Play interactive tour

Edit tour

Analysis Report 7lQnHeq3XF

Overview

General Information

Sample Name:	7lQnHeq3XF (renamed file extension from none to exe)
Analysis ID:	432802
MD5:	9750dee05b47f072e5975895dcf61ae5
SHA1:	95f456ae508245b4c6891ad1c847227d0c012d90
SHA256:	eea0f064af6e7b61e19ff9ade76eead562f5d3933d52c5cc7f2f5721d81b8c3d
Tags:	exeNanoCoretrojan
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7lQnHeq3XF.exe (PID: 5360 cmdline: 'C:\Users\user\Desktop\7lQnHeq3XF.exe' MD5: 9750DEE05B47F072E5975895DCF61AE5)

schtasks.exe (PID: 3688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

7lQnHeq3XF.exe (PID: 784 cmdline: {path} MD5: 9750DEE05B47F072E5975895DCF61AE5)

schtasks.exe (PID: 3032 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8362.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

7lQnHeq3XF.exe (PID: 3088 cmdline: C:\Users\user\Desktop\7lQnHeq3XF.exe 0 MD5: 9750DEE05B47F072E5975895DCF61AE5)

schtasks.exe (PID: 5336 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1E69.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

7lQnHeq3XF.exe (PID: 3508 cmdline: {path} MD5: 9750DEE05B47F072E5975895DCF61AE5)

