9D7749E44DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0577CD98, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36aabd17a6226838c5740aa0dfa7161b244fd0283198242a03f605420705c271
Instruction ID: 4a34bd6aedf699e9ea795aa0d98bbe1ebba886250c75db54d4a03b07de2f690e
Opcode Fuzzy Hash: 36aabd17a6226838c5740aa0dfa7161b244fd0283198242a03f605420705c271
Instruction Fuzzy Hash: 5DC13670D0521ADFCB18CFA4D5818AEFBB6FF4D310B21955AD416BB218C334AA41EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057758CB, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694c63c60c4c44472a25e247eb3a0d518dd100c9db5cbeb3d2cd97110e472258
Instruction ID: e06b0050c59cc140122adc103386c90e267aa4fb7d884ae1bff9c43dbaa42ce4
Opcode Fuzzy Hash: 694c63c60c4c44472a25e247eb3a0d518dd100c9db5cbeb3d2cd97110e472258
Instruction Fuzzy Hash: 50819B75E1868EEFDF10CFA4E48859EFBF2FB06350F19856AC011A7251D3349A05AF94

Uniqueness

Uniqueness Score: -1.00%

Function 071F2F38, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586e2d032f09301974e54da6f1dac3d08a068dcead17729d13ae1ac0918c0daa
Instruction ID: f54bb4b6e2178e61e7a59494c2c140fc011aae7a5011445f044cc739aba4ceb8
Opcode Fuzzy Hash: 586e2d032f09301974e54da6f1dac3d08a068dcead17729d13ae1ac0918c0daa
Instruction Fuzzy Hash: 1F9113B4D14219DFDB14CFA9C580A9DFBB2FF89304F2081AAD519AB355D734AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 071F3EA8, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767bc7f04f9910d16c465ddfa0b9604d072c0108b879f7342d49913614221d38
Instruction ID: 1c1fba98a569e029e20b1fb7f41e22ac5ef88988a7f1d2630b225d4a91d82039
Opcode Fuzzy Hash: 767bc7f04f9910d16c465ddfa0b9604d072c0108b879f7342d49913614221d38
Instruction Fuzzy Hash: DF7116B4D1920ADFCF04CFE4D5815AEBBB1FB4A310F11646AD925BB284D7349A40CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0577ADB8, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f34f2844b3b605dfc743f02f107173fba88c2e7fb96df89a8804bd676dd22b
Instruction ID: 5384a2c4b13f292c866265f96f4c949262175975dcdde34813d809ddca804d3a
Opcode Fuzzy Hash: 88f34f2844b3b605dfc743f02f107173fba88c2e7fb96df89a8804bd676dd22b
Instruction Fuzzy Hash: 4071E1B0D01209DFDF04CFA9D885AAEBBB2FF89300F10816AE415BB254DB349A46DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05775C38, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a57fcd47f7777c34fd4b0fd7e097d58aada0f0dbf9c130bc31279b56de5a19
Instruction ID: 88f40490cc040c7b911f772bc8e67d6f085ddb6ad0cbb65f12527a2521ebd0b5
Opcode Fuzzy Hash: 31a57fcd47f7777c34fd4b0fd7e097d58aada0f0dbf9c130bc31279b56de5a19
Instruction Fuzzy Hash: 8D6101B4D06209DFCB44CFA5E5845AEBBF2FF88310F21906AD825AB358E7346A01DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05779EE0, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b8463ac622fc0d8451a1e2710af0ead31f6a0fbdb7b7715765b44cea47825
Instruction ID: 62a940f8b5c74d11ad1bd589d89542119a20ed5fd115cfc05c739bce3af062a3
Opcode Fuzzy Hash: bd7b8463ac622fc0d8451a1e2710af0ead31f6a0fbdb7b7715765b44cea47825
Instruction Fuzzy Hash: 8751D4B4E052199FDB04DFA9D580AAEFBF2FF88300F24C565D414AB355D734AA41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 057794C8, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a58351d9b1a9961d15701c6e3bd1e7447b8e493fe08268104946048a74b439
Instruction ID: 10f4b7e183eda1c0ba3486cd12627a96cfe83a787c74f107f23d35fe2e81a6d7
Opcode Fuzzy Hash: 66a58351d9b1a9961d15701c6e3bd1e7447b8e493fe08268104946048a74b439
Instruction Fuzzy Hash: 6951D6B4E01219AFDB08DFEAD884AAEFBF2FF88300F10812AD515AB354D7759945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05775C48, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d63c8d714b9b039cecf8b17bfc95d2fb4192c323de5cafc717136df405e3dad
Instruction ID: 9d58783239e96156e0ea6512e83f06bb51ee1962a968f61f5349c13ef76d6367
Opcode Fuzzy Hash: 3d63c8d714b9b039cecf8b17bfc95d2fb4192c323de5cafc717136df405e3dad
Instruction Fuzzy Hash: B351F1B4D05209DFCB44CFA5E5845AEFBF2FB88310F21906AD425AB348E7345A01DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0577B560, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5335482606fb2354c22417b6a655641c395f5a8e77894579e2d14da2d08e2370
Instruction ID: 367901de1a9bcfbcd7b7d23d67e1331b005a3c3b1fbf396f29a47c3b9c7f42f5
Opcode Fuzzy Hash: 5335482606fb2354c22417b6a655641c395f5a8e77894579e2d14da2d08e2370
Instruction Fuzzy Hash: 5B512871D0420E8FCB08CFAAD4405AEFBF2EB89300F14D46AD569BB250D7349A41DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 057759E0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c946bc99624641ce3fa075e0c00189c81ebe317ad0a032b885848949227b0a
Instruction ID: 9862f05d6bdf221778325d8458507a6da4a9c5ce058510ea29eb0b3b35ad2f70
Opcode Fuzzy Hash: d2c946bc99624641ce3fa075e0c00189c81ebe317ad0a032b885848949227b0a
Instruction Fuzzy Hash: D2510074D1520EDFCF04CFA9E5805AEBBF2FB49300F10996AD516BB250D734AA019FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0577BEA0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f1e06ce77d4828cab391721108d5162773a2d5571dd6d20be7e5f1ba2d0023
Instruction ID: f634be794430201da8889a859c2ced16730acaf0fe5451017e2dd1aa1fac07d4
Opcode Fuzzy Hash: a6f1e06ce77d4828cab391721108d5162773a2d5571dd6d20be7e5f1ba2d0023
Instruction Fuzzy Hash: 4531E7B1E002188BDB18CFAAD8446DEBBB3EF89314F15C0AAE419AB354DB355A45DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0577F140, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7b35fc9cdf93644e0634289283e1b8f3afb1a2d7d244e058cbe7d4b8816007
Instruction ID: 9c5926ff68772f25e6be5914e205db4bd3393491d6cf94f5139fa5c0ad785dc0
Opcode Fuzzy Hash: 4c7b35fc9cdf93644e0634289283e1b8f3afb1a2d7d244e058cbe7d4b8816007
Instruction Fuzzy Hash: E331E871E016199BEB18CF6BD84469EBBF3BFC9300F14C1BAD848AA214DB305A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 0577A320, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ae7fa75c3f0e436b3e79a7454a89fc442e8e4297a222dc9ae1c2c0020e6eb0
Instruction ID: ecc572dcf9c4bb40734a71c7cd3f6e7463083eddd2ddf6aa7d7872323ad94b4b
Opcode Fuzzy Hash: e9ae7fa75c3f0e436b3e79a7454a89fc442e8e4297a222dc9ae1c2c0020e6eb0
Instruction Fuzzy Hash: EC31D6B1E01619CFEB18CF6BD844A9EFAF3BFC9310F15C0A99448AB254DB354A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 071F57C8, Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

Jp5, xrefs: 071F5885
Jp5, xrefs: 071F588F

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: Jp5$Jp5
API String ID: 0-132139368
Opcode ID: ab907f5d2d5f55768517e57eba14e026799057509933f441e88b8010d53f12f4
Instruction ID: 7ae22a55646720a77cc738ffb9ecde5ad7a886c836c56058dbeecf7c3a326e11
Opcode Fuzzy Hash: ab907f5d2d5f55768517e57eba14e026799057509933f441e88b8010d53f12f4
Instruction Fuzzy Hash: 672139B0D2512ACFCB24CF65D9957EDB7B2FB49300F1184E6C61AAA240E7309AA1DF04

Uniqueness

Uniqueness Score: -1.00%

Function 05C30FCE, Relevance: 1.6, APIs: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05C310DD

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fbe8488e5c19eb53eee605472ffd0aa373c05147a2aab7f2aa5e5f82eb13c200
Instruction ID: 2100d6dee853f3ef8b2810d3bc09cc33d6d8605751f1fac937e3cb2b26ce8076
Opcode Fuzzy Hash: fbe8488e5c19eb53eee605472ffd0aa373c05147a2aab7f2aa5e5f82eb13c200
Instruction Fuzzy Hash: F54148714093C45FEB138B75CC55A92BFB8AF07610F0D84DBE8849F1A3D265A90AD772

Uniqueness

Uniqueness Score: -1.00%

Function 05C31443, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05C314F3

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 85bb553d1ae4ef665ddb943eaa587391cfa827b68ab8b5b49a03612b78e28a0a
Instruction ID: 2ba663c6fcee13809a97ae66e311454fce54b5750be8ac11ab94a40167234fb4
Opcode Fuzzy Hash: 85bb553d1ae4ef665ddb943eaa587391cfa827b68ab8b5b49a03612b78e28a0a
Instruction Fuzzy Hash: 5031B4714043846FEB228B65DC45FA6BFBCEF06310F0888AAF985CB152D764A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C30A76, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C30B20

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2d051963da7e504ca10768a2370e2d37ec59c3df2c081ca85d63f4985b42b4b0
Instruction ID: 4c105ad46ca0ac2b533e9eb5a03f034205c12dae1248408f2529b4b3970d29b1
Opcode Fuzzy Hash: 2d051963da7e504ca10768a2370e2d37ec59c3df2c081ca85d63f4985b42b4b0
Instruction Fuzzy Hash: FF31C7725093846FEB228F65DC85FA7BFB8EF06310F08849AE984DF153D624A508D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31C1C, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C31CB0

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 03907d307785e29f8e1d5c7c9701feb97aab783bf2b850e80b353f0ceb1bdc23
Instruction ID: e8aee0f8a51b3fd7309e0dac322b9e6a930c4f874f73370842d05fa52814c16b
Opcode Fuzzy Hash: 03907d307785e29f8e1d5c7c9701feb97aab783bf2b850e80b353f0ceb1bdc23
Instruction Fuzzy Hash: 2521BA715093846FE7128B65EC85FA6BFB8EF46320F0884EBE984DF193D2649505C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C30DA7, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05C30E43

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: b633e74c4fa1859a1c171b2f55525091848d7918b0a5576f4e0dcc38f9601a7a
Instruction ID: 3bee839d138615814cb4cfdbec0f9c6c2421efbd4b9494cd9962030b28dd6701
Opcode Fuzzy Hash: b633e74c4fa1859a1c171b2f55525091848d7918b0a5576f4e0dcc38f9601a7a
Instruction Fuzzy Hash: FE218072504344AFEB21CF65DC89FAAFFB8EF05310F18889AED849B152D364A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C31476, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05C314F3

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4f9b911ac212ac7bf4e2ac5ea8e0483b28e2b1f2893c9aade00bd1ceccd63cef
Instruction ID: 39d65aabf23d7504d6ab631ad93bf32aeea37aa220807f48c76865ad53eb94e9
Opcode Fuzzy Hash: 4f9b911ac212ac7bf4e2ac5ea8e0483b28e2b1f2893c9aade00bd1ceccd63cef
Instruction Fuzzy Hash: 1C21A172500208AFEB21DF65DC85FAAFBACEF04310F18886AE946DB151D670E504DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C31551, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05C315D8

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0c55b63654504f2567240ff4eaa316edbc6b915aed872cce25e9db6926526e86
Instruction ID: 97e53fe0abf36e9cb484624e5b9ce7b14e54eda01f1384a565fe779871b0f979
Opcode Fuzzy Hash: 0c55b63654504f2567240ff4eaa316edbc6b915aed872cce25e9db6926526e86
Instruction Fuzzy Hash: 0721BF725093C09FDB128B35DC51B92BFB4EF07220F0D84EADC858F2A3D264A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C3105E, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05C310DD