7lQnHeq3XF.exe (PID: 576 cmdline: {path} MD5: 9750DEE05B47F072E5975895DCF61AE5)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6ceec185-c99e-4d5c-8685-49487283", "Group": "Guage12", "Domain1": "185.136.169.24", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435b5:$a: NanoCore 0x4360e:$a: NanoCore 0x4364b:$a: NanoCore 0x436c4:$a: NanoCore 0x56d6f:$a: NanoCore 0x56d84:$a: NanoCore 0x56db9:$a: NanoCore 0x6fd53:$a: NanoCore 0x6fd68:$a: NanoCore 0x6fd9d:$a: NanoCore 0x43617:$b: ClientPlugin 0x43654:$b: ClientPlugin 0x43f52:$b: ClientPlugin 0x43f5f:$b: ClientPlugin 0x56b2b:$b: ClientPlugin 0x56b46:$b: ClientPlugin 0x56b76:$b: ClientPlugin 0x56d8d:$b: ClientPlugin 0x56dc2:$b: ClientPlugin 0x6fb0f:$b: ClientPlugin 0x6fb2a:$b: ClientPlugin
0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x94ff5:$x1: NanoCore.ClientPluginHost 0x95032:$x2: IClientNetworkHost 0x98b65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x94d5d:$a: NanoCore 0x94d6d:$a: NanoCore 0x94fa1:$a: NanoCore 0x94fb5:$a: NanoCore 0x94ff5:$a: NanoCore 0x94dbc:$b: ClientPlugin 0x94fbe:$b: ClientPlugin 0x94ffe:$b: ClientPlugin 0x94ee3:$c: ProjectData 0x1783d5:$c: ProjectData 0x958ea:$d: DESCrypto 0x9d2b6:$e: KeepAlive 0x9b2a4:$g: LogClientMessage 0x9749f:$i: get_Connected 0x95c20:$j: #=q 0x95c50:$j: #=q 0x95c6c:$j: #=q 0x95c9c:$j: #=q 0x95cb8:$j: #=q 0x95cd4:$j: #=q 0x95d04:$j: #=q
00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd46f5:$x1: NanoCore.ClientPluginHost 0xd4732:$x2: IClientNetworkHost 0xd8265:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd445d:$a: NanoCore 0xd446d:$a: NanoCore 0xd46a1:$a: NanoCore 0xd46b5:$a: NanoCore 0xd46f5:$a: NanoCore 0xd44bc:$b: ClientPlugin 0xd46be:$b: ClientPlugin 0xd46fe:$b: ClientPlugin 0xd45e3:$c: ProjectData 0xd4fea:$d: DESCrypto 0xdc9b6:$e: KeepAlive 0xda9a4:$g: LogClientMessage 0xd6b9f:$i: get_Connected 0xd5320:$j: #=q 0xd5350:$j: #=q 0xd536c:$j: #=q 0xd539c:$j: #=q 0xd53b8:$j: #=q 0xd53d4:$j: #=q 0xd5404:$j: #=q 0xd5420:$j: #=q
0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35b5:$a: NanoCore 0x360e:$a: NanoCore 0x364b:$a: NanoCore 0x36c4:$a: NanoCore 0x16d6f:$a: NanoCore 0x16d84:$a: NanoCore 0x16db9:$a: NanoCore 0x2fd53:$a: NanoCore 0x2fd68:$a: NanoCore 0x2fd9d:$a: NanoCore 0x3617:$b: ClientPlugin 0x3654:$b: ClientPlugin 0x3f52:$b: ClientPlugin 0x3f5f:$b: ClientPlugin 0x16b2b:$b: ClientPlugin 0x16b46:$b: ClientPlugin 0x16b76:$b: ClientPlugin 0x16d8d:$b: ClientPlugin 0x16dc2:$b: ClientPlugin 0x2fb0f:$b: ClientPlugin 0x2fb2a:$b: ClientPlugin
00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x94ff5:$x1: NanoCore.ClientPluginHost 0x95032:$x2: IClientNetworkHost 0x98b65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x94d5d:$a: NanoCore 0x94d6d:$a: NanoCore 0x94fa1:$a: NanoCore 0x94fb5:$a: NanoCore 0x94ff5:$a: NanoCore 0x94dbc:$b: ClientPlugin 0x94fbe:$b: ClientPlugin 0x94ffe:$b: ClientPlugin 0x94ee3:$c: ProjectData 0x1783d5:$c: ProjectData 0x958ea:$d: DESCrypto 0x9d2b6:$e: KeepAlive 0x9b2a4:$g: LogClientMessage 0x9749f:$i: get_Connected 0x95c20:$j: #=q 0x95c50:$j: #=q 0x95c6c:$j: #=q 0x95c9c:$j: #=q 0x95cb8:$j: #=q 0x95cd4:$j: #=q 0x95d04:$j: #=q
0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6930f:$a: NanoCore 0x69368:$a: NanoCore 0x693a5:$a: NanoCore 0x6941e:$a: NanoCore 0x69371:$b: ClientPlugin 0x693ae:$b: ClientPlugin 0x69cac:$b: ClientPlugin 0x69cb9:$b: ClientPlugin 0x5f482:$e: KeepAlive 0x697f9:$g: LogClientMessage 0x69779:$i: get_Connected 0x59745:$j: #=q 0x59775:$j: #=q 0x597b1:$j: #=q 0x597d9:$j: #=q 0x59809:$j: #=q 0x59839:$j: #=q 0x59869:$j: #=q 0x59899:$j: #=q 0x598b5:$j: #=q 0x598e5:$j: #=q
00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd46f5:$x1: NanoCore.ClientPluginHost 0xd4732:$x2: IClientNetworkHost 0xd8265:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd445d:$a: NanoCore 0xd446d:$a: NanoCore 0xd46a1:$a: NanoCore 0xd46b5:$a: NanoCore 0xd46f5:$a: NanoCore 0xd44bc:$b: ClientPlugin 0xd46be:$b: ClientPlugin 0xd46fe:$b: ClientPlugin 0xd45e3:$c: ProjectData 0xd4fea:$d: DESCrypto 0xdc9b6:$e: KeepAlive 0xda9a4:$g: LogClientMessage 0xd6b9f:$i: get_Connected 0xd5320:$j: #=q 0xd5350:$j: #=q 0xd536c:$j: #=q 0xd539c:$j: #=q 0xd53b8:$j: #=q 0xd53d4:$j: #=q 0xd5404:$j: #=q 0xd5420:$j: #=q
Process Memory Space: 7lQnHeq3XF.exe PID: 576	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcb2d:$x1: NanoCore.ClientPluginHost 0x126ec:$x1: NanoCore.ClientPluginHost 0x23a8c:$x1: NanoCore.ClientPluginHost 0x4bba9:$x1: NanoCore.ClientPluginHost 0x9ecb8:$x1: NanoCore.ClientPluginHost 0xcb53:$x2: IClientNetworkHost 0x12731:$x2: IClientNetworkHost 0x23ad1:$x2: IClientNetworkHost 0x4bc0a:$x2: IClientNetworkHost 0x9ecde:$x2: IClientNetworkHost 0x5100f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5ef81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 7lQnHeq3XF.exe PID: 576	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 576	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xca1f:$a: NanoCore 0xcac0:$a: NanoCore 0xcb2d:$a: NanoCore 0xcbee:$a: NanoCore 0xdabf:$a: NanoCore 0xdb12:$a: NanoCore 0xdb4b:$a: NanoCore 0xdbbe:$a: NanoCore 0x12666:$a: NanoCore 0x12693:$a: NanoCore 0x126ec:$a: NanoCore 0x19efb:$a: NanoCore 0x19f0e:$a: NanoCore 0x19f40:$a: NanoCore 0x23a06:$a: NanoCore 0x23a33:$a: NanoCore 0x23a8c:$a: NanoCore 0x2b29b:$a: NanoCore 0x2b2ae:$a: NanoCore 0x2b2e0:$a: NanoCore 0x47b28:$a: NanoCore
Process Memory Space: 7lQnHeq3XF.exe PID: 3088	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5a0ed:$x1: NanoCore.ClientPluginHost 0x5a14e:$x2: IClientNetworkHost 0x5f553:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6d4c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 7lQnHeq3XF.exe PID: 3088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 3088	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 3088	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x59bf2:$a: NanoCore 0x59c0e:$a: NanoCore 0x59d69:$a: NanoCore 0x59d78:$a: NanoCore 0x5a051:$a: NanoCore 0x5a07d:$a: NanoCore 0x5a0ed:$a: NanoCore 0x69b2f:$a: NanoCore 0x69b41:$a: NanoCore 0x69b7d:$a: NanoCore 0x59c99:$b: ClientPlugin 0x59dc2:$b: ClientPlugin 0x5a086:$b: ClientPlugin 0x5a0f6:$b: ClientPlugin 0x69b4a:$b: ClientPlugin 0x69b86:$b: ClientPlugin 0x432a1:$c: ProjectData 0x44136:$c: ProjectData 0x59f0f:$c: ProjectData 0x69a7c:$c: ProjectData 0x8883e:$c: ProjectData
Process Memory Space: 7lQnHeq3XF.exe PID: 5360	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16ce60:$x1: NanoCore.ClientPluginHost 0x16cec1:$x2: IClientNetworkHost 0x1722c6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x180238:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 7lQnHeq3XF.exe PID: 5360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 5360	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 5360	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x16c965:$a: NanoCore 0x16c981:$a: NanoCore 0x16cadc:$a: NanoCore 0x16caeb:$a: NanoCore 0x16cdc4:$a: NanoCore 0x16cdf0:$a: NanoCore 0x16ce60:$a: NanoCore 0x17c8a2:$a: NanoCore 0x17c8b4:$a: NanoCore 0x17c8f0:$a: NanoCore 0x16ca0c:$b: ClientPlugin 0x16cb35:$b: ClientPlugin 0x16cdf9:$b: ClientPlugin 0x16ce69:$b: ClientPlugin 0x17c8bd:$b: ClientPlugin 0x17c8f9:$b: ClientPlugin 0xbd5b9:$c: ProjectData 0xbe44e:$c: ProjectData 0xd0b09:$c: ProjectData 0xd199e:$c: ProjectData 0x16cc82:$c: ProjectData
Process Memory Space: 7lQnHeq3XF.exe PID: 784	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2f9f1:$x1: NanoCore.ClientPluginHost 0x9f2ca:$x1: NanoCore.ClientPluginHost 0x125dff:$x1: NanoCore.ClientPluginHost 0x12b9be:$x1: NanoCore.ClientPluginHost 0x13cd5e:$x1: NanoCore.ClientPluginHost 0x2fa17:$x2: IClientNetworkHost 0x9f32b:$x2: IClientNetworkHost 0x125e25:$x2: IClientNetworkHost 0x12ba03:$x2: IClientNetworkHost 0x13cda3:$x2: IClientNetworkHost 0xa4730:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb26a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 7lQnHeq3XF.exe PID: 784	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 7lQnHeq3XF.exe PID: 784	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2239b:$a: NanoCore 0x22402:$a: NanoCore 0x224a7:$a: NanoCore 0x2f8e3:$a: NanoCore 0x2f984:$a: NanoCore 0x2f9f1:$a: NanoCore 0x2fab2:$a: NanoCore 0x30983:$a: NanoCore 0x309d6:$a: NanoCore 0x30a0f:$a: NanoCore 0x30a82:$a: NanoCore 0x54d85:$a: NanoCore 0x9edcf:$a: NanoCore 0x9edeb:$a: NanoCore 0x9ef46:$a: NanoCore 0x9ef55:$a: NanoCore 0x9f22e:$a: NanoCore 0x9f25a:$a: NanoCore 0x9f2ca:$a: NanoCore 0xaed0c:$a: NanoCore 0xaed1e:$a: NanoCore
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.7lQnHeq3XF.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.7lQnHeq3XF.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.7lQnHeq3XF.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.7lQnHeq3XF.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.7lQnHeq3XF.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.7lQnHeq3XF.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.7lQnHeq3XF.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.7lQnHeq3XF.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.7lQnHeq3XF.exe.5930000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.5930000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.7lQnHeq3XF.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.7lQnHeq3XF.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.7lQnHeq3XF.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.7lQnHeq3XF.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.7lQnHeq3XF.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.7lQnHeq3XF.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.7lQnHeq3XF.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.7lQnHeq3XF.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.7lQnHeq3XF.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.7lQnHeq3XF.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.7lQnHeq3XF.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.7lQnHeq3XF.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.7lQnHeq3XF.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.7lQnHeq3XF.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.7lQnHeq3XF.exe.3d0060c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
24.2.7lQnHeq3XF.exe.3d0060c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.3d0060c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.7lQnHeq3XF.exe.42b060c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.42b060c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.42b060c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.7lQnHeq3XF.exe.3c0d568.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.7lQnHeq3XF.exe.3c0d568.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.7lQnHeq3XF.exe.3c0d568.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.7lQnHeq3XF.exe.3c0d568.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.7lQnHeq3XF.exe.5b90000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.5b90000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.5b90000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.7lQnHeq3XF.exe.328ca84.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.328ca84.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.7lQnHeq3XF.exe.35ed568.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.7lQnHeq3XF.exe.35ed568.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.7lQnHeq3XF.exe.35ed568.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.7lQnHeq3XF.exe.35ed568.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.7lQnHeq3XF.exe.2d19530.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
24.2.7lQnHeq3XF.exe.2d19530.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 75 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\7lQnHeq3XF.exe, ProcessId: 784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\7lQnHeq3XF.exe, ProcessId: 784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\7lQnHeq3XF.exe, ProcessId: 784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\7lQnHeq3XF.exe, ProcessId: 784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6ceec185-c99e-4d5c-8685-49487283", "Group": "Guage12", "Domain1": "185.136.169.24", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CLJgKpOuw.exe	Metadefender: Detection: 28%			Perma Link
Source: C:\Users\user\AppData\Roaming\CLJgKpOuw.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Show sources

Source: 7lQnHeq3XF.exe	Virustotal: Detection: 74%	Perma Link
Source: 7lQnHeq3XF.exe	Metadefender: Detection: 28%	Perma Link
Source: 7lQnHeq3XF.exe	ReversingLabs: Detection: 79%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CLJgKpOuw.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 7lQnHeq3XF.exe

Joe Sandbox ML: detected

Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack	Avira: Label: TR/NanoCore.fadte

Source: 7lQnHeq3XF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7lQnHeq3XF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 185.136.169.24
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.3:49732 -> 185.136.169.24:54984

Source: Joe Sandbox View

ASN Name: VELIANET-ASvelianetInternetdiensteGmbHDE VELIANET-ASvelianetInternetdiensteGmbHDE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24
Source: unknown	TCP traffic detected without corresponding DNS query: 185.136.169.24

Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 7lQnHeq3XF.exe, 00000000.00000002.296094481.0000000002521000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.395084402.0000000002B41000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com%
Source: 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7lQnHeq3XF.exe, 00000000.00000003.211078227.0000000005496000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7lQnHeq3XF.exe, 00000000.00000003.211024388.0000000005496000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFA%
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTF
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsd
Source: 7lQnHeq3XF.exe, 00000000.00000002.301189868.0000000005450000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcom~%g
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: 7lQnHeq3XF.exe, 00000000.00000003.210312273.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comld%
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtuede%B
Source: 7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comue6%
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7lQnHeq3XF.exe, 00000000.00000003.212456637.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7lQnHeq3XF.exe, 00000000.00000003.212456637.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/e%B
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: 7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//%
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6%
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H%
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: 7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z%K
Source: 7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/e%B
Source: 7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ge
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z%K
Source: 7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/~%g
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l%y
Source: 7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/lts
Source: 7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vno
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wa
Source: 7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~%g
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: 7lQnHeq3XF.exe, 00000000.00000002.295749634.0000000000A10000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: 7lQnHeq3XF.exe, 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.5930000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.7lQnHeq3XF.exe.328ca84.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.7lQnHeq3XF.exe.2d19530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

.NET source code contains very large strings

Show sources

Source: 7lQnHeq3XF.exe, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: CLJgKpOuw.exe.0.dr, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 0.2.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 0.0.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 12.0.7lQnHeq3XF.exe.ec0000.2.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 12.0.7lQnHeq3XF.exe.ec0000.4.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 12.0.7lQnHeq3XF.exe.ec0000.0.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840
Source: 12.2.7lQnHeq3XF.exe.ec0000.1.unpack, GraphicsUtility/Form1.cs	Long String: Length: 11840

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_00237194	0_2_00237194
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_045215D0	0_2_045215D0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_0452365F	0_2_0452365F
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_04520040	0_2_04520040
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_04521302	0_2_04521302
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_045215C8	0_2_045215C8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_04521018	0_2_04521018
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_04520006	0_2_04520006
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF7618	0_2_06DF7618
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF67E0	0_2_06DF67E0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF5F50	0_2_06DF5F50
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFCCB8	0_2_06DFCCB8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF4528	0_2_06DF4528
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFAD28	0_2_06DFAD28
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF3A0B	0_2_06DF3A0B
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF5361	0_2_06DF5361
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFB850	0_2_06DFB850
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA6C0	0_2_06DFA6C0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFD6E0	0_2_06DFD6E0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF5E9F	0_2_06DF5E9F
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA6B2	0_2_06DFA6B2
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF0E58	0_2_06DF0E58
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFBE35	0_2_06DFBE35
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFB76F	0_2_06DFB76F
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFB7B0	0_2_06DFB7B0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF5F15	0_2_06DF5F15
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF6C71	0_2_06DF6C71
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF9410	0_2_06DF9410
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF9402	0_2_06DF9402
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFBD48	0_2_06DFBD48
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFAB70	0_2_06DFAB70
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFAB62	0_2_06DFAB62
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA018	0_2_06DFA018
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA008	0_2_06DFA008
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFD1E8	0_2_06DFD1E8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA918	0_2_06DFA918
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DFA90A	0_2_06DFA90A
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_00EC7194	12_2_00EC7194
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_0312E471	12_2_0312E471
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_0312E480	12_2_0312E480
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_0312BBD4	12_2_0312BBD4
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057BF5F8	12_2_057BF5F8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057B9788	12_2_057B9788
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057BA5D0	12_2_057BA5D0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057BA610	12_2_057BA610
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_06C20040	12_2_06C20040
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_00787194	16_2_00787194
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0291C124	16_2_0291C124
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0291E570	16_2_0291E570
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0291E560	16_2_0291E560
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A41268	16_2_02A41268
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A433C7	16_2_02A433C7
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A4125A	16_2_02A4125A
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A45CA8	16_2_02A45CA8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A40CB0	16_2_02A40CB0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557FCD8	16_2_0557FCD8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557BD58	16_2_0557BD58
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557AD32	16_2_0557AD32
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05574528	16_2_05574528
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05576C71	16_2_05576C71
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05579410	16_2_05579410
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05579402	16_2_05579402
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557ACE8	16_2_0557ACE8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05575F50	16_2_05575F50
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05575F15	16_2_05575F15
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_055767E0	16_2_055767E0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05577618	16_2_05577618
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A6C0	16_2_0557A6C0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05575E9F	16_2_05575E9F
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A6BA	16_2_0557A6BA
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557E958	16_2_0557E958
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A918	16_2_0557A918
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A90A	16_2_0557A90A
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557D1E8	16_2_0557D1E8
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557B850	16_2_0557B850
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A018	16_2_0557A018
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557A008	16_2_0557A008
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557AB70	16_2_0557AB70
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05575361	16_2_05575361
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_0557AB60	16_2_0557AB60
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05570A70	16_2_05570A70
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 23_2_00307194	23_2_00307194
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 24_2_008A7194	24_2_008A7194
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 24_2_02A9E480	24_2_02A9E480
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 24_2_02A9E471	24_2_02A9E471
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 24_2_02A9BBD4	24_2_02A9BBD4

Source: 7lQnHeq3XF.exe, 00000000.00000000.201215221.00000000002B0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000000.00000002.309170872.0000000006C00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000000.00000002.309329357.0000000006F30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000000.00000002.295749634.0000000000A10000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000000.00000002.309836654.000000000DF90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000000.00000002.296094481.0000000002521000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000000.293132273.0000000000F40000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.484062512.0000000006780000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.483251040.00000000058A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 0000000C.00000002.485001636.0000000007370000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.402371702.0000000006C80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.393428416.0000000000800000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.402963532.00000000070F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.395084402.0000000002B41000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.403083685.0000000007140000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000010.00000002.403083685.0000000007140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000017.00000002.389689688.0000000000380000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000018.00000000.391969474.0000000000920000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe, 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 7lQnHeq3XF.exe
Source: 7lQnHeq3XF.exe	Binary or memory string: OriginalFilenamek8qTx2Z.exeB vs 7lQnHeq3XF.exe