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e55a420e9e6fa5fc29457fe6ef5b1763f42839349f768c12a6d48560efc6f9d9
Instruction ID: 4822a2adff1a0668d69526c43db43bb5e2e27f7651ef6b4a9b07b86dafcb97ac
Opcode Fuzzy Hash: e55a420e9e6fa5fc29457fe6ef5b1763f42839349f768c12a6d48560efc6f9d9
Instruction Fuzzy Hash: DD219D71500244AFEB21DF6ADD85F66FBE8FF08310F1888AAE9859B252D771E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C31134, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C311C9

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b78832f386c70bb99892ed029546b90b8be61592c44d6578f3479ab9ad5f7001
Instruction ID: ed2949a50915e127c40f8bb60b8f217cac99837a0d3850bca6378ba7ab867894
Opcode Fuzzy Hash: b78832f386c70bb99892ed029546b90b8be61592c44d6578f3479ab9ad5f7001
Instruction Fuzzy Hash: 5D2107B54087846FE7128B25DC81FA3BFB8EF46720F18859AED848B153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C31204, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C31295

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 22e67324292cfae6495fbc42748c6cb45831c5916149182131b6c66522a969a6
Instruction ID: 94598a8faf0450e297b903857fdce06575e9fa8f6ba685c61219dfff5c8694b7
Opcode Fuzzy Hash: 22e67324292cfae6495fbc42748c6cb45831c5916149182131b6c66522a969a6
Instruction Fuzzy Hash: 5B21B6714093846FDB228F65DC85F56BFB8EF46314F0884DBE9849F153C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C301B5, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05C30237

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dfba50194aa6e51b74350f6ea09fac25a055725de620955163b437adb749b3c9
Instruction ID: dfbd91d17b612130be672fe5bf75938c90d4cd104493091b1e9e64943a8fe418
Opcode Fuzzy Hash: dfba50194aa6e51b74350f6ea09fac25a055725de620955163b437adb749b3c9
Instruction Fuzzy Hash: B721B272509384AFDB12CF65DC45B52BFF8EF06210F0884DAE9858F163D271E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C30DD2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05C30E43

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 7d4b0ae818fc4541517ad949a17498250461691c6507a834fa3843393aa75469
Instruction ID: c310678662011344d611f66edd76c6420cb2ec60767c3f0c1c407ec1d40f48ca
Opcode Fuzzy Hash: 7d4b0ae818fc4541517ad949a17498250461691c6507a834fa3843393aa75469
Instruction Fuzzy Hash: 82219072600304AFEB20DF69DC89F6AFBACEF44710F14886AED859B241D674E5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05C31A64, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,118A06E3,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 05C31ADE

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 765479f13159fa6ea6d403b373ae21ea8c83814415950b6f496ab0c3eb4ed580
Instruction ID: 0b58934d5c1f4aaa08625652398638cb3de79131e96b1e1e075f3e246475c8fd
Opcode Fuzzy Hash: 765479f13159fa6ea6d403b373ae21ea8c83814415950b6f496ab0c3eb4ed580
Instruction Fuzzy Hash: AD21C1715093C45FDB12CB25DC45A92BFE4AF46324F0D84EAE8848F263D2709908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C30AB6, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C30B20

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 003da84d9c183f70ba6f0cf2b0f37c381b84465cd67c820982701a7f179c36d4
Instruction ID: 771d1bd297d8694ef0c9f54eb4dfdaad5056d0ecd43831ea741374ebc040e245
Opcode Fuzzy Hash: 003da84d9c183f70ba6f0cf2b0f37c381b84465cd67c820982701a7f179c36d4
Instruction Fuzzy Hash: 751184B2500208AFEB21CF65DC85FAAFBACEF44714F14886AEA45DB251D774A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C306AD, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C3071C

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2424295af66f9848ac807b13f95d63f52c51052cf7be88b82a0b624e7a17f9b4
Instruction ID: 26be5d20d7e9ed6bb2748a569ffd0370da777c7f8499cbb0594b613b246d0ec5
Opcode Fuzzy Hash: 2424295af66f9848ac807b13f95d63f52c51052cf7be88b82a0b624e7a17f9b4
Instruction Fuzzy Hash: 9D21A5755093C45FD7128F25DC99B92BFB8EF42220F0884EBED859F663D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C304D9, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C30544

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d8d97f708d1359353db8a041714c9da5ca6555dd13b13e121ca3d2761ac5d63b
Instruction ID: c6f300fe5a558fc234751dbe80f7336261c5659fbc1002e1b7af295ecb91df97
Opcode Fuzzy Hash: d8d97f708d1359353db8a041714c9da5ca6555dd13b13e121ca3d2761ac5d63b
Instruction Fuzzy Hash: EC21A5715093C49FDB12CF25DC45B92BFB8EF02210F0984DBED859F663D2649908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C31D09, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C31D7C

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ad27dc4ed7b9c1032e1a3690c2f70e9cfd4c0b728edb82e3805015af5e4938e2
Instruction ID: a8da6709e32d14084ea282b2c4726cc907dafe45c1c35ad1289fb1e037b7f558
Opcode Fuzzy Hash: ad27dc4ed7b9c1032e1a3690c2f70e9cfd4c0b728edb82e3805015af5e4938e2
Instruction Fuzzy Hash: 1221C0751097849FDB228F25DC44A52FFB4EF06210F0C85DAED858B263D235E948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C31E5D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C31ED1

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 60054fc79b98e494f9317fff5d05be2d124ccc13ccbc14fa70fbbf6676510731
Instruction ID: 0780d80913cb80200e00b06f310416e346c783352dcc4d5a877cd2969c7bced4
Opcode Fuzzy Hash: 60054fc79b98e494f9317fff5d05be2d124ccc13ccbc14fa70fbbf6676510731
Instruction Fuzzy Hash: D1218C714093C09FDB138B25DC44A52BFB4EF07210F0D85DBED848F563D225A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C31C5A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C31CB0

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2053f28a014e2dd8d10e9c1096ff77f33ebe13c5c1522b1756a3e336d2cc6b0c
Instruction ID: 2fb9fa9bf0cfeb64ab17446714857597cfa6073e03c913258e8747248b654f4f
Opcode Fuzzy Hash: 2053f28a014e2dd8d10e9c1096ff77f33ebe13c5c1522b1756a3e336d2cc6b0c
Instruction Fuzzy Hash: 6B1106B1900204AFEB10CF69EC85BAAFB9CEF44720F18C46AED05CB251D674A504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31236, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C31295

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ffc8b0d5b5c2e06bb7ee88f532163a66d1c2858f04eb65f80ebf3b9bb77a6faa
Instruction ID: 1c50a168454b8760532bb5e0274329e91a7b274584ba8f1f6eaad5c1d5e04913
Opcode Fuzzy Hash: ffc8b0d5b5c2e06bb7ee88f532163a66d1c2858f04eb65f80ebf3b9bb77a6faa
Instruction Fuzzy Hash: A911E371400304AFEB21CF95DC85FAAFBA8EF44320F18C86AEE459B251C775A504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31773, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C317D8

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d0beddb953e70a163c887be52f0852d30d86fbd32804ed663b3094b1b00dd4a8
Instruction ID: e7e1a53b8a81ed6c9288c3eea871d4e8ca6085840ace4f1769355c19e5a9e6f4
Opcode Fuzzy Hash: d0beddb953e70a163c887be52f0852d30d86fbd32804ed663b3094b1b00dd4a8
Instruction Fuzzy Hash: 7E11D376409784AFDB228F21DC44A52FFB4EF06220F08859EED858A162D265A558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C321EF, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C32259

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 82271e407bf0d7eaf05c133a5c628691648eb0cb865f7275ced9b98650557c08
Instruction ID: 1e8b318c3afdf5d5ca4e62181252bab9f323917a1d4dd261815502b2c909aaba
Opcode Fuzzy Hash: 82271e407bf0d7eaf05c133a5c628691648eb0cb865f7275ced9b98650557c08
Instruction Fuzzy Hash: 9B11D0754093849FDB228F15DC45B52FFB4EF06324F08C49EED854B663D275A518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C316CC, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05C3172B

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: bf25313d018e863205b8af1b5fa7f0673db8b9d674b41e6b1f1b1a611f95d0ce
Instruction ID: 34d52e2ffabe095a1c7e1f118ca9f2bb5299bfd31215ceb73cd64b56f864548f
Opcode Fuzzy Hash: bf25313d018e863205b8af1b5fa7f0673db8b9d674b41e6b1f1b1a611f95d0ce
Instruction Fuzzy Hash: 0F118F755093849FDB118F15DC85BA6FFF8EF06220F0D84AAED458B262D274A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C301E6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05C30237

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 89871973ed8a3c7a22cccaf4057e48ae000b743134b7c57d4c2abd631cd61485
Instruction ID: 8001fb8b80fb8926309a23ba8758287b49b7b1830041ad4221de891682f54ce2
Opcode Fuzzy Hash: 89871973ed8a3c7a22cccaf4057e48ae000b743134b7c57d4c2abd631cd61485
Instruction Fuzzy Hash: AC115E729043089FDB20CF66D889B66FBE8FF44710F08C8AADD459B652D371E504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31176, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,118A06E3,00000000,00000000,00000000,00000000), ref: 05C311C9

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 605eee3c3b51b388196360368186de1102b8283227ccb81a1f497e5a3028b9f4
Instruction ID: 5daab33ef5c10a70fb6b2fcdaebc1a6c8bcbb6563f95cbed584f74762cc3d2f6
Opcode Fuzzy Hash: 605eee3c3b51b388196360368186de1102b8283227ccb81a1f497e5a3028b9f4
Instruction Fuzzy Hash: B401F5B1500308AFEB10DB1ADC85FBAFBACEF44720F18C49AEE449B241D674A504CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31A9E, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,118A06E3,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 05C31ADE

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 6bb5dcd369f5a6092c3cb8d89d7d9de2bda27a26d535ffad8c1cdc55d29c1d64
Instruction ID: b6dd3ae565d003a8f93c0fd64983a138478b45796c2c3c25dab41133c80e7290
Opcode Fuzzy Hash: 6bb5dcd369f5a6092c3cb8d89d7d9de2bda27a26d535ffad8c1cdc55d29c1d64
Instruction Fuzzy Hash: 09116D756003448FDB10CF6AE885BA6FBE8EF44721F0CC4AADD49CB252D274E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C3159E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05C315D8

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a1da9ffc4f5c1f9c0f292233f0922f315c410f07cc95ba8cfaad92986dfe91f5
Instruction ID: 3d7db2032c12b1c3b84626a7456d07597cfd2da3f713c0428555ebe6e4a1e5fa
Opcode Fuzzy Hash: a1da9ffc4f5c1f9c0f292233f0922f315c410f07cc95ba8cfaad92986dfe91f5
Instruction Fuzzy Hash: C0017171A042448FDB10DF6AD8857A6FBE8EF44321F1CC4BADD4ACB642D674E504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C31D36, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C31D7C

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b0921f17f1040337ffe18652bc7912e84b4552c45dbb6a26d9da892fabc03594
Instruction ID: a9d1b10a27b413491512f1aba52fe7e5ecbcc27da4f5d99bb7a514e452964b41
Opcode Fuzzy Hash: b0921f17f1040337ffe18652bc7912e84b4552c45dbb6a26d9da892fabc03594
Instruction Fuzzy Hash: 5C01C075500A048FDB21CF16D885BA6FBE4EF05320F0CC4AAED468B652D235E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C316EE, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05C3172B

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d0c1a77731f83d1a6543025b3743c9b83cb1d08c0173b2916943762b585735cb
Instruction ID: 82e33c64062c1d11ed0e593f62f37586c69ee68e1d00d2eb85dab4d1862e8df6
Opcode Fuzzy Hash: d0c1a77731f83d1a6543025b3743c9b83cb1d08c0173b2916943762b585735cb
Instruction Fuzzy Hash: A001B1756002448FDB10CF16D885BA5FFA8EF05220F0CC4AADD498B251D274E944CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C306EA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C3071C

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1fb27bc2eea5420df389e7ae3bc8947273388d9100c4f4e6ad8d4c587cc24307
Instruction ID: 6b73892795c05fe8b6eaf293d325e5aa163f77874857a1fa836baa79211f5b27
Opcode Fuzzy Hash: 1fb27bc2eea5420df389e7ae3bc8947273388d9100c4f4e6ad8d4c587cc24307
Instruction Fuzzy Hash: 4101A2769003448FDB10CF2AE8897A6FFA4EF45320F18C4BADD499F242D274A548CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C30512, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C30544

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 99050a7835ef9a0d35fd5ab7c111dada1964be52baedfe9ae853a55ad386d7f1
Instruction ID: 15a70baaeccf1921cf3bf2a3e5c751baccce3583d2b66cac725165d1d945ce2c
Opcode Fuzzy Hash: 99050a7835ef9a0d35fd5ab7c111dada1964be52baedfe9ae853a55ad386d7f1
Instruction Fuzzy Hash: AB01D472500208CFDB10CF29E889756FBA4EF40220F08C4AADC499B242D274E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05C3179A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C317D8

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d9516299153f17ef8ddafee2043a0b013d8eb8e0831605d213fa438011fbba1b
Instruction ID: ec28d5fd436175a9ddbe6fd5c46a2130e5e82dd674cbb739024223daa06805c4
Opcode Fuzzy Hash: d9516299153f17ef8ddafee2043a0b013d8eb8e0831605d213fa438011fbba1b
Instruction Fuzzy Hash: 4F019E315006089FDB208F56DC85BA6FFA4EF08320F0CC49EED454A651D271A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C3221E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C32259

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e136ae2c74c746b232a30370adfbd6cd0cc24af8d9871e38f3153595676d5049
Instruction ID: 8d4e10ac36e0acc5491d750278007c12c44f9a691b9e0098ce1dd1c5954e87f3
Opcode Fuzzy Hash: e136ae2c74c746b232a30370adfbd6cd0cc24af8d9871e38f3153595676d5049
Instruction Fuzzy Hash: F301B1755007048FDF208F16DC85B65FFA4EF44320F18C49AED454B652D272E518CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05C31E96, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05C31ED1

Memory Dump Source

Source File: 00000012.00000002.415859974.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b5a51203cceb7b2384905d26261fbe34b652dce32704d8d031f5d40cb7a73a61
Instruction ID: 9c265fc73b630cb98c2bdb3f9f2248a1c58396d09a6b1c10851eb820db16d9f1
Opcode Fuzzy Hash: b5a51203cceb7b2384905d26261fbe34b652dce32704d8d031f5d40cb7a73a61
Instruction Fuzzy Hash: A5018B31400744DFDB20CF56D889B66FFA1EF48320F08C89ADD490B652D276A518CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 071F26FC, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

H<0m, xrefs: 071F266A

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID: H<0m
API String ID: 0-3201341484
Opcode ID: f5e38c16c1b9a38824b17394100dce5ce031d1cea35ab78be201ca5051f9ce58
Instruction ID: ff8d86352644011dc7bc502e80d4366e40741e4aee0cbfd4cc8be859c0dac19a
Opcode Fuzzy Hash: f5e38c16c1b9a38824b17394100dce5ce031d1cea35ab78be201ca5051f9ce58
Instruction Fuzzy Hash: C6E0B6B4A155059BCB14CF60E99069D7BB3FB8D311F1584A6E506A7288CB789E44CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05779BD0, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb0c05cca3da4ecba98c85d4e1ff86b5598e2060c986363597a7a4fb51c6207
Instruction ID: c5b9d9d939d52edbc5e134e14c297f137202db3f1b772611808b395a23922be6
Opcode Fuzzy Hash: 5bb0c05cca3da4ecba98c85d4e1ff86b5598e2060c986363597a7a4fb51c6207
Instruction Fuzzy Hash: B391E031D01229DFDF24CFA9D880BEDBBB2BF86304F5080A9D508AB251DB759A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 071F1071, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e60a65d77e8d74a753974eb87e00e5c2d14dbeadbd20db218c5f1979ecfbb2a
Instruction ID: 01798875bc04ce309fd138ce2a3ef345be17b11e7bbcb7d73b1f834c4e170374
Opcode Fuzzy Hash: 4e60a65d77e8d74a753974eb87e00e5c2d14dbeadbd20db218c5f1979ecfbb2a
Instruction Fuzzy Hash: D931907AD0425ADFCB01DFB4E8425EEBFB2EB49320F2091A7D410B7641D3310A89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0577A170, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5753d416e3ae0d1f374c27505ca52f5db760188041e8c9f555c1fe1a2f005b0e
Instruction ID: cb1f1eef1ff48b813a420144fb9226f7489096f850b5ea4e1259819e30733fb2
Opcode Fuzzy Hash: 5753d416e3ae0d1f374c27505ca52f5db760188041e8c9f555c1fe1a2f005b0e
Instruction Fuzzy Hash: F041B7B4E00208DFDB18DFA9E895A9EBBF2BF89300F248029E915BB354DB715841CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0577B748, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648fc892eb92dfc1b84dad7449b8b30f011b4c6cdada146da67328fba3e0bef8
Instruction ID: a56dac37d298c4737af336b10cbed585fcd7ee9d63499913f8c3aec4327d3fda
Opcode Fuzzy Hash: 648fc892eb92dfc1b84dad7449b8b30f011b4c6cdada146da67328fba3e0bef8
Instruction Fuzzy Hash: DE31F8B4E04209DFCB44CF99D5809AEBBB2FF48300F1091AAD819AB354D738AA41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 057701C8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbb4d907a3b336f70d0bdda01f5d4dd67f84ce77535752f541fb3b2766383ee
Instruction ID: 4dae376b72b4e82a1806dae6cc0de4f35657addee9375f37466d76a97152ae59
Opcode Fuzzy Hash: 1dbb4d907a3b336f70d0bdda01f5d4dd67f84ce77535752f541fb3b2766383ee
Instruction Fuzzy Hash: F3219D71D15209EFCF44CFA5E584A9DBBB6EF89300F1095AAD401AB265D730AB04DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0577D308, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54014fad524820516e5c665ef76d1003cdaf5fbadb696bf962b95e7b6aaaf50c
Instruction ID: 30d484a9c4f2517c7b7d9486a749f7b338cfe266f7bd06a5127f2a1a4f99ec8f
Opcode Fuzzy Hash: 54014fad524820516e5c665ef76d1003cdaf5fbadb696bf962b95e7b6aaaf50c
Instruction Fuzzy Hash: ED214AB0D0920EEFCB14CFA9D6409AEFBF2FF49300F1094AA9415AB254D7709B00EB51

Uniqueness

Uniqueness Score: -1.00%

Function 03170724, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.411257598.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1386002c95a307ad4b6854f96728e601283eb9a67fc24b621198458cd5c25134
Instruction ID: ba15abb6ad129538ee81ff53d5e6c42595d0f902f47b952a0719b123e270cced
Opcode Fuzzy Hash: 1386002c95a307ad4b6854f96728e601283eb9a67fc24b621198458cd5c25134
Instruction Fuzzy Hash: A621383510D3C59FC713CB60D894B95BFB1AF4B218F1D85DED8889B6A3C32A9816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 071F3C00, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c65674e4bb02ff15363546f7c440975c2bc5373509f0c05e373734f3d7c2071
Instruction ID: f4f34ef30ed48435935b9ad3e6766ede626ed8cbc4ec684aad40b0026df1831f
Opcode Fuzzy Hash: 2c65674e4bb02ff15363546f7c440975c2bc5373509f0c05e373734f3d7c2071
Instruction Fuzzy Hash: 03116AB4D25208AFCB66DFB8D4056ECBFB0EB0A310F1041EBD954A7351D7368989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057701D8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a44f193b2ca158ef11f372fa387ec98cf7517fe039a03ea07c39098f3667a4
Instruction ID: 4b8f98ee76afa86f37b0ba345e6b92a218068186729f4ae049a4c1a87d2619e3
Opcode Fuzzy Hash: b3a44f193b2ca158ef11f372fa387ec98cf7517fe039a03ea07c39098f3667a4
Instruction Fuzzy Hash: 43215C71D16209EBCF44CFE5E6859ADBBB2EF89300F20A5A99405AB254D730AB04DB00

Uniqueness

Uniqueness Score: -1.00%

Function 071F28E6, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23332c5b90c4868264726735b4c56853f19028178f7d9e53ed3879ffc2f85ae
Instruction ID: 4337cedf437d7f344aa2c522ab0d8fca50c83966f838882b44065e7f60136158
Opcode Fuzzy Hash: b23332c5b90c4868264726735b4c56853f19028178f7d9e53ed3879ffc2f85ae
Instruction Fuzzy Hash: 5631CEB4D11328CFDB64CFA4D98479CBBF1BB49314F2150AAD50AAB395DB344A85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0317075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.411257598.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f4e11b487074e7ef2d3fcb1ff737094f11779d0209bf4d55ec523960e70fc5
Instruction ID: abedd237343099580be30c8113bc33621686c9955cbefc181f5d7eef12caf8b0
Opcode Fuzzy Hash: f9f4e11b487074e7ef2d3fcb1ff737094f11779d0209bf4d55ec523960e70fc5
Instruction Fuzzy Hash: 1011AF35204344DFD715CB24C984B66BBA9EB8C708F2CC9ACE9891B652C77BD843CE51

Uniqueness

Uniqueness Score: -1.00%

Function 0577B870, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f1f9158ba32b2d3d1e1646f29abba5d9a1b34250b8caa25fb37d1e1285a60b
Instruction ID: 34051f40972758dc7aefc7382e006966a973377e87e8a2f78a3d225c05e0a069
Opcode Fuzzy Hash: 74f1f9158ba32b2d3d1e1646f29abba5d9a1b34250b8caa25fb37d1e1285a60b
Instruction Fuzzy Hash: 0821E7B4D1420EDFCB04DFA9D5859AEFBF1FF89300F158595D419AB214E730AA409F91

Uniqueness

Uniqueness Score: -1.00%

Function 05770091, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be27020f703f3cb6b28e0d0d068d604878cf48c69e09d529e5598a889fe6096
Instruction ID: c46fec4f5dd97f997ac508c58f236dd3b844db15ebcaa91275cef332ddfe2f3b
Opcode Fuzzy Hash: 4be27020f703f3cb6b28e0d0d068d604878cf48c69e09d529e5598a889fe6096
Instruction Fuzzy Hash: CC11A070805208EFCB44DFB4E54559EBFB0EF47310F1190AAD006EB215E7319A14EF56

Uniqueness

Uniqueness Score: -1.00%

Function 071F10C0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c7813cf9cf130106dfbcc46c1661fa8407e3ddadb883c3d898a240ea1aed5a
Instruction ID: 46734c993461ac8c95584a942a05736b6e34a8c68745f49293341481adee2ae9
Opcode Fuzzy Hash: 05c7813cf9cf130106dfbcc46c1661fa8407e3ddadb883c3d898a240ea1aed5a
Instruction Fuzzy Hash: 762112B4E0420DDFCB04CFA9C5946AEBBF2FB89300F2181AAC925B7348D7355A059F91

Uniqueness

Uniqueness Score: -1.00%

Function 0577D418, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510c591d8d666d7ee0b3831cfcbaa2bdeb6daeca70c60e28038c505eb11019d7
Instruction ID: 4208b7c5d2ba2f4acc77cf34ac78d9295aa4728e036d8bf70ba9c1c34e4bbf96
Opcode Fuzzy Hash: 510c591d8d666d7ee0b3831cfcbaa2bdeb6daeca70c60e28038c505eb11019d7
Instruction Fuzzy Hash: 0411E674E04109EFCB14DFA9D589A5DFBF2FF88300F55C099A919AB355DB70AA00DB40

Uniqueness

Uniqueness Score: -1.00%

Function 057700A0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca3d0069084b277c47ef3311d412514fd9338b902f3ad3fa849067ecd4cee3b
Instruction ID: 089654d121accd99d09796a8cbc9892256b298b624c6ab1772dd5f32cc0a6da1
Opcode Fuzzy Hash: 7ca3d0069084b277c47ef3311d412514fd9338b902f3ad3fa849067ecd4cee3b
Instruction Fuzzy Hash: 7C018C7080520CEBCF44DFB5E14A5AEBFB0EB46311F2194AAD016AB214EB708A54EF56