Source: 7lQnHeq3XF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.5930000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.5930000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.7lQnHeq3XF.exe.328ca84.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.328ca84.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.7lQnHeq3XF.exe.2d19530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.2d19530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 7lQnHeq3XF.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CLJgKpOuw.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7lQnHeq3XF.exe, GraphicsUtility/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: CLJgKpOuw.exe.0.dr, GraphicsUtility/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.0.7lQnHeq3XF.exe.ec0000.2.unpack, GraphicsUtility/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 7lQnHeq3XF.exe, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: CLJgKpOuw.exe.0.dr, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 0.2.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 0.0.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 12.0.7lQnHeq3XF.exe.ec0000.2.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 12.0.7lQnHeq3XF.exe.ec0000.4.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 12.0.7lQnHeq3XF.exe.ec0000.0.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca
Source: 12.2.7lQnHeq3XF.exe.ec0000.1.unpack, GraphicsUtility/Form1.cs	Base64 encoded string: 'sHFvx0q4/K8lnT8Bgj7Honj9FeoJx3m09qQQKpOks/cvHlhu13IwlA6Q9a/gNBVJ5cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPSgzApG55hJQOLjnxIL0qsdY2TttP6jIcpFBK26FGQz1ese92VWgsRJFT1srbgo5SFPIMk+jbLKTQ5ewNnKClI5csh6i5HItc6B40fr9wVIfYpUxb63Gvz4DGxgcD7qn2prJsnnb2tpZ+3zDqOUhcoTOoF0F7KDoLSLZDP3aQ5cAqh/bcGXWvQpfVDZoDC66W+BXEQw8VkWZAHPNKFE6WCHrFZSZRNnLmsFEVYbuP2vRCSCNnl0QunusjLYUjrpmh8VErpWAY1/V7I16y0VjoyjJuT69eJwLLel386l6eu5zOdayzYn9f1bz4+PeJ6zc9S6VznOgoJxyU4RtV6leF5RLtVRK4K2xwzlGl4S/N590FaRLlGOPlfKNdzdFir8QflxeOZEpnUP3XowpETISlDpZLKzGPxa3hdz4DwbjDcc2srJss/5AE3iTTPVpMvnT3lxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ26fR4EqClUekMyy8JYlF4mhzAzkwjl6MfyoOTTcd8YLKV4iIa2nFdRG/0tmBA5F17vQoxVBC+VMpaHf+LDY9uoLgbS3OvTHjB4z6ATcexiD+BGzDIGF8i8sdwK37YiT7hl2F/q17ITRu8puCI03h0vYgApWSMzrOwpk1K8poGk58pKbf/rDJ+Wmlx4VqSr3FRbB7ROoZSwuv5jck6gq1ANSOE4p1mBTW7tUEDC5OhN4Ggam4cNlgQPNZ62TSQI34+XF45kSmdQ/dejCkRMhKUMAdKkhCtKfMz72Xjl6d28qckd98yNwUw5Jb9wIFTEt8TieERMI4DOIsS7yxqvr31bRPtv1MS1ywR0uaoqLv9f75cXjmRKZ1D916MKREyEpQ+XF45kSmdQ/dejCkRMhKUPlxeOZEpnUP3XowpETISlD5cXjmRKZ1D916MKREyEpQ3JwJ4VzyMJKtZ3YcJWTlL1clHy1870fxampdBuvXNfvXwX7ebWYAujUkI1p06DWcIZ8aHDFwhmiitL/Z1hUUqlC/YiLHRV1qM0Ll9ezSZkxPwNbLhOZlLUe/qnjd0S4srlMRiwjDI21yIvWuk0esyBaS0wKotzmnw+UPbxQ5oHRUzXVbObKzD0HYpY3LE0kj7vF2HHOxw7idghcbgZamDooLKOhWujPGki/K6udtE1TRzc3msEKOIDkm9an8y1c0lSbFcXCtXPfe+gEgfc4/Es1gdQDYVZyGFP5P6uPJer6VhZj2Pk5thDheeSeNf8at+JIhQW8+c2F3C0JdrjYlnGrg97WhyPWGXXWJz9NSLQsYWZ83S8PhP5fzdwAORrh+mujd8hECfApbxrnj97/XWwtexHAGJa5LTDn0knJM4vJILf0bomdgsHjBAes05UlQxfqroKkXn6+YdOxoCL2Z6Y9DRBZzyY/sKu76eKC9+QAKHc9bPxQCRg5appJa+94hx68xx7oNt6xlWPTS/H3yYTor61TowoNqfGq69zZtWQnfE2KWV3G+DyORVz/X0qNuVC0tZwyby9jJVStPIWiduwIJzj5hQJVVPlCuJJAlU9KO0GpE3Pk59BWHZEJcwMQaE5t6u45WGtl6tdxsbQaZxG3heJIFBwAjqKpnFYYblJi5wwGBxx2ix6ow7XJecOYCOgLqIivQNTGkQFnUpfm2NoVB68a/KLB9rgxkzBA0KyIGIu8vWxN33/smlvn2FcM+voO9S1+iJcxPpzA6iWTClylgNYhU2deMt99dplwvgYxN+ysgyP9UpF148LvLDtmsRBD8RAiZUBJYmzeI6GlaQbVhQVeKy0obtUOIgi9VAhg/7HvGTgA//jxDckjRpMO/LtX6P9FxTgsDZFxDPJPxcJL25Sumzgn1QAifuMVx4iTlxqoDuLNdzpEynqMIUKTpXkJ4fwSu5mS3k+ZbyMdoG3melEL+LJeMjnHoM0w8fkxzi8Oz8Jv+6EczfzayCr4/7viN3yE3hFBzobrU5FUhq1GDkXNjPrHV2ygHDx82I/UHt7RLrUJYTCso4SckUnNO8asAAI7bTPhbFjpOVd8gQglG5XDU0bwaez21nmMNhmcqz8V/AZ4s0uXzfqZV/clH8CXqIIqaPB9MCDoiGFb8YSnBqn7z9wRwcRH3NRaRBvx85UJyZ974GGVrIETpQLvKdReZG480v+U5KmJtAjgU6yJLs70uQBYaKBwpYwidctnM2C4Kqveg6wHnBorkE2qLHr0tmAZCfxWEXGMuZ6f9yPLMJL/CDVNsG6yYbUiVB9THoEmJPpQWN3d1aAUZI1MSPWsyiNhJU6UShO1cvwLwlqokE21dRKBvnPbpGvi3z5mSHeWgInyGH9L3uxmeo7R6iKc+nLbk2hzVEjkldvnSGiklzXG7fyLXAuUP6mxdfKDDVIcMbvqpc7CsVZIQRqZ4tdVvd82TGNPT+wYn4O+a0dqgX34iiVqcKmaYBgFJbRNQlH4TQXZxsxSkXJQ1TzJhZVVxmaW+vyji22X+MT+YrbJbFeLQUqDL60KNkvo0KJJdRwZAChES3/HzHKFpnaKPTipU/wmbW26CYKcML7LHBopROI3mEAisXywtDv61Yc7DU2gTBnDlWI//8d/jR9U7Unw3ASITKWtkhfsDA+tWTAACf08NxNpYE6xmLy1OexrC5+0AVkV8cwvjbqyjC55/pp2org1XfCn7xMQsinwRnoQBSrAzDZpcxCH9W08ar1At5PUkL0buheToyR8jGmIiVXLiZFNHzDaAl08fFpMy1JYyhl0u0JzfDWhgAtwTP1wwOULIViwAVSREGtlGe0hzhguuGfxuHklTDCpd4nPrvPehQm8qOIsnnp3n5JDm5qWyATGEh+V2NPPvUwXawdHozBktdV27qaUl+HNM7fOT37sLLawcxkQcca

Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/7@0/2

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File created: C:\Users\user\AppData\Roaming\CLJgKpOuw.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_01
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6ceec185-c99e-4d5c-8685-49487283603e}
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Mutant created: \Sessions\1\BaseNamedObjects\FoBYiFa

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp

Jump to behavior

Source: 7lQnHeq3XF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7lQnHeq3XF.exe	Virustotal: Detection: 74%
Source: 7lQnHeq3XF.exe	Metadefender: Detection: 28%
Source: 7lQnHeq3XF.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File read: C:\Users\user\Desktop\7lQnHeq3XF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe 'C:\Users\user\Desktop\7lQnHeq3XF.exe'
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8362.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe C:\Users\user\Desktop\7lQnHeq3XF.exe 0
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1E69.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8362.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1E69.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 7lQnHeq3XF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7lQnHeq3XF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7lQnHeq3XF.exe, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CLJgKpOuw.exe.0.dr, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7lQnHeq3XF.exe.230000.0.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.ec0000.2.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.ec0000.4.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.7lQnHeq3XF.exe.ec0000.0.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.7lQnHeq3XF.exe.ec0000.1.unpack, GraphicsUtility/Form1.cs	.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_045223B2 push ebx; retf	0_2_045223B4
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 0_2_06DF7087 pushfd ; iretd	0_2_06DF7091
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057B69FB push esp; retf	12_2_057B6A01
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 12_2_057B69F8 pushad ; retf	12_2_057B69F9
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A45A6C push cs; iretd	16_2_02A45C9A
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_02A4204A push ebx; retf	16_2_02A4204C
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Code function: 16_2_05577087 pushfd ; iretd	16_2_05577091