Uniqueness

Uniqueness Score: -1.00%

Function 031705CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.411257598.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524a844287731edc4f11c408bfcff6fbe06edd6ca5ee0e906091d5b9cabf31a5
Instruction ID: 1b9cf1aec1e66593684e696405f38d9b1d9e0f93d02f52442ef012701b5da8ee
Opcode Fuzzy Hash: 524a844287731edc4f11c408bfcff6fbe06edd6ca5ee0e906091d5b9cabf31a5
Instruction Fuzzy Hash: 91018BB65093405FD711CF06EC44862FFB8EB86620749C49FEC498B611D2257549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05772DEE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d2329f0392aeef38387bcac32a29f7903831c4536e3faffbd24e41bbc838d6
Instruction ID: b8f6396e0df3ea2a0c57496d349d3fc9090c9166e35bc0fa2e7374207e9f387a
Opcode Fuzzy Hash: 30d2329f0392aeef38387bcac32a29f7903831c4536e3faffbd24e41bbc838d6
Instruction Fuzzy Hash: FE1104B4D012288FDB66CB65D844A9DBBBABB88304F1050DAD508B6355DB314F859F01

Uniqueness

Uniqueness Score: -1.00%

Function 071F3C79, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df728db62870497d04b8462fd5a8f10a6ab494142ad95efaa067a3451fa018d0
Instruction ID: e47e3cdc749a2c207e07855dd002cf2dfcc0e82628ad2b1b54f2ea2d430aec5c
Opcode Fuzzy Hash: df728db62870497d04b8462fd5a8f10a6ab494142ad95efaa067a3451fa018d0
Instruction Fuzzy Hash: 60011AB4C15208AFCB55DFA8D4456EDBFB1FB49300F1181ABD824A7250C7360685CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071F3CC8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f43d97153e4ef5cdf4fbabc3dfd20db324a36af74f8b47bd4dd388f83c50ea5
Instruction ID: 522c3c9324b4938628d81a14ee840695c9e748ed03f3a7cdfc6de6b83ead3053
Opcode Fuzzy Hash: 3f43d97153e4ef5cdf4fbabc3dfd20db324a36af74f8b47bd4dd388f83c50ea5
Instruction Fuzzy Hash: 6DF05EB4D55208AFCB56DFA8A4025EDBFB0EB45310F1186EBEC28A3251D7360A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 071F3DE8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb986b23a198c6f85c1348de13f68041c2c2346c26fbf738157db095e496ee1
Instruction ID: add35019f5edb502fd94e2356c0b9a9f78d69b876f0a2bb889d73a010ae782b1
Opcode Fuzzy Hash: 6eb986b23a198c6f85c1348de13f68041c2c2346c26fbf738157db095e496ee1
Instruction Fuzzy Hash: A7F05EB1D153899FCB66DB74A4112E8BFB09F46211F0141EFE854A7352D7364A48CB52

Uniqueness

Uniqueness Score: -1.00%

Function 071F3E28, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379d0515cd75e0e381112a0df36053e42784fc6c6002b28d466bb6d092f8b919
Instruction ID: 4527a2906c793d8c472db03cbe36b3242261f3c3ca0158868db0f435da389ec8
Opcode Fuzzy Hash: 379d0515cd75e0e381112a0df36053e42784fc6c6002b28d466bb6d092f8b919
Instruction Fuzzy Hash: 78F0A7B18562449FCB559A74A4022F87FB1EB02311F1105EED904A6651D7360955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0577DE68, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d693f2b5be6ec34412f65b44fb52d6afc3747c35495c7d1c11eb9b2398d37bca
Instruction ID: 975a4e8590da4772646f4f5e5c682925d98b49b4f1a0de29c58cefe301a300f0
Opcode Fuzzy Hash: d693f2b5be6ec34412f65b44fb52d6afc3747c35495c7d1c11eb9b2398d37bca
Instruction Fuzzy Hash: 3701F6749042199FCB50EFA8D8449AEFBF0FF08300F1181A6E8A4A7345D734AA84DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03170818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.411257598.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 86a0d15ee7e4ac96555e16d834f524bc295c5b78d4a4ffbaf1f061a30b671d6c
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: 1AF0FB35104645DFC706CB40D940B15FBA6EB8D718F28C6A9E9890B652C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 057761B2, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b8fd0ff2c826f878ca597e2c52ec0c7240c3b9187641df70f875bbc08c9135
Instruction ID: 221a1c243afef63a8bf96492cdad7d49e265b039d1480974a3b736752c283eea
Opcode Fuzzy Hash: b1b8fd0ff2c826f878ca597e2c52ec0c7240c3b9187641df70f875bbc08c9135
Instruction Fuzzy Hash: FEF04931805208AFCF45DFA8D84059DBFB1FF0A310F00849AE814AB215C3718A20EF11

Uniqueness

Uniqueness Score: -1.00%

Function 057718E6, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb8651c7b799ec0ead1d9f7b145f5b0c9b4779e9bbfc9582375ee0a76d8af14
Instruction ID: 1403fdc25dfd925f70074ab414d14859da5cd4bf27d9ccd30b64c15786825dd4
Opcode Fuzzy Hash: cdb8651c7b799ec0ead1d9f7b145f5b0c9b4779e9bbfc9582375ee0a76d8af14
Instruction Fuzzy Hash: CEF0623591060DDFCF51CFA0D8888EDB7B2FF49320F064595D119AB224D7345A41EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05775E70, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cc1488528c9f019ee6287fdc11f9ca69177a96b15ae10f3bb4bec9ef73c0fa
Instruction ID: 02120a7c70f319ffa6f8b97c439c27da0b269508231156ea8057b6cecd9ce545
Opcode Fuzzy Hash: b6cc1488528c9f019ee6287fdc11f9ca69177a96b15ae10f3bb4bec9ef73c0fa
Instruction Fuzzy Hash: 16F0ED749442089FCB51EFB8E94526C3FB0FF82310F1400AACC00DB355CA305A59EB23

Uniqueness

Uniqueness Score: -1.00%

Function 031705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.411257598.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa34f9699c89476ccb336deb042a2a26c01b6e6a491af945f6aa17b56c1ac7d0
Instruction ID: 4c1d3f659131320122f7d26c7e5d6561c1993e9959ade3321bce4f0691cf1564
Opcode Fuzzy Hash: aa34f9699c89476ccb336deb042a2a26c01b6e6a491af945f6aa17b56c1ac7d0
Instruction Fuzzy Hash: ECE06DB66007004B9650CF0AFC81456F7D8EB84630718C46BDC0D8B701E135B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05770B4C, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cb053ff934abb754fc467cf74050b1b43ffbc01c4007bbc8188ebe67f4a9af
Instruction ID: 521a2c32cc4a559123001ef5195bc4e807bfe55b903332147701d87e66bcbec1
Opcode Fuzzy Hash: 55cb053ff934abb754fc467cf74050b1b43ffbc01c4007bbc8188ebe67f4a9af
Instruction Fuzzy Hash: 9A01F270A10219DFCB26CF10E988BE9B3B2FB89300F1189E5C15EAB224D7305E80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05775BF0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593df4c45ed4a925f65a1efdcbea74941f459901fe05db7588ea8bef65f204f5
Instruction ID: cea4d9725e51e747f2d63207f41b946b860db9a548369ab3dbd150db82eef545
Opcode Fuzzy Hash: 593df4c45ed4a925f65a1efdcbea74941f459901fe05db7588ea8bef65f204f5
Instruction Fuzzy Hash: 93F08C70D092489FCB45EFACD8812ADBFB0EB46310F0486EAC81897342C2345915DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05775EB8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63465b3e32b8b6202df0bd79ba15ee1875de51150610835b4ac102713fcc83fb
Instruction ID: 9c85bd1efb492bc447f046b23a780530fa8816aa6d154c663cd6426496e5b531
Opcode Fuzzy Hash: 63465b3e32b8b6202df0bd79ba15ee1875de51150610835b4ac102713fcc83fb
Instruction Fuzzy Hash: 73F0ED309052089FCB48EBB8E95169C3FB0FB46310F1400EAC800DF241C7315A88DB62

Uniqueness

Uniqueness Score: -1.00%

Function 071F51A2, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbca57631cbb238142ddbf1b683afbdb39be829f8e2a723b2e70f24d1c6fe66
Instruction ID: df3a8328af4cde20aac5f53c42d7ada6ef1ecce9e4aa5bcba325f138ea414979
Opcode Fuzzy Hash: bdbca57631cbb238142ddbf1b683afbdb39be829f8e2a723b2e70f24d1c6fe66
Instruction Fuzzy Hash: AE0192B4D4A26ACFEB64CF55CD84BD9BBB1BB44710F0080D9C609A7290DB755A80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05771DF9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa1f1fbaa89278b21bf41646ed837b38a811a478032bc40d1e8bec024a11145
Instruction ID: 1553000de5427041de5d28e10d7207a78c5d547b5529ef7de7e12c090af9d8e2
Opcode Fuzzy Hash: 7aa1f1fbaa89278b21bf41646ed837b38a811a478032bc40d1e8bec024a11145
Instruction Fuzzy Hash: 2DF06D30806248EFCB52DFA4DD55A997FB4EF06300F0441EAD8449B261E3359A68DFA3

Uniqueness

Uniqueness Score: -1.00%

Function 05771DB0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dec3ecbd3b623f408e3017ff39232bfac1c48dc9db1968b61290394beff4c6
Instruction ID: 6a03fb5b691f33e6db52aea22207fba8a04e01c42427871994025652fe71b79f
Opcode Fuzzy Hash: 19dec3ecbd3b623f408e3017ff39232bfac1c48dc9db1968b61290394beff4c6
Instruction Fuzzy Hash: C5F03970E04208AFCB54DBA4E4896E9BBB0EB4A321F1081EBD844A7715D6391A19CF42

Uniqueness

Uniqueness Score: -1.00%

Function 071F485E, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370bcac98559b006f05c06447655c4d4c0c61520a13cbb6e6fe61c75444cba4a
Instruction ID: a0ad3f799e6038b1d93ede05030de2232007b83b5e8c1e71ad351e72e2bf776b
Opcode Fuzzy Hash: 370bcac98559b006f05c06447655c4d4c0c61520a13cbb6e6fe61c75444cba4a
Instruction Fuzzy Hash: 39F0CAB5C0626EDECB24DF54CD487D9BBB1AB68340F1085DAD919AB291D3B80BC0CF51

Uniqueness

Uniqueness Score: -1.00%

Function 057717EF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf094962e69a5777ab7e14964a84ebad4eeb804aa1f3274b8fb2eb533675c733
Instruction ID: 6d08704c724f2727eefe93e4170d1e94e790f0742325a5cd7371421c9e40be09
Opcode Fuzzy Hash: bf094962e69a5777ab7e14964a84ebad4eeb804aa1f3274b8fb2eb533675c733
Instruction Fuzzy Hash: A8F0A934A11318CFD725CF10D859BE9B7B1FB49301F1250D6E509AB294DB306E85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 071F35C0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca57ed75e6acf68c7392878e045253d96038e5aacd9cb4bf56430a09d3415274
Instruction ID: 3759b19b85a2f8d2efdc347ec7cd4207e26ee4c09332a5533a32be4a66cca912
Opcode Fuzzy Hash: ca57ed75e6acf68c7392878e045253d96038e5aacd9cb4bf56430a09d3415274
Instruction Fuzzy Hash: 7EE0D8B0C093889FCB12EFB4A8152DCBFB4AB01304F1442EFD4D4A6262D33A8644CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 05772577, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c5e3fd42169da2e634c5bfdc0d8e0bc6dfdcfdc1a496f3e714337a4ccae5e
Instruction ID: 00c556f8ca36320046065c651d1e0bc9f56a8fcf298f0a26cb1dba4491c4fad5
Opcode Fuzzy Hash: 472c5e3fd42169da2e634c5bfdc0d8e0bc6dfdcfdc1a496f3e714337a4ccae5e
Instruction Fuzzy Hash: E2F039349093489FCB41DFB4D898698BFB0AF06310F1481EAC898DB356D6355958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05770189, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736d019e886f6903b0b109b8d5282fade778302326bbb0364470d91486ac6c81
Instruction ID: 8b95245c37c0e1d281f2e34e8370642b86012f7fce0f129b8f16870e7f75e0b9
Opcode Fuzzy Hash: 736d019e886f6903b0b109b8d5282fade778302326bbb0364470d91486ac6c81
Instruction Fuzzy Hash: 9EE0DF708193989FCB86DB789D492AC7FF0DF07300F2901EAC880EA256C2750A18DB62