Source: initial sample	Static PE information: section name: .text entropy: 7.70438467215
Source: initial sample	Static PE information: section name: .text entropy: 7.70438467215

Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File created: C:\Users\user\AppData\Roaming\CLJgKpOuw.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File opened: C:\Users\user\Desktop\7lQnHeq3XF.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 7lQnHeq3XF.exe, 00000000.00000002.296180901.000000000256C000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 7lQnHeq3XF.exe, 00000000.00000002.296180901.000000000256C000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Window / User API: threadDelayed 5332	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Window / User API: threadDelayed 4039	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Window / User API: foregroundWindowGot 655	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe TID: 5344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe TID: 2996	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe TID: 4760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe TID: 5236	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 7lQnHeq3XF.exe, 0000000C.00000002.485001636.0000000007370000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 7lQnHeq3XF.exe, 00000000.00000002.295927491.0000000000ADF000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 7lQnHeq3XF.exe, 0000000C.00000002.485001636.0000000007370000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 7lQnHeq3XF.exe, 0000000C.00000002.485001636.0000000007370000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 7lQnHeq3XF.exe, 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 7lQnHeq3XF.exe, 0000000C.00000002.485001636.0000000007370000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Memory written: C:\Users\user\Desktop\7lQnHeq3XF.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Memory written: C:\Users\user\Desktop\7lQnHeq3XF.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8362.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1E69.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Process created: C:\Users\user\Desktop\7lQnHeq3XF.exe {path}	Jump to behavior

Source: 7lQnHeq3XF.exe, 0000000C.00000002.481443074.0000000003722000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: 7lQnHeq3XF.exe, 0000000C.00000002.475220912.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 7lQnHeq3XF.exe, 0000000C.00000002.475220912.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 7lQnHeq3XF.exe, 0000000C.00000002.475220912.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Users\user\Desktop\7lQnHeq3XF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Users\user\Desktop\7lQnHeq3XF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Users\user\Desktop\7lQnHeq3XF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Users\user\Desktop\7lQnHeq3XF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7lQnHeq3XF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7lQnHeq3XF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: 7lQnHeq3XF.exe, 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 7lQnHeq3XF.exe, 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 7lQnHeq3XF.exe, 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: 7lQnHeq3XF.exe, 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 7lQnHeq3XF.exe, 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: 7lQnHeq3XF.exe, 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 576, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 3088, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 5360, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7lQnHeq3XF.exe PID: 784, type: MEMORY
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3cfb7d6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d04c35.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42ab7d6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b4c35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.7lQnHeq3XF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.7lQnHeq3XF.exe.3c0d568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.5b90000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7lQnHeq3XF.exe.35ed568.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.7lQnHeq3XF.exe.42b060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.7lQnHeq3XF.exe.3d0060c.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading1	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information21	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7lQnHeq3XF.exe	74%	Virustotal		Browse
7lQnHeq3XF.exe	34%	Metadefender		Browse
7lQnHeq3XF.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
7lQnHeq3XF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CLJgKpOuw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CLJgKpOuw.exe	34%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CLJgKpOuw.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
24.0.7lQnHeq3XF.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.7lQnHeq3XF.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.7lQnHeq3XF.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.7lQnHeq3XF.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.2.7lQnHeq3XF.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.7lQnHeq3XF.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.7lQnHeq3XF.exe.5b90000.10.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/lts	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/e%B	0%	Avira URL Cloud	safe
http://www.fontbureau.comue6%	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/e%B	0%	Avira URL Cloud	safe
http://www.fontbureau.comFA%	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/Z%K	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l%y	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/~%g	0%	Avira URL Cloud	safe
http://www.fontbureau.comTTF	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/8	0%	URL Reputation	safe
http://www.fontbureau.com%	0%	Avira URL Cloud	safe
185.136.169.24	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsd	0%	URL Reputation	safe
http://www.fontbureau.comalsd	0%	URL Reputation	safe
http://www.fontbureau.comalsd	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/wa	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/vno	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Z%K	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//%	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/~%g	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H%	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ge	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comcom~%g	0%	Avira URL Cloud	safe
http://www.fontbureau.comtuede%B	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/6%	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comld%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.136.169.24	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/lts	7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/e%B	7lQnHeq3XF.exe, 00000000.00000003.212456637.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comue6%	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/e%B	7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comFA%	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/jp/Z%K	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/l%y	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/~%g	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comTTF	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/8	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com%	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/DPlease	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	7lQnHeq3XF.exe, 00000000.00000002.296094481.0000000002521000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.395084402.0000000002B41000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comalsd	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	7lQnHeq3XF.exe, 00000000.00000003.212456637.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/wa	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/vno	7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Z%K	7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp//%	7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/~%g	7lQnHeq3XF.exe, 00000000.00000003.208508628.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comd	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/H%	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmld	7lQnHeq3XF.exe, 00000000.00000003.211024388.0000000005496000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/ge	7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comcom~%g	7lQnHeq3XF.exe, 00000000.00000002.301189868.0000000005450000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlN	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comtuede%B	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	7lQnHeq3XF.exe, 00000000.00000003.211078227.0000000005496000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/6%	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/	7lQnHeq3XF.exe, 00000000.00000003.208065677.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	7lQnHeq3XF.exe, 00000000.00000003.207513572.0000000005456000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	7lQnHeq3XF.exe, 00000000.00000002.308503618.00000000066E2000.00000004.00000001.sdmp, 7lQnHeq3XF.exe, 00000010.00000002.400664137.0000000005B80000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comals	7lQnHeq3XF.exe, 00000000.00000003.211489943.0000000005456000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comld%	7lQnHeq3XF.exe, 00000000.00000003.210312273.0000000005456000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.136.169.24	unknown	United Kingdom		29066	VELIANET-ASvelianetInternetdiensteGmbHDE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432802
Start date:	10.06.2021
Start time:	19:03:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	7lQnHeq3XF (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/7@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 80% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 97% Number of executed functions: 156 Number of non-executed functions: 18
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:04:41	API Interceptor	684x Sleep call for process: 7lQnHeq3XF.exe modified
19:04:42	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\7lQnHeq3XF.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.136.169.24	41d0d4f9999b50bd9636508b7a247b04e6b919b8ed32d.exe	Get hash	malicious	Browse
	cd933deed6ad151dbc88561ea55dc128b464843b481a4.exe	Get hash	malicious	Browse
	Letter of Demand.doc	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VELIANET-ASvelianetInternetdiensteGmbHDE	pivaa.apk	Get hash	malicious	Browse	92.204.221.12
	Doc2000120201.xls	Get hash	malicious	Browse	185.136.169.163
	220bb2b7deba41f53a8d86d677691aff283314a29c27c.exe	Get hash	malicious	Browse	185.136.169.163
	Scan003.doc	Get hash	malicious	Browse	185.136.169.109
	cce53a67bb01a8f71b21fbdbf1b8a32345d81bbec12df.exe	Get hash	malicious	Browse	185.136.169.109
	RFQ#20053491.xlsx	Get hash	malicious	Browse	92.204.160.45
	no.IV640381 refer PO 4500260781.xlsx	Get hash	malicious	Browse	92.204.160.45
	Ultimate-File(1).docm	Get hash	malicious	Browse	134.119.181.142
	Ultimate-File(1).docm	Get hash	malicious	Browse	134.119.181.142
	AnyDesk (Sample).exe	Get hash	malicious	Browse	78.138.106.22
	41d0d4f9999b50bd9636508b7a247b04e6b919b8ed32d.exe	Get hash	malicious	Browse	185.136.169.24
	cd933deed6ad151dbc88561ea55dc128b464843b481a4.exe	Get hash	malicious	Browse	185.136.169.24
	Letter of Demand.doc	Get hash	malicious	Browse	185.136.169.24
	2bb0000.exe	Get hash	malicious	Browse	193.42.156.106
	RE New order.exe	Get hash	malicious	Browse	92.204.163.146
	AnyDeskCKS.exe	Get hash	malicious	Browse	185.136.157.77
	intercom.exe	Get hash	malicious	Browse	134.119.186.216
	gJvdHdeawX.exe	Get hash	malicious	Browse	134.119.186.216
	qbUoyUZWnC.exe	Get hash	malicious	Browse	185.136.169.155
	SecuriteInfo.com.Ransom.Stop.P6.19307.exe	Get hash	malicious	Browse	134.119.186.216

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7lQnHeq3XF.exe.log Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp1E69.tmp Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.19196486799254
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBrtn:cbh47TlNQ//rydbz9I3YODOLNdq3v
MD5:	51C03E6FFF88EF349C81FF84C2F8F94B
SHA1:	34AE6BEAB2F34E7F754973D6FC23E4AD60A3EB64
SHA-256:	E37FD145922750F95C158B07866A9D73FD9D1B2DA67B9C9A478D7A4E35EF1089
SHA-512:	997EAF31A006EDBA09D98781F96482DA716CC5805BB5125965AB9525E22D10BE1C43B438AB5EF1B277CECE23B29CFA366EF70D02669C7A6518F10CF2C94FC7AF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.19196486799254
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBrtn:cbh47TlNQ//rydbz9I3YODOLNdq3v
MD5:	51C03E6FFF88EF349C81FF84C2F8F94B
SHA1:	34AE6BEAB2F34E7F754973D6FC23E4AD60A3EB64
SHA-256:	E37FD145922750F95C158B07866A9D73FD9D1B2DA67B9C9A478D7A4E35EF1089
SHA-512:	997EAF31A006EDBA09D98781F96482DA716CC5805BB5125965AB9525E22D10BE1C43B438AB5EF1B277CECE23B29CFA366EF70D02669C7A6518F10CF2C94FC7AF
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp8362.tmp Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.123957763857257
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0TXxtn:cbk4oL600QydbQxIYODOLedq3IXj
MD5:	9EDDF2EE551487EBE6C93C2F40EA7CAB
SHA1:	43689EB449EECAC751976B4969F5BEF0585C7057
SHA-256:	25F651D7FD2035C121EF8893AA407FEA84BF95233436AE20900418733046F26F
SHA-512:	5F293900A6A0AED425CBC384111A6A8848B0124E127E06F592502B256AC5791BB13603642A6402BF756DE0949612DF60BB33A467C1ABD9E477C1DE6C8F30337B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\CLJgKpOuw.exe Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	511488
Entropy (8bit):	7.692170481145156
Encrypted:	false
SSDEEP:	12288:qhBSAd7kDsfDQMZUVCfdtZqJq2QJoWr0p/zsq5X6NGmBx:qhBSo7kDsWiCKouEB6N
MD5:	9750DEE05B47F072E5975895DCF61AE5
SHA1:	95F456AE508245B4C6891AD1C847227D0C012D90
SHA-256:	EEA0F064AF6E7B61E19FF9ADE76EEAD562F5D3933D52C5CC7F2F5721D81B8C3D
SHA-512:	8C52E2F45A47D5FEE4F58C93478105E48D18D7BC9AA5FF9B3F5EA1477FB687C29037200125B38349E604CD841DCAF20D6B7B6542C57DBDC72488F9177BF7BA3B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.`..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......H...(.......J...p...P...........................................".(.....".(.....^.(........}......}.......0............{.....+...0............{.....+..B...}......}........0..2.........o.....o....Y..o.....o....Y...Z..ZXl(....k...+.....0..O........".......+0........., .......o.........,........o........X....i......-....+...^.(........}......}......0............{.....+...0............{.....+..B...}......}........0..2.........o.....o....Y..o.....o....Y...Z..ZX

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:u:u
MD5:	56FDE996BE3F8E26310C687C0CB102EB
SHA1:	7F6DA9DA4A1AD6C4B328B4A5B89F9CA439C4D012
SHA-256:	91B9404A440B92457001305F07E97746FE279BE58DF58A2AE09D365F5084EBC0
SHA-512:	9BBA08475C6AAD7AE79041A514B793C93C04B608A70D4E212E3D2BFF4AB863F41826C86C4E5D0CD348E475ADBD2B26C8E7242F794236D0124D81369E46B78C28
Malicious:	true
Preview:	..E},.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\7lQnHeq3XF.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.496898555450565
Encrypted:	false
SSDEEP:	3:oNWXp5vSJcnCn:oNWXpFSJ/n
MD5:	E393A7661EB5342CB1854E7658086172
SHA1:	ABB9A18EB2C16D0EBD6AAFA86D7898B34C5BF479
SHA-256:	73DD810932A854CB4143C58082C6F21F8138223A499B68C26BAB51DF00C4DF8B
SHA-512:	E7358C03D19D88A4B9B782DC26B98B2C4A601C6CBF6B2342A62C3C73D1AFA24D4DDA157779D98ED1616D9D060DEF81292C8DAC83B7BA9BA8FB9722E6B196B346
Malicious:	false
Preview:	C:\Users\user\Desktop\7lQnHeq3XF.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.692170481145156
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	7lQnHeq3XF.exe
File size:	511488
MD5:	9750dee05b47f072e5975895dcf61ae5
SHA1:	95f456ae508245b4c6891ad1c847227d0c012d90
SHA256:	eea0f064af6e7b61e19ff9ade76eead562f5d3933d52c5cc7f2f5721d81b8c3d
SHA512:	8c52e2f45a47d5fee4f58c93478105e48d18d7bc9aa5ff9b3f5ea1477fb687c29037200125b38349e604cd841dcaf20d6b7b6542c57dbdc72488f9177bf7ba3b
SSDEEP:	12288:qhBSAd7kDsfDQMZUVCfdtZqJq2QJoWr0p/zsq5X6NGmBx:qhBSo7kDsWiCKouEB6N
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.`..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47e312
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60A2331A [Mon May 17 09:10:50 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e2c0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c398	0x7c400	False	0.84128010249	data	7.70438467215	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x5a4	0x600	False	0.416666666667	data	4.06990605525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x80090	0x314	data
RT_MANIFEST	0x803b4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.0.0
InternalName	k8qTx2Z.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Graphics Utility
ProductVersion	1.0.0.0
FileDescription	Graphics Utility
OriginalFilename	k8qTx2Z.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 19:04:43.513456106 CEST	49732	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:04:46.515486956 CEST	49732	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:04:52.531589985 CEST	49732	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:02.174238920 CEST	49742	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:05.188992023 CEST	49742	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:11.205147982 CEST	49742	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:19.087956905 CEST	49743	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:22.096630096 CEST	49743	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:28.112893105 CEST	49743	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:51.741662979 CEST	49754	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:05:54.755695105 CEST	49754	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:06:00.756123066 CEST	49754	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:06:08.352464914 CEST	49755	54984	192.168.2.3	185.136.169.24
Jun 10, 2021 19:06:11.366318941 CEST	49755	54984	192.168.2.3	185.136.169.24

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 7lQnHeq3XF.exe PID: 5360 Parent PID: 5840

General

Start time:	19:03:54
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\7lQnHeq3XF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\7lQnHeq3XF.exe'
Imagebase:	0x230000
File size:	511488 bytes
MD5 hash:	9750DEE05B47F072E5975895DCF61AE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.298237654.00000000036C6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.297181399.0000000003529000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3688 Parent PID: 5360

General

Start time:	19:04:35
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp6F2E.tmp'
Imagebase:	0x370000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4128 Parent PID: 3688

General

Start time:	19:04:36
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 7lQnHeq3XF.exe PID: 784 Parent PID: 5360