Uniqueness

Uniqueness Score: -1.00%

Function 071F3E6A, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf1a89bdcb14e5e323250aeb94a5825fad8aa5aa4315da314da742d97b2805c
Instruction ID: 265f9aaa5655015076d177df58091804d13009409a08b1fb24d172684c4b9056
Opcode Fuzzy Hash: 0cf1a89bdcb14e5e323250aeb94a5825fad8aa5aa4315da314da742d97b2805c
Instruction Fuzzy Hash: A1E086798663449FCB56DB74A8057ED7F70AB02310F2005EBD814B72A1D7350A59CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057761C0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da9cf4f0998e22de6ddc78cfd1808b799c7376891a1f31e59b64abf1cafa6d6
Instruction ID: f6740b6b0fa54698d56a6dca416bd8b4e90a7495fbeab8e877c4600b96e298cd
Opcode Fuzzy Hash: 3da9cf4f0998e22de6ddc78cfd1808b799c7376891a1f31e59b64abf1cafa6d6
Instruction Fuzzy Hash: 81F01C7080020CEFCF45DFA8D9445AEBBB1FB48300F008469E81466314D3719A60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0577620A, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9d9e122947c1a33ea0ee29d986124f455922f3565620dcaad053112443f605
Instruction ID: 2ba4caca3bd57a06fcf5aae7490c0eb405c663ef75902c745a8a93b56f9e8721
Opcode Fuzzy Hash: 1e9d9e122947c1a33ea0ee29d986124f455922f3565620dcaad053112443f605
Instruction Fuzzy Hash: B8E0C970E052489FCB55DF79D98469CBFB0EF46310F1440EBC8449B256D6745918DF51

Uniqueness

Uniqueness Score: -1.00%

Function 071F5D20, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249cfb20ff3694ef04a2a1a3467fdc74a463fff02d12ada49345f251a9cfa136
Instruction ID: 377399ee23039b6b00e906bc047381f2abf133f45d6fffa26d08bc77bb59c383
Opcode Fuzzy Hash: 249cfb20ff3694ef04a2a1a3467fdc74a463fff02d12ada49345f251a9cfa136
Instruction Fuzzy Hash: 0FE026B0C15344AFC7259B78980A7D83FB2DB01300F0000EADD0466281E77A4898C791

Uniqueness

Uniqueness Score: -1.00%

Function 071F539D, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cb600239afa237a42672edca97052435400538c4c765cfd7511b9c8c8fefc1
Instruction ID: bf3f77badda7ce83da9f31195b770bef64f2b0f0b2a58413e1a38609125f7f72
Opcode Fuzzy Hash: 64cb600239afa237a42672edca97052435400538c4c765cfd7511b9c8c8fefc1
Instruction Fuzzy Hash: C7F0D4B19152298FCB64CFA0C950BDDBBB5AB45300F5000A9D259AB290D7346B84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0577604F, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d508f57e0a13d0c93e7731ae0c131abe5b1448de3f493fdb6d3a3da31ab222
Instruction ID: 89fdb2086a2eca22b40b1be95bf05a661d6cc1681f01220c1a29e015909e1ce5
Opcode Fuzzy Hash: f0d508f57e0a13d0c93e7731ae0c131abe5b1448de3f493fdb6d3a3da31ab222
Instruction Fuzzy Hash: 03E06D70E092089FCB15EFB8E884AA87FB0EB06300F0040E6C404A7324E7751514DB12

Uniqueness

Uniqueness Score: -1.00%

Function 071F3EB8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad09a0ec6fa5ca7d64193dd8ad993b3f13438adfbe1f91aa957fa254fea3ed5
Instruction ID: a93cffc960f401d6846c8130e2878813150282fc0e4ca187b690de02a0729d73
Opcode Fuzzy Hash: 5ad09a0ec6fa5ca7d64193dd8ad993b3f13438adfbe1f91aa957fa254fea3ed5
Instruction Fuzzy Hash: 92E04F70E11308DFCB10EFB4E809AADBB70EB49301F1151A9D824A7384EB755E48DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05770CD9, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d325a98e577ecf9473c7fa78312c9d549a7b3c1e9f50a0cf1b4246cf0684fe
Instruction ID: b863a3f4da29a6966314653570ccfdada629060997477da355a8bc7d09adf3e6
Opcode Fuzzy Hash: 31d325a98e577ecf9473c7fa78312c9d549a7b3c1e9f50a0cf1b4246cf0684fe
Instruction Fuzzy Hash: 10F01C749016299FEF91CB60C844ADDB7B6FF49300F4144E5D109A7260D7309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05770151, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b13c2a4ccbb0f3f140f39fafbda81b2b2864625c9c18fa90825f79cf33356c5
Instruction ID: 505b3ca75126cd718f8899177c904b3b82f38d52429d5e845d683eea66ec8913
Opcode Fuzzy Hash: 2b13c2a4ccbb0f3f140f39fafbda81b2b2864625c9c18fa90825f79cf33356c5
Instruction Fuzzy Hash: EBE0C23044A3088FC761CF78A8892A97BB0EF03300F1542E7C444DB143C6380C15CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 071F547A, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dba24808276ccafde038f77553b1dc7410755ea108fa75c1a004478601e66b
Instruction ID: a0984bcf63ea52edb8c3db0d463ec47e33879abeaf5612a4db040ba24e3ed120
Opcode Fuzzy Hash: 65dba24808276ccafde038f77553b1dc7410755ea108fa75c1a004478601e66b
Instruction Fuzzy Hash: 85F0C9B2C542298FCB58DF60CA857DDBBB4AB69351F2041EA8119A6250E7356B84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05771E08, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a1db7fd77c43738c8fc220139866bed7eb1d8b64f2befe6b9823b54f348e9d
Instruction ID: cd04fde427ee5fe7541d8167452bae2e1251d7c68db722fec6c56bc7ee4799a7
Opcode Fuzzy Hash: 97a1db7fd77c43738c8fc220139866bed7eb1d8b64f2befe6b9823b54f348e9d
Instruction Fuzzy Hash: DFE08C3080120CEFCB44EFB4D504A99BFB5FB05301F5040A9D90457220E7729A68EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071F4B9B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e9d0f59d969be7156f4a0871a356248bd8890a5bed189ff05367ba2f95ae79
Instruction ID: 052a79bb030d9a2288dd9465d3340d1bd28eeab8bc8ecc630f3bc880a0f3e413
Opcode Fuzzy Hash: 21e9d0f59d969be7156f4a0871a356248bd8890a5bed189ff05367ba2f95ae79
Instruction Fuzzy Hash: 53F09BB590522ACFDF28CF64C984BDDBBB5BB48314F0091EAD61DA6251D3309A90CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05771DC0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d3bc5dd5a5f919c810ee980d3f0aff63f68c52940c9ec54baa843b9884710b
Instruction ID: 463230468407cc060555725344c76493f9d0bbec934221411b43553e6200d942
Opcode Fuzzy Hash: a5d3bc5dd5a5f919c810ee980d3f0aff63f68c52940c9ec54baa843b9884710b
Instruction Fuzzy Hash: 89E08C30D04208AFCB44EFB8E0486ADBBF0EB49300F1081F99848A7300D6701A54CF82

Uniqueness

Uniqueness Score: -1.00%

Function 05772588, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9181685c9b1ef6d056930beafdcebcae16376e16fcf18ddbb83e2d10b872081c
Instruction ID: 722fca1dd572a175767abfe5fabfd0f3017a112dee95f7d8e760e559312b73fe
Opcode Fuzzy Hash: 9181685c9b1ef6d056930beafdcebcae16376e16fcf18ddbb83e2d10b872081c
Instruction Fuzzy Hash: ECE08C74D04208AFCB44EFA8D0487ADBBF0FB45300F1080F9D808A7300D7301A08CB82

Uniqueness

Uniqueness Score: -1.00%

Function 05775C00, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8865dfc406faf3f92671b587b998b139d2474c2cbe24ae076f167b70ea8381ef
Instruction ID: d276beb94a16bf7bb9f690a5bb61894f9f17be10034a88cdb7124668861639d7
Opcode Fuzzy Hash: 8865dfc406faf3f92671b587b998b139d2474c2cbe24ae076f167b70ea8381ef
Instruction Fuzzy Hash: D1E0ECB4D0520CAFCB44EFECD9456AEBBF4FB44300F1089AAD828A7340D7706A55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 071F4E7E, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c70fffc5263a828b9b365db3cf3f99fc081e6d97f582985ee5d1d452ed91739
Instruction ID: 208485832c54e98b13c5229a586698819ea7bba67bfacd454770f22ee5516cbe
Opcode Fuzzy Hash: 6c70fffc5263a828b9b365db3cf3f99fc081e6d97f582985ee5d1d452ed91739
Instruction Fuzzy Hash: 33E0E5B1C0626A8FCF24DFA0CA44BDDB7B5AB55300F4084DAC259AB191D2345A81CF20

Uniqueness

Uniqueness Score: -1.00%

Function 071F4A97, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da48fe37a1c0930b198defe3d8a9179a4e95127283107764912a9273e62dc7f
Instruction ID: 9c82520c0643f05e0673e434f5d78750729f7d5580092d6dc9203e548ab4ffc3
Opcode Fuzzy Hash: 6da48fe37a1c0930b198defe3d8a9179a4e95127283107764912a9273e62dc7f
Instruction Fuzzy Hash: 20F0A5B580126DEFCB249F24C9543EDBB70AB01711F8085D9861ABB290DB700BD2DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0577082C, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768c5caf9d7a787b352db682410e60d92f15e204a76d5eea9b068960763053ca
Instruction ID: 124f6964833de3633d186cbef69c68911fac5b9b0630231fc61f6f81dacd0821
Opcode Fuzzy Hash: 768c5caf9d7a787b352db682410e60d92f15e204a76d5eea9b068960763053ca
Instruction Fuzzy Hash: 1CE01A70911319CFDB60CF10E999BAEB772FB48310F108196951AAB399DB305F85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05775EC8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca8228e59bd3c2165dcb6e850ef551f57164206ca56f6568a9aa187e2e14441
Instruction ID: 3cad9b0f4bab14ab3960528354c0cbd9c6ca1c73392aaa4d3debb76de41d3561
Opcode Fuzzy Hash: 2ca8228e59bd3c2165dcb6e850ef551f57164206ca56f6568a9aa187e2e14441
Instruction Fuzzy Hash: B5D01774D54208AFCB54FBB9A54926DBBB5BB44300F1100A88845AB340EB719A98D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05775E80, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967d00a9e1a7f9f80c199b8add26d734151f36e6714238acbfa8e8d0425f6c2d
Instruction ID: 08790c7d5a6ef3ba87634a6ceb996f87287ab405e098ffb74098f85e10d92f4a
Opcode Fuzzy Hash: 967d00a9e1a7f9f80c199b8add26d734151f36e6714238acbfa8e8d0425f6c2d
Instruction Fuzzy Hash: 72D0127494410C9FC754FBBC954926D7BB5BB44201F1004A498059B340DA715A54D7A3

Uniqueness

Uniqueness Score: -1.00%

Function 071F3C10, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfa8278d50ff3d82e9cff46861f72128f4f748bf12d3f0cbe8a3b87da8b0ef7
Instruction ID: dea6806d1c07e3ffacf4798a494ef48d3e3d28ab4d3dfecedb81213a762f1225
Opcode Fuzzy Hash: 4cfa8278d50ff3d82e9cff46861f72128f4f748bf12d3f0cbe8a3b87da8b0ef7
Instruction Fuzzy Hash: 43E0EC74D102089FCB54EFB8D44865CBBF4EB08700F1041EAD81897350E7359948CF41

Uniqueness

Uniqueness Score: -1.00%

Function 071F3CD8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c38f1da9e59235720c22efbc69c53b2357a1ea5bafec6b851e4a2f7fa18a01
Instruction ID: f11550960a25e944f1d0a119ba5014011f485c1fd6187466e9a45887159f6510
Opcode Fuzzy Hash: 58c38f1da9e59235720c22efbc69c53b2357a1ea5bafec6b851e4a2f7fa18a01
Instruction Fuzzy Hash: 04D017B4D1420CABCB54EFB9D44969DBBB4EB88300F1082AADC28A3380D7351A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05776060, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7351c5b1ceb9826c98e2996fe13c25dc15e7e462a4a19ef1137ff5d6dce6ab
Instruction ID: 29b736e2951eb27cfec7bf211da9851cbcb44234d97207645c67738b9b4aa2d9
Opcode Fuzzy Hash: 0b7351c5b1ceb9826c98e2996fe13c25dc15e7e462a4a19ef1137ff5d6dce6ab
Instruction Fuzzy Hash: 5AD01770E0420CAFCB54EFACE5486ACBBB4EB04300F0080A98858A7340E6755A54CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05776218, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f044d015df12f5334b23f5c743cccab3f59725113cba63d61bb048362962c0e
Instruction ID: d8a8511410150ecabe26098dcada9f15f047e4f0b2277e43a0ca0fa2bb7bba42
Opcode Fuzzy Hash: 0f044d015df12f5334b23f5c743cccab3f59725113cba63d61bb048362962c0e
Instruction Fuzzy Hash: 41D01770E0520CAFCB94EFA9D54469CBBF4EB04300F0040EA8848A7340EB745A58CF92

Uniqueness

Uniqueness Score: -1.00%

Function 071F5D30, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73855b3aadb1ec9a4a97ba1b088f6e8b7ff1a742675673b5cd8ea5fba269a650
Instruction ID: e7d45b513ea15d9e96f99aac0a16e8b2d0fa7bd7625ba3d5e6b8396a06f63edc
Opcode Fuzzy Hash: 73855b3aadb1ec9a4a97ba1b088f6e8b7ff1a742675673b5cd8ea5fba269a650
Instruction Fuzzy Hash: 6CD0A7B0C11208DFC764EFB8940975C7BB5EB00301F1001FEC91457340E7369554CB91

Uniqueness

Uniqueness Score: -1.00%

Function 071F2F48, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daa28370e705408cf4b5a585df74814d7badda9351624faf52b90726c99488b
Instruction ID: e725c99a612816515d4ff6482dd720b1f3f65e1e8faec95cec4a51cdc9f958fc
Opcode Fuzzy Hash: 4daa28370e705408cf4b5a585df74814d7badda9351624faf52b90726c99488b
Instruction Fuzzy Hash: 9CD017B0D10208AFCB64EFB8D44569CBBF4EB04700F1041AAD818A3340E7345A04CF81

Uniqueness

Uniqueness Score: -1.00%

Function 071F35D0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270a94a4ae9f298efd0dd5d2db34e03ddc6dcfa1871cb03816e316c4183b07d8
Instruction ID: aa3d54dd4c2d7628bfe30551faaaf1feb26c851e577eadb6d0d2d79885dd5b8a
Opcode Fuzzy Hash: 270a94a4ae9f298efd0dd5d2db34e03ddc6dcfa1871cb03816e316c4183b07d8
Instruction Fuzzy Hash: BFD05BB0D1420C9FCB50EFB9940435CBFF4AB44300F1041EAD86492340E7359644CF91

Uniqueness

Uniqueness Score: -1.00%

Function 071F3DF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3453b7b7e6ba42815de1b72d4cd04321b09d6c59c8601f5fbf15f0e2b37827bd
Instruction ID: b4f5326fd355468fbc30865d12d63f4d3dadef686a35adc7be35166f6933a953
Opcode Fuzzy Hash: 3453b7b7e6ba42815de1b72d4cd04321b09d6c59c8601f5fbf15f0e2b37827bd
Instruction Fuzzy Hash: 68D017B0D10209AFCB50EFB8E40479CBBB4EB44300F0041AA9828A7340E7345A58CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05770198, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dd86f7bf249f52add81d1ce2a62c44c97fe353d2f46ebb81e8d573e0b779d5
Instruction ID: a79caaeff0648d5091ad1fb5d37b4788c6c976616334256e3fdb4d5357803ebd
Opcode Fuzzy Hash: e5dd86f7bf249f52add81d1ce2a62c44c97fe353d2f46ebb81e8d573e0b779d5
Instruction Fuzzy Hash: 7FD0A7B081521C9FCB44EBBC550936DBBF49701201F1001F9984466240E6741B149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 071F3E78, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dccdd6756746b1a1db80f776f2923201878b070c0245ad7ec4bfb5e4116a6f2
Instruction ID: 4173699435375533d53f337fa369676a6a314dced20b9792a17aa6f58f1d43fe
Opcode Fuzzy Hash: 4dccdd6756746b1a1db80f776f2923201878b070c0245ad7ec4bfb5e4116a6f2
Instruction Fuzzy Hash: 6AD0A7708211089FC750FBB8D40876CBBB4EB00301F1005A9881463280EB711954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0577A2E8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7b2d3295eef57e2dcf007dd844640e32f5677bd851616445916f8cb513302a
Instruction ID: b27bb28340b97d59a695bb44a8714380cc395dd05b9d019176e768b91c3e918c
Opcode Fuzzy Hash: 6d7b2d3295eef57e2dcf007dd844640e32f5677bd851616445916f8cb513302a
Instruction Fuzzy Hash: 1CD0C9724242099BC760ABB4A80DA697BA8E70A202F1245A6A42997104EB761484ABA6

Uniqueness

Uniqueness Score: -1.00%

Function 071F3C50, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714055205e8d9b476c7853c0b61615b6cf9cbadc029fdb4d3472e375a9a62b82
Instruction ID: 56be139055fcfcebf803568579068bf12b8f46adc7a1ba6a0f26f07a067e2934
Opcode Fuzzy Hash: 714055205e8d9b476c7853c0b61615b6cf9cbadc029fdb4d3472e375a9a62b82
Instruction Fuzzy Hash: ABD0A9B0C202089BCB90FFBCA40924CBBF4EB08300F1005A6D818A3340E73126489BE2

Uniqueness

Uniqueness Score: -1.00%

Function 05770160, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598e63655197ee748d63e45e0d92aea4b1497a27346dd59377d54fbc1afb50e4
Instruction ID: 2519718e44e29210d975fe5410bbf411a73bdc35722d6e35568120da851bc99e
Opcode Fuzzy Hash: 598e63655197ee748d63e45e0d92aea4b1497a27346dd59377d54fbc1afb50e4
Instruction Fuzzy Hash: 56C0807044620C9FC750EEB9550D71E779CD701100F010565540493201D5791D1496F7

Uniqueness

Uniqueness Score: -1.00%

Function 0577159D, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41736fc8c4ab14dfe5269cdc0471073521881bfabf8d4a503a2294e24d4483b
Instruction ID: fafb24dac320fc386a382ce79b856e00df63c624b6cbe6765917681f707357c4
Opcode Fuzzy Hash: d41736fc8c4ab14dfe5269cdc0471073521881bfabf8d4a503a2294e24d4483b
Instruction Fuzzy Hash: 0EE0E2B4C2636ACFCF25DFA0CA495EDBBB2FB48350F10089BC815AA600D7308B848F51

Uniqueness

Uniqueness Score: -1.00%

Function 071F4949, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f5ae962ceda3f6f5453bd0d46ea58070a8600c865e84bc65e6f046b2c88547
Instruction ID: 5ce7745601a0a33555ffecf6df876324c1e629e3a10beab783517aeca9c319a7
Opcode Fuzzy Hash: b7f5ae962ceda3f6f5453bd0d46ea58070a8600c865e84bc65e6f046b2c88547
Instruction Fuzzy Hash: 30E0E2B5C1526A8FCF28DF60C9847EABBB0BB51350F0084EA8449AA180D3784B80CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0577196A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd89d04896280b7cf5a1ad343e9816f01faf176dbad87cc465ba11fa8c037fa
Instruction ID: 0b790a8f880af8e32798b919def868f546abe54da81fc1bbe0707c984407f1a0
Opcode Fuzzy Hash: fdd89d04896280b7cf5a1ad343e9816f01faf176dbad87cc465ba11fa8c037fa
Instruction Fuzzy Hash: B5C01239E162889FCB11CFA8E0444D8BBF0EF8A222B4214A3D214EB110D230A528CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05771919, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19493e4ac4f8b869dca81ba938ca66a3efc98a302b4179df08d63cb108db885d
Instruction ID: ff15235fb971fdd1eef8ac51633563d1f505f6d8ce2c232693b21dabaf2d8ff7
Opcode Fuzzy Hash: 19493e4ac4f8b869dca81ba938ca66a3efc98a302b4179df08d63cb108db885d
Instruction Fuzzy Hash: 57E0EC70910119DFCB64CF60D8995EDB771FF45321F0284D6950EA7254DB305E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0577099E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc822885fca21afd922ef63e6ebccb92fc45b8f6c7af07a19d51bfd0f43100e
Instruction ID: 6f48ce5b3f211f1ea11d17c50d1b847ce3d55d868e8879d73c1a525a90fc048d
Opcode Fuzzy Hash: 2bc822885fca21afd922ef63e6ebccb92fc45b8f6c7af07a19d51bfd0f43100e
Instruction Fuzzy Hash: 6CE0B6709151198FCB94DF20C8885EDBBB1EB44300F0190E6881DAB254DB705A918F90

Uniqueness

Uniqueness Score: -1.00%

Function 071F4FE6, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec24c502360b6a3b7bbd766ee7a3f54429921c061e14bf4b53bd389c4fb4768
Instruction ID: 22f966fc7585070fcc82a91f6343fcd1362ba0981b38d2620bb31f39668efa52
Opcode Fuzzy Hash: 0ec24c502360b6a3b7bbd766ee7a3f54429921c061e14bf4b53bd389c4fb4768
Instruction Fuzzy Hash: DCD05EB4C196198FC7A8CF35CA00689FBB2BB58310F0184AAC509A2100EB300B859F00

Uniqueness

Uniqueness Score: -1.00%

Function 071F501D, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bd874d47eaa1346e49b1c28f499a86f4c77aa1500345de3bc93fa1f13c5ba2
Instruction ID: cf059e95e684bd41d4666509c59042d5ffe709a33d1e810f47bb7e879e48c555
Opcode Fuzzy Hash: e7bd874d47eaa1346e49b1c28f499a86f4c77aa1500345de3bc93fa1f13c5ba2
Instruction Fuzzy Hash: D3D06CB59192A88ECF24DF24C8847DDBBB0AB50351F1044DA89097A281D7744BC1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05771778, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6870c3538e4926f83e9f5a75345b3ec67f362304f1467bc0d0219bb292bf14
Instruction ID: 94b8e092c9637787d0bfc66b242729060031cae7d4b3cfe74abae9c51a7c29e1
Opcode Fuzzy Hash: aa6870c3538e4926f83e9f5a75345b3ec67f362304f1467bc0d0219bb292bf14
Instruction Fuzzy Hash: A4D012349063198FCB44CF50C5496EE7772FB44311F1514A580099B255DB305B41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05771507, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e36b98b1919019a27d44f65d09c6c8c2f0199c1683f11a46619a5d4d4031d1
Instruction ID: a12d0774a2d150e359045d7d7c2f24cbe1c577b973e8dacd316fc5a2285c657d
Opcode Fuzzy Hash: 19e36b98b1919019a27d44f65d09c6c8c2f0199c1683f11a46619a5d4d4031d1
Instruction Fuzzy Hash: AFD0A938801209CFC704CB50D8888E9BBB5FB88301F0141A9C009AB700D3305A88CF80

Uniqueness

Uniqueness Score: -1.00%

Function 071F2C38, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.418199529.00000000071F0000.00000040.00000001.sdmp, Offset: 071F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ec65cdcbeee09156e367e1c2143b0bc33a15199c1f4c9ba39af3e4d60f8d6a
Instruction ID: 7b6a16d27144c603deed0a62a215c639c5c6750a26b6d9243612c8e02f098b9a
Opcode Fuzzy Hash: 97ec65cdcbeee09156e367e1c2143b0bc33a15199c1f4c9ba39af3e4d60f8d6a
Instruction Fuzzy Hash: 08C08CB08361089FC324CF60E58486DFB32FB4F211F232016D012EE088C7309804CF09