General

Start time:	19:04:37
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\7lQnHeq3XF.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xec0000
File size:	511488 bytes
MD5 hash:	9750DEE05B47F072E5975895DCF61AE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476199801.0000000003261000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.293449778.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.292982404.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.481846262.00000000042A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.483716211.0000000005B90000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.470249000.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.483484770.0000000005930000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3032 Parent PID: 784

General

Start time:	19:04:40
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8362.tmp'
Imagebase:	0x370000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4280 Parent PID: 3032

General

Start time:	19:04:40
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 7lQnHeq3XF.exe PID: 3088 Parent PID: 528

General

Start time:	19:04:42
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\7lQnHeq3XF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\7lQnHeq3XF.exe 0
Imagebase:	0x780000
File size:	511488 bytes
MD5 hash:	9750DEE05B47F072E5975895DCF61AE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.396832392.0000000003CE6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.395146878.0000000002B8C000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.395816202.0000000003B49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5336 Parent PID: 3088

General

Start time:	19:05:21
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CLJgKpOuw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1E69.tmp'
Imagebase:	0xfb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5568 Parent PID: 5336

General

Start time:	19:05:21
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 7lQnHeq3XF.exe PID: 3508 Parent PID: 3088

General

Start time:	19:05:22
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\7lQnHeq3XF.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x300000
File size:	511488 bytes
MD5 hash:	9750DEE05B47F072E5975895DCF61AE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 7lQnHeq3XF.exe PID: 576 Parent PID: 3088

General

Start time:	19:05:22
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\7lQnHeq3XF.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8a0000
File size:	511488 bytes
MD5 hash:	9750DEE05B47F072E5975895DCF61AE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.410604962.0000000003CB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.391573162.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.409379306.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.390895301.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.410520702.0000000002CB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 7lQnHeq3XF.exe PID: 5360 Parent PID: 5840 7lQnHeq3XF.exeCOMMON

Executed Functions

Function 06DFB7B0, Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

'?], xrefs: 06DFBA70

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: '?]
API String ID: 0-3296522457
Opcode ID: 0941e37f40ff7550c46ee4fe8b7c33e282dacd1f9bab3a83052af05c0c74fb0b
Instruction ID: bbea9391ccac1b3a037fc3e7ba5a0957a4547ffe13c9101e94a310a7a49fd0f2
Opcode Fuzzy Hash: 0941e37f40ff7550c46ee4fe8b7c33e282dacd1f9bab3a83052af05c0c74fb0b
Instruction Fuzzy Hash: D5F19C7490630ADFCB60DFA9D8849CDBBF2FB49310B15C466D605EB228D7309A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DFB76F, Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

'?], xrefs: 06DFBA70

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: '?]
API String ID: 0-3296522457
Opcode ID: f7064f0475a30cc7a65b29e5f9595a83294ac821bd4b6fe5a57bfb6d0bfcc77d
Instruction ID: 8682b0b87e4beeffc9e7cb257a00cca87726a9f7e41036c89ad3419219f5f156
Opcode Fuzzy Hash: f7064f0475a30cc7a65b29e5f9595a83294ac821bd4b6fe5a57bfb6d0bfcc77d
Instruction Fuzzy Hash: 05F19B7490630ADFCB60DFA9D8849CDBBF2FB49310B15846AD605EB228D7309A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DFB850, Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

'?], xrefs: 06DFBA70

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: '?]
API String ID: 0-3296522457
Opcode ID: 48415cfccc516c9ab75a80442d0689c6df0f06f0c3214fe472deea5159ed971b
Instruction ID: 2f0b50664a60bd2246135672fd2bda6feb5f88b3f8d82363e34810e46dcb833c
Opcode Fuzzy Hash: 48415cfccc516c9ab75a80442d0689c6df0f06f0c3214fe472deea5159ed971b
Instruction Fuzzy Hash: 31D17A74A1230ADFCB54EFA9D58498DBBF2FF49301B19D466D609DB228DB309A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5E9F, Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

A4d, xrefs: 06DF601F

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: A4d
API String ID: 0-2060319707
Opcode ID: 0cd96f9524a04afce31c1e48d0d0ad788bccc8c7ad60e6fbc9180e8b92026460
Instruction ID: d841a1ca35a5288d3f5cdaf742541c1f6593950638ee1aeaaf8ca0df437f254b
Opcode Fuzzy Hash: 0cd96f9524a04afce31c1e48d0d0ad788bccc8c7ad60e6fbc9180e8b92026460
Instruction Fuzzy Hash: 6EB14A74E05209DFCB64CFAAD8906DEFBF2FF89300F24846AD955AB214D7309945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06DFCCB8, Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

>b*c, xrefs: 06DFCDE5

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: >b*c
API String ID: 0-3241390858
Opcode ID: ec3b750521d3bf8f312ba3501c4236fd230bdc8120356e7762faf3600da6ec33
Instruction ID: b9e52960c4613801f7fc8bf55e9d5a9f519a4cf4cb16d55a5d78d3d99d10289d
Opcode Fuzzy Hash: ec3b750521d3bf8f312ba3501c4236fd230bdc8120356e7762faf3600da6ec33
Instruction Fuzzy Hash: E2B15770E2521D8FDB44CFE9C9816DEFBF2BF88310F158566C505AB214D7349902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5F15, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

A4d, xrefs: 06DF601F

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: A4d
API String ID: 0-2060319707
Opcode ID: 1e141f5d02c835098e01d2c93c3ab52b702cb45de967cca2527b32aa1ff9baa2
Instruction ID: 18050eaf6b6662f12ddee39e79fb48fa1a5d2a0a3ca1b4082a11449fec82c188
Opcode Fuzzy Hash: 1e141f5d02c835098e01d2c93c3ab52b702cb45de967cca2527b32aa1ff9baa2
Instruction Fuzzy Hash: F8A12674E15249CFDB58CFE9C880ADEFBB2EF89300F24806AD516AB265D7349905CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5F50, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

A4d, xrefs: 06DF601F

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: A4d
API String ID: 0-2060319707
Opcode ID: dabf7c1636a16b8f62f952da655e0ea145e5bad996b3213b8749ccc04db0ab72
Instruction ID: 2a88e0385f3500b5182a545d39668004174b5486dfbfdb4f6417ed92dee1425e
Opcode Fuzzy Hash: dabf7c1636a16b8f62f952da655e0ea145e5bad996b3213b8749ccc04db0ab72
Instruction Fuzzy Hash: A691D474E102198FDB48CFA9C980ADEBBB2EF89300F24902AD519BB354D7349946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06DF3A0B, Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b383e30d295694995e226fc09e1aca3de76908abc681e4a5024606bed01e6313
Instruction ID: 978538f2986dca1c735d29a9df9108b02111915a4055a9b8689adecd8bab4d08
Opcode Fuzzy Hash: b383e30d295694995e226fc09e1aca3de76908abc681e4a5024606bed01e6313
Instruction Fuzzy Hash: 4D52C974A012189FDB64DF64C894AADB7B2FF89304F1181D9D50EA73A5CB34AE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DF4528, Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82807f92667177658243b4d2cde0cd5cdb4a2c5796459638b7c919189d5b509d
Instruction ID: 398dd499f35f06bdca4ecba48ec9d159badcd0cb09df11d5cdc8bebe447ca46f
Opcode Fuzzy Hash: 82807f92667177658243b4d2cde0cd5cdb4a2c5796459638b7c919189d5b509d
Instruction Fuzzy Hash: CEF1D235F102548FCB58CFA9D480AAEBBF2AF85304F168469D5169B362CB30EC42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0452365F, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07177dda827a6d0a14d3e3d8ecb7685df9f3a76dcf3ee60308c5ecc05a5394e
Instruction ID: bf0562f877f91c5348488c04965fb6e21d10c9e303619c015140a708db98af81
Opcode Fuzzy Hash: e07177dda827a6d0a14d3e3d8ecb7685df9f3a76dcf3ee60308c5ecc05a5394e
Instruction Fuzzy Hash: F58140B4E19219CFCB14CFA5D6805DDFBB6FB4A310F24942AD405AB394E338A945DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04520006, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2315b4048d2f8370ab9dd1d841f2c832fe7861a883a4e0717cf629a18e0278
Instruction ID: 0d434748b52c753c621b65d7733a48ec903c2460b5919665b1cdedca5fc8d7d3
Opcode Fuzzy Hash: 1f2315b4048d2f8370ab9dd1d841f2c832fe7861a883a4e0717cf629a18e0278
Instruction Fuzzy Hash: 0C811374E063599FCB14DFA5D89459EBBB3FF8A300F10802AD616AB3A5DB345A02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 045215D0, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65da1697b094740f60ae3175114469ffa376cad155ae39349a1e664a37386986
Instruction ID: b66c5431ca2864ac622e1331c8e60af3ebf50e94d0a21f015edab2c449e691e8
Opcode Fuzzy Hash: 65da1697b094740f60ae3175114469ffa376cad155ae39349a1e664a37386986
Instruction Fuzzy Hash: 47814971E0062A8BCB64CF65CD447D9B7B2FF89300F1081EAD609A7690EB706A85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04521302, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3812483beb7a28d1cca4fa807c8812c02e56d2b97c09379990a81d248474c0
Instruction ID: d4feb345a964ba6ffc6c6182cf5672acb0c5146bde55513a0db6437bb2114785
Opcode Fuzzy Hash: da3812483beb7a28d1cca4fa807c8812c02e56d2b97c09379990a81d248474c0
Instruction Fuzzy Hash: FB616F74E06619DBCB04CFA5E6806DFFBB2FF9A300F24942AE046B7294E33459459F54