Uniqueness

Uniqueness Score: -1.00%

Function 05772FC4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413963532.0000000005770000.00000040.00000001.sdmp, Offset: 05770000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f99ed80fdf2c03fdf664710702dd46f3294961ee401e98c703a73106b19072
Instruction ID: 7f2d67769d2f75f081069a48b5e5fc81d7d6277ef7ed0b08cf24a26ac6fbc039
Opcode Fuzzy Hash: 92f99ed80fdf2c03fdf664710702dd46f3294961ee401e98c703a73106b19072
Instruction Fuzzy Hash: 2DC08C3091A1698FCBA4CF60E85429DB731EB4F301F0086C5C01E9E194CB309A91CF02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: CONTRACT.exe PID: 1388 Parent PID: 4600 CONTRACT.exeCOMMON

Executed Functions

Function 00F83850, Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a4272d8b29c25c1cb371313715821052f06887c59bdc345233c3b823c724bf
Instruction ID: 8afde75e05b09151702a4f1bcddbd58c00ad29ad8fb70a435792aafb8d9b6889
Opcode Fuzzy Hash: 19a4272d8b29c25c1cb371313715821052f06887c59bdc345233c3b823c724bf
Instruction Fuzzy Hash: A9421771A04115CFCB05EF68C8849AEBBF2FF85710B29C5AAD5159F222C771ED41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F823A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d170bed7e56160fbcb18dd0785925290ea36ab2657f14ce203e78c903771de24
Instruction ID: b873d9d57abb1fbb21cabb6a3e09f1a13515c82eb8c52839f53da3a360bc0ba3
Opcode Fuzzy Hash: d170bed7e56160fbcb18dd0785925290ea36ab2657f14ce203e78c903771de24
Instruction Fuzzy Hash: C412BD31E00215CFCB64EF69C8847ADBBF2BF84314F688169D416EB265DB38AD45EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F82FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31ccccb8db32b0fc312d2f9b8b39a5c8f119725cb16f3c9093f522a3d54ca71
Instruction ID: e471ed468b3ce44f8ee874dffb6d29c0f7bef86a69939780c13752e9adc062c0
Opcode Fuzzy Hash: f31ccccb8db32b0fc312d2f9b8b39a5c8f119725cb16f3c9093f522a3d54ca71
Instruction Fuzzy Hash: 3D817D72F001159FCB04EB69D854AAEBBF3AFC8714F2A8075E405EB369DE319D019B90

Uniqueness

Uniqueness Score: -1.00%

Function 04DE00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04DE019D

Memory Dump Source

Source File: 0000001C.00000002.425774707.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 02119477c585db5e3ccc143a5aab845b99478147d0a4b9e33856558e5ca65662
Instruction ID: cfc8b8ba9c2a2260b55a7345b14e01c597dbcc236b1175813b09df073612eddd
Opcode Fuzzy Hash: 02119477c585db5e3ccc143a5aab845b99478147d0a4b9e33856558e5ca65662
Instruction Fuzzy Hash: C731AF715097806FE712DF25DC84B56BFF8EF06310F08849AE984CF292D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04DE012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04DE019D

Memory Dump Source

Source File: 0000001C.00000002.425774707.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1ba9edaf2478e627550fd4068e5571a3f6d11fe0d1e75c01d086ba6fa96487a7
Instruction ID: e02446acb0e97ebb53a24228b5744b4ed562e85f87240ceb1136e05a6b0e159a
Opcode Fuzzy Hash: 1ba9edaf2478e627550fd4068e5571a3f6d11fe0d1e75c01d086ba6fa96487a7
Instruction Fuzzy Hash: 67217F71604240AFE721EF6AD885B6AFBE8EF04310F14846AE945CF241D7B1F504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04DE04EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04DE0550

Memory Dump Source

Source File: 0000001C.00000002.425774707.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d525012bbd29da22a0f49dee2967d1d22975682ce7dba54cd98336bc1cec2b5a
Instruction ID: b8f91e369de59c0c1093d84451c83e0246048b1304d2fd7fa9eeef7c98c99e62
Opcode Fuzzy Hash: d525012bbd29da22a0f49dee2967d1d22975682ce7dba54cd98336bc1cec2b5a
Instruction Fuzzy Hash: B111B2715093849FDB12CF25DC85B52BFB8EF06220F0884EBED858F653D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04DE051E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04DE0550

Memory Dump Source

Source File: 0000001C.00000002.425774707.0000000004DE0000.00000040.00000001.sdmp, Offset: 04DE0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3976bb794102ea4677b806546235da798cfa8ccf11a41479d91b2d9bab05a5ef
Instruction ID: a6fff4f1373cef395a5f01bd9fc6e032ff709607c3b3e8e5031e50c148f26d90
Opcode Fuzzy Hash: 3976bb794102ea4677b806546235da798cfa8ccf11a41479d91b2d9bab05a5ef
Instruction Fuzzy Hash: 730188755002418FD711DF19D889765FFA4EF45620F04C0AADD498B652D2B5E404CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00F82D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

, xrefs: 00F82E76

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 713b510233388c4bd852b1afe4f8cc0cf622d5ad6bc73afdb89f326ea4876a09
Instruction ID: f7ce84aeb26afe26b246d4fc9fc1811de46af2ae569116913259954dc192dbcc
Opcode Fuzzy Hash: 713b510233388c4bd852b1afe4f8cc0cf622d5ad6bc73afdb89f326ea4876a09
Instruction Fuzzy Hash: EB41E332E082459FCB50EF69C8846FEBBA2ABC0315B28C476C416DB645C635F802E786

Uniqueness

Uniqueness Score: -1.00%

Function 00F821F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00F8230F

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 65422014dafff21678b0dfea98f5c7549697fbbada5541ce44a5cf1b0f00658e
Instruction ID: f30fb2f41d3bce500737b891eaa4cb8183e31e6aadbd1b3f1f08e1c86c10282f
Opcode Fuzzy Hash: 65422014dafff21678b0dfea98f5c7549697fbbada5541ce44a5cf1b0f00658e
Instruction Fuzzy Hash: 3C41FA31E08209DFDB84EFA5C5557EEBBF1FB45300F6080AAD406A72A0DB35AA45EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F805B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8Xq, xrefs: 00F805D6

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID: 8Xq
API String ID: 0-781766932
Opcode ID: bbd434460030cf895f0f9cf52c7f3ee40c98c9f8fdb35c0911c06168af1ff816
Instruction ID: 77743c51f4f779e1e93ccf89cc26e1eeed8b202db9ad52a13e58cbe4c200d954
Opcode Fuzzy Hash: bbd434460030cf895f0f9cf52c7f3ee40c98c9f8fdb35c0911c06168af1ff816
Instruction Fuzzy Hash: 8B01D1613042604FCB09323C64222AF1BD7ABC6A41B68445BF00AEB391DD7C9C0A53F6

Uniqueness

Uniqueness Score: -1.00%

Function 00F805C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8Xq, xrefs: 00F805D6

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID: 8Xq
API String ID: 0-781766932
Opcode ID: 4ee7428a0a274973d788ebc0c298b81ce22f02565d21a8a92f384bd3fd6e533f
Instruction ID: d201ae9daf4d8eb2f3379a8895b540e946f6b182eb06e0caabdfa7871c9238e6
Opcode Fuzzy Hash: 4ee7428a0a274973d788ebc0c298b81ce22f02565d21a8a92f384bd3fd6e533f
Instruction Fuzzy Hash: B3F090617002248BCA48767D64126BF66CBABC5B91B64452AF10AF7384DD799C0253F6

Uniqueness

Uniqueness Score: -1.00%

Function 00F812A0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94036334756eff73b2693b344c13c1a4160b3c4b5a8ca222b02c13a33934514f
Instruction ID: 4239ab36ce2f74b981af9ad91460369ffeebbb1295c32f07ca23b4e52a13126f
Opcode Fuzzy Hash: 94036334756eff73b2693b344c13c1a4160b3c4b5a8ca222b02c13a33934514f
Instruction Fuzzy Hash: 55220734A00A45CFC724EF28C890AAAB7F2FF88314F14C699D85A9B755DB34AD46DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F802E8, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ed2229be030282f48059285559beb2eee629fdee23bdb2e4d2327d1cca72cb
Instruction ID: 51ea1b5734390884ec6e0eeb4057af012d41757c0e270b4a356576c521442014
Opcode Fuzzy Hash: 80ed2229be030282f48059285559beb2eee629fdee23bdb2e4d2327d1cca72cb
Instruction Fuzzy Hash: C361A231B052058FDB48EF68C4A47AE7BF2EF89310F6880ADD506AB365DE359C09DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F80681, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90781711b8ae2b67c3ac7626459af39aaa09913cbb7ac7065891c3a0089aa497
Instruction ID: 55d38ba2964a1331349ec3f55675936241f5099fa916371cd14b14f11c7b2879
Opcode Fuzzy Hash: 90781711b8ae2b67c3ac7626459af39aaa09913cbb7ac7065891c3a0089aa497
Instruction Fuzzy Hash: EF516C71688240CFC7447B34EC1966D3BA6BF8131AB6485A9F402D72B1DF708C46DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F809A0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7679e1113d35c91fee11c79447f8695f76f0603d720f4ab2f8e0e39a3912d415
Instruction ID: 1659492b3e3879f49b3f2f4dd5ef824e1bb9e0bfc53bdc6c4a00dbe69431a20f
Opcode Fuzzy Hash: 7679e1113d35c91fee11c79447f8695f76f0603d720f4ab2f8e0e39a3912d415
Instruction Fuzzy Hash: B241E831B00104DFCB04EF68D854AADB7F2FF85704F6581A9E116AB2A1CF31AC06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F80BC0, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e4d99a663bc6f2f235aac96760c50b6fd42643e9d738c4982a3e9dfd9210f5
Instruction ID: 321e18602a676848cfb0350789bd86a49099b6a51da88466bdd904a255d07bc0
Opcode Fuzzy Hash: 21e4d99a663bc6f2f235aac96760c50b6fd42643e9d738c4982a3e9dfd9210f5
Instruction Fuzzy Hash: 3641E532B04104CFCB559F68C4147AE77E6BFC6310F65816AE80AEF3A1CE719C0A9791

Uniqueness

Uniqueness Score: -1.00%

Function 00F81458, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d142e3731375d012dc1751eb525b0a9bb3929f7c74e08d9d6f38cf92f88d56e4
Instruction ID: cbeeac18ad21bf862bd8ec082fb99d38f8a9446362e07968000ad8ffa46ccf32
Opcode Fuzzy Hash: d142e3731375d012dc1751eb525b0a9bb3929f7c74e08d9d6f38cf92f88d56e4
Instruction Fuzzy Hash: 4E51E134A00258CFDB54EB68C894B9DBBF2BF49304F5441E9D40AAB366CB35AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F80690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20c45b70a0e8a2f6701fb48adc9704d76a936c33dbf1f3c97d887cd5b770076
Instruction ID: a582c88a901048cbb0585079fea61dca73ad15a643a5c077dc0d6aa96d349e68
Opcode Fuzzy Hash: b20c45b70a0e8a2f6701fb48adc9704d76a936c33dbf1f3c97d887cd5b770076
Instruction Fuzzy Hash: 5A4138716842008FC7447F38EC5D66D3BA6BB8031AB648578F406D72B1CF708C46DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00F82BF8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79eb072e7a7412e7c5867fc94ffb006056a42e2cce5e1792797173c9c44096b8
Instruction ID: d5f556a6089e7009fd979b862c3c9d423a09091ce1c46ca618f7922b58cc6f2a
Opcode Fuzzy Hash: 79eb072e7a7412e7c5867fc94ffb006056a42e2cce5e1792797173c9c44096b8
Instruction Fuzzy Hash: D331293260C295CFC755A76898986BC7FF1AF43330B2985A7D046CF2A2C720AC05E351