Uniqueness

Uniqueness Score: -1.00%

Function 04520040, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5157b505eb159b3aa457749e68b747049d34b6e67974df3113e5afcee33eacf5
Instruction ID: a36111148324301e561dcb8b97a00497804ca3f5e9049579b280ac98e63fe41f
Opcode Fuzzy Hash: 5157b505eb159b3aa457749e68b747049d34b6e67974df3113e5afcee33eacf5
Instruction Fuzzy Hash: AE71C274E012199FCB54DFE6D9445AEBBB3FF89310F20842ADA16AB394DB345A02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DF67E0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9c44717b5f344d8c12ce9c5b678ce965815e7f0ac0409315f45ff26c774ab2
Instruction ID: 7b3f0428df133d105134adc3a664f5659997395ff750e943ce88fc8921429fea
Opcode Fuzzy Hash: 8a9c44717b5f344d8c12ce9c5b678ce965815e7f0ac0409315f45ff26c774ab2
Instruction Fuzzy Hash: 83515874E152498FDB48CFAAD4406EEFBF2EF89301F14D06AD519A7254D7348A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 045215C8, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07907e389d7a3f1bc0ad28e1344ad97e771785e64dcb576fab1af03e8910de3a
Instruction ID: 6533a9f3e7493888be19dc26822a32b7019fa4d85f9ecc6b148548a3731c2ad6
Opcode Fuzzy Hash: 07907e389d7a3f1bc0ad28e1344ad97e771785e64dcb576fab1af03e8910de3a
Instruction Fuzzy Hash: 01515D70E1062A8BDB28CF66CD447DAB7B2FF89300F1482E6D509A7690EB705AC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5361, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc8d618faca18cade272cdcd9759c01486f5c919b1c160df1845186f46894dd
Instruction ID: 2579423abd736b2f038b7d91432a42efc02677baa2ad9d6aaafb77951fd2de95
Opcode Fuzzy Hash: 8fc8d618faca18cade272cdcd9759c01486f5c919b1c160df1845186f46894dd
Instruction Fuzzy Hash: 33312771E016189BEB58DF6BDC44A9EBBF3AFC9200F05C1AAD508A7264DB305A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06DFAD28, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438721ef1ccee7d2e467785cbde4b32d572e804246d1f422d3c6c19a7372ac12
Instruction ID: 0945b50b7d59ca74a09f2c09f0fb90a96736706b19c44cf895797befc976d72e
Opcode Fuzzy Hash: 438721ef1ccee7d2e467785cbde4b32d572e804246d1f422d3c6c19a7372ac12
Instruction Fuzzy Hash: 6B310A71E056189BEB58CFABD840ADEBBF3AFC9200F14C4BAD508A7254DB305A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 06DF7618, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193b8f1979fdbaf1dc40f3e033dcd07c22e41dc668143dd0e39d892221970903
Instruction ID: 68065ac0c60b9c74603cbb4427d51c2d3d52b86834cd387f144cff204359434a
Opcode Fuzzy Hash: 193b8f1979fdbaf1dc40f3e033dcd07c22e41dc668143dd0e39d892221970903
Instruction Fuzzy Hash: 1D312875E016188BDB58CFABD8446DEBBF7AFC8310F14C06AD509AB254DB344A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04522C04, Relevance: 1.6, APIs: 1, Instructions: 147processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04522D63

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a730abf714fc25c31a253d00ffb8c651ec426b1fee1bb8c3cbf6f29f31b3750e
Instruction ID: 937a705dec37fa3b9bde6628f5eca09ea4cef9877ac7351619af335e7cfd6e4a
Opcode Fuzzy Hash: a730abf714fc25c31a253d00ffb8c651ec426b1fee1bb8c3cbf6f29f31b3750e
Instruction Fuzzy Hash: 02511371D003299FDB61CF95C980BDDBBB2BF49314F1581AAE408B7250DB35AA89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04522C10, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04522D63

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a14a12edb212f19d6b9b3c360020ce941c5ac414b1f73d7b063e1456af933f0
Instruction ID: 5763ee35d7c0b81943a5d18ee288d4a26425f19b7f821a897afb282a2532d5f0
Opcode Fuzzy Hash: 4a14a12edb212f19d6b9b3c360020ce941c5ac414b1f73d7b063e1456af933f0
Instruction Fuzzy Hash: 5E5114759003299FDB60CF95C980BDDBBB2BB49304F15809AE908B7250DB35AA89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 045231B0, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04523245

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 25d45e1cde7e5d36cf33bfe4ae53dad555180e54ba8187e750d7a9944b54891f
Instruction ID: 6dff0e962d0cf92fc8990417ab51f932357f19899a1f5ea6859bc9d07bea78c6
Opcode Fuzzy Hash: 25d45e1cde7e5d36cf33bfe4ae53dad555180e54ba8187e750d7a9944b54891f
Instruction Fuzzy Hash: 842114B1900259DFCB10CFAAD985BDEBBF5FF48314F10842AE919A3240D778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 045231B8, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04523245

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 500820f81f02a3a6df040aed8baeea8e37445af866e495b0a46e407aa1657ebb
Instruction ID: 92f8c41f15cf5f5099a44f56c6e2e3a29fb63fd76da7aaf001488136d66743ce
Opcode Fuzzy Hash: 500820f81f02a3a6df040aed8baeea8e37445af866e495b0a46e407aa1657ebb
Instruction Fuzzy Hash: FE21E4B19002599FCB10CFAAD985BDEBBF4FF49314F10842AE959A3240D778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523038, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 045230BF

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38bc3a2b6be454d1a7f9399370a45fd95b6f1c61106def88494dba28a1d80650
Instruction ID: af9ad188ac571255dcd5a2c27b15c8a50d715650e49a7573f025611bf241b8f2
Opcode Fuzzy Hash: 38bc3a2b6be454d1a7f9399370a45fd95b6f1c61106def88494dba28a1d80650
Instruction Fuzzy Hash: 2A21F5B1D002599FCB10CFAAD984BDEBBF5FB48320F10842AE919A3250D378A545DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04522F79, Relevance: 1.6, APIs: 1, Instructions: 61threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04522FF7

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 520917c044968179ad09c338ac4bddda44259aa94c76280341c1e250e0a2e7eb
Instruction ID: 9b64e43a627b2752a77155d40a6b231b929e1