Uniqueness

Uniqueness Score: -1.00%

Function 00F802D9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7589bde3a00cd38423d5b7a303473ca00debc9ace754b5541c1f6a7f295dc1e
Instruction ID: 6d980a7724689e305d5661b66b718eec00d224c97e38e7bd994c98c51d289710
Opcode Fuzzy Hash: c7589bde3a00cd38423d5b7a303473ca00debc9ace754b5541c1f6a7f295dc1e
Instruction Fuzzy Hash: 6E416D31B002058FDB58EB68C564BEE7BB2EF89310F644069D506AB3A1CF75AC48EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F820D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e82793ccf32807d732ff416f86ad452d874029145e1b880f0144722f54741e6
Instruction ID: 0c4e00f055a747e7ad0c172d66516ff853956f74da70bba663819d8e2df40b2b
Opcode Fuzzy Hash: 9e82793ccf32807d732ff416f86ad452d874029145e1b880f0144722f54741e6
Instruction Fuzzy Hash: AF318E35A08645DFCB45EF68CC956BEBBB2FF85300B3084A6C516EB255DB30AC41EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F81290, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3508fb11f85cd6a8dd1c882c5b96c811668d04d3e84b8a225caf71e198c838a5
Instruction ID: b078c176a11dcd3d559cb0f2dc6f9e787368b674a282a3a4a2e425ad9d9fb82b
Opcode Fuzzy Hash: 3508fb11f85cd6a8dd1c882c5b96c811668d04d3e84b8a225caf71e198c838a5
Instruction Fuzzy Hash: 2B412374A04258CFCB24EB68D884BAEBBB1BF49304F1441EAD40AEB355DB309D85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F80018, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70a23be3d6dae90f71c6cf17faaa539ab3d963dec57ee90cedaa46e4dc41d66
Instruction ID: d41da2a54b54fec0e783e3e4502301d481ee09a69352561e53b86c3067588225
Opcode Fuzzy Hash: c70a23be3d6dae90f71c6cf17faaa539ab3d963dec57ee90cedaa46e4dc41d66
Instruction Fuzzy Hash: 6031327150D3C2DFC706AB7498696983FF1AF42305F0984DED486CB266EA389C05D723

Uniqueness

Uniqueness Score: -1.00%

Function 00F825DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005dd554473c6f50ea9591ba3a7bf190602d2b37bc5f080ccd535bd012084674
Instruction ID: 17e7f740014296199bfc75dacc8e42bc7556058feb283104dfbd0cf85c1d7788
Opcode Fuzzy Hash: 005dd554473c6f50ea9591ba3a7bf190602d2b37bc5f080ccd535bd012084674
Instruction Fuzzy Hash: FC318B70E00246CFDBA4EF65C84439ABBF2BF84724F24C16DC005AB265DB78A949DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00F821E9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecba97e691a55358aec662dba68a5c614ff1550286eb2be2f528f7b2a114543
Instruction ID: 5587615ef8c9d354d2a573cbeead1e2e351c91f2b3ae8f90f7f930f057dde166
Opcode Fuzzy Hash: 9ecba97e691a55358aec662dba68a5c614ff1550286eb2be2f528f7b2a114543
Instruction Fuzzy Hash: 86314A31E08209DFDB84EBA8C5557EDBBF1BB45300F6040AAC402E72A5DA34AE44EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F84190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1942355c8f5832075533323301ec311a33ced275526a220c06dda01948b9dd77
Instruction ID: 83a4cd2a63b98fee8555bfee4ae4396ee1ca7d1fbd60aae9289da955468cc8fa
Opcode Fuzzy Hash: 1942355c8f5832075533323301ec311a33ced275526a220c06dda01948b9dd77
Instruction Fuzzy Hash: A7112672B042168BCB14FBB5D8052FF7AB6AFC4340F61453BE507D7240DE71A840A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F80B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc9e32b45e60005535797db9441f7efdc9de10e1673e3be033b174f4096b1fc
Instruction ID: aa80df06d955822fb01319e9b0e973048d88ef73622176ee4458fe4e6d423b64
Opcode Fuzzy Hash: 5bc9e32b45e60005535797db9441f7efdc9de10e1673e3be033b174f4096b1fc
Instruction Fuzzy Hash: CC118E32F58155EACBA075749C027EA62D55BC4B98FB088AAA913EB640DE308D08F791

Uniqueness

Uniqueness Score: -1.00%

Function 00F811DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ab6b05bd55dfd031475197d54c9ce8e62cfa14be3ad3024ca50f6ba006b20e
Instruction ID: 8223f073dd651619b189c4e1946998d9169e17ab24499c8264e43c5f820d2c4e
Opcode Fuzzy Hash: a2ab6b05bd55dfd031475197d54c9ce8e62cfa14be3ad3024ca50f6ba006b20e
Instruction Fuzzy Hash: 0D11563530D590CFC745A728C464AA97FF57F86304B2941EBD046CF2B6CE654C099752

Uniqueness

Uniqueness Score: -1.00%

Function 00F84180, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2cd50138fb9dc5d314916f416c430395c166850e08124de26acf19ae925aa9
Instruction ID: 9ef7d4f21a7ea0ed56cd90493821def004210fdafdf8a780564036eb8722e42d
Opcode Fuzzy Hash: ae2cd50138fb9dc5d314916f416c430395c166850e08124de26acf19ae925aa9
Instruction Fuzzy Hash: E501423670CA86CECB13B7B4AC1C1EA7FB59BE1380720047BC513C7111EA36A082B322

Uniqueness

Uniqueness Score: -1.00%

Function 00F8238F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c24d81c6fc08261026f193daecfcecfaee0bb9a6893911889b8dcd50fab3530
Instruction ID: f81c2fe69ef4bfbae9a59c5433bb7f9ef05feed318562ea2bdb568d4ff2b4336
Opcode Fuzzy Hash: 4c24d81c6fc08261026f193daecfcecfaee0bb9a6893911889b8dcd50fab3530
Instruction Fuzzy Hash: 51115A7190825ACFCBA4EFA4C9657EE7BB1BB44304F20406ED502A7391DB356942EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F81218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6efe286e6247084040c3e97b702bf678c50b68a5d0e02065e2ecfe7a7565be8
Instruction ID: baa97257a176db74d9441504b5708ad7390d53db9390a0005e9a165a7d91771b
Opcode Fuzzy Hash: e6efe286e6247084040c3e97b702bf678c50b68a5d0e02065e2ecfe7a7565be8
Instruction Fuzzy Hash: 84013131304010CFC744AB2CD558AAE77EABFC5714B2441AAE406CB775CF759C0AA781

Uniqueness

Uniqueness Score: -1.00%

Function 00F80918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbe4f91156b607853cd762a91ae0f3a381fab07fbbf7264b55c007d0d4a5b66
Instruction ID: 7cbd174c2236060fa40173c041763f34e7e31134d85c822ceca63c95da83c8a5
Opcode Fuzzy Hash: 4bbe4f91156b607853cd762a91ae0f3a381fab07fbbf7264b55c007d0d4a5b66
Instruction Fuzzy Hash: 3CE0A033A552189A9B906AB898006EFBBA99785760BA04467D907A3301DD744809B391

Uniqueness

Uniqueness Score: -1.00%

Function 00F80908, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afbdfa21805c5a3098bb5ff69bd5c1ef8ddb0b2d29822838149da0f65c9045d
Instruction ID: 1512baacbf2fc768d0eec394586a84a24c5298178bf23c92730392e2ee406ae7
Opcode Fuzzy Hash: 8afbdfa21805c5a3098bb5ff69bd5c1ef8ddb0b2d29822838149da0f65c9045d
Instruction Fuzzy Hash: 5CF02731A493408FD7896AB44C257AF2E754B42300B9640AB9803E7392CC6C4C0DB351

Uniqueness

Uniqueness Score: -1.00%

Function 00F80170, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fe54283000f37996c472324fb653d8a6b987097989d066fbd73e5ad6c39622
Instruction ID: 048dcb892c3b4c4e8d6a117cf7226c88c117c05e0875d8f1b7faa2a9e83faaac
Opcode Fuzzy Hash: 71fe54283000f37996c472324fb653d8a6b987097989d066fbd73e5ad6c39622
Instruction Fuzzy Hash: 49E01271109390CFC7065770952A0683BF15E4610A30508EFD406CBBB1DA3ACC55C711

Uniqueness

Uniqueness Score: -1.00%

Function 00F82D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea363682d55a2b909d6edae037e0c99d293226e0b98adc6e17ef7eda2ded42f0
Instruction ID: f1b9127ddc71fb9e88d5576e46a81246dcfa9feb8462cd224e2cd3df2a1f18e7
Opcode Fuzzy Hash: ea363682d55a2b909d6edae037e0c99d293226e0b98adc6e17ef7eda2ded42f0
Instruction Fuzzy Hash: B3D05E3304D2C0AFD68216A41D267A07F609B1B305F2C09C3908B8D0B6A015A905E312

Uniqueness

Uniqueness Score: -1.00%

Function 00F802A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777c9e1157984ea791801f35fd406b9f94300345afdfd83e1dce388e5bbda354
Instruction ID: b3312161ef97ff3782d8abbcfd16749fc385d2a7366ca0543962db1d75e9eb6d
Opcode Fuzzy Hash: 777c9e1157984ea791801f35fd406b9f94300345afdfd83e1dce388e5bbda354
Instruction Fuzzy Hash: 6EE01231509741CFC3419764A6A95957BB0AF86300354889BD097CB665CB24AC05D701

Uniqueness

Uniqueness Score: -1.00%

Function 00F8064F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cc63268f0976e2541915b481182512174192b1e854096ed8cdc392960221dd
Instruction ID: 10734a7e6ad2fbb0e4b6e418a164699f03d19db3f8eae8ecb0e62373e5610341
Opcode Fuzzy Hash: 90cc63268f0976e2541915b481182512174192b1e854096ed8cdc392960221dd
Instruction Fuzzy Hash: D0D0A7734493808FC3421B7019391D03F20DFB22043655497D41096C32E875A59FE732

Uniqueness

Uniqueness Score: -1.00%

Function 00F80180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453dea75af0d3c0b83e97a0b8991cbce6d70ce13b68eb082026ff29be8362a83
Instruction ID: b72c40cfecaba60907cf9541a1dfb1b101d19a2456b4778d152869e8b2162492
Opcode Fuzzy Hash: 453dea75af0d3c0b83e97a0b8991cbce6d70ce13b68eb082026ff29be8362a83
Instruction Fuzzy Hash: 5CD01230200308CFCB082BB0E41D42C33AAAB8820A700087CE806C7BA0EF3AEC80CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00F82EB8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b8b47ec2c9d879a244d80a56e0a43e7956ef1df2bc42d94337e43877e7f8a7
Instruction ID: f785151a698ad42ceada5f557fdbdbe1c317c44067b0461aad2e7aaa6caa52c3
Opcode Fuzzy Hash: 02b8b47ec2c9d879a244d80a56e0a43e7956ef1df2bc42d94337e43877e7f8a7
Instruction Fuzzy Hash: 3FC08C3490C2C22BCF209670188A8A92FD4899014832C04ADC817D6852E461C092A701

Uniqueness

Uniqueness Score: -1.00%

Function 00F82D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a780e22af53752012ddf1e07e38d52a49769439ad63124197f621e7834a2b73
Instruction ID: 549d82918ac06b92c3830dd436e11001cadb1537c4eca9c1f763c023b8ceb6dc
Opcode Fuzzy Hash: 8a780e22af53752012ddf1e07e38d52a49769439ad63124197f621e7834a2b73
Instruction Fuzzy Hash: 5CC0923718C608F6E9D43684AC5EFF4BE18970CB16E340802A20F1D0B82A81B110B396

Uniqueness

Uniqueness Score: -1.00%

Function 00F80660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8c1ab24cd537a7a0c858fdd81fd85bf309ef2dd38253e67afcc5680e0c17fb
Instruction ID: 645afd405d0bf8b1ad578821e6c4dd20ea4463a69bad48c5687e0f39057c1093
Opcode Fuzzy Hash: 8e8c1ab24cd537a7a0c858fdd81fd85bf309ef2dd38253e67afcc5680e0c17fb
Instruction Fuzzy Hash: EAC02B72089304CEC28437B01C0997973085AC03043B0C431A80110430ED32B475FF31

Uniqueness

Uniqueness Score: -1.00%

Function 00F82EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.425083125.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737a136495533b08e5ceeb6b25c0753da7be553f28b175b6333feb9b9c11f38b
Instruction ID: 16f8e6bf11383bc0e2fc92ce92c2dfcc9ec7b7004909a12c1f124660f3d619ed
Opcode Fuzzy Hash: 737a136495533b08e5ceeb6b25c0753da7be553f28b175b6333feb9b9c11f38b
Instruction Fuzzy Hash: 5AB012302082091B1B8077B52C0CA62338C45405153440060980CD2010FD10E4907344

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CONTRACT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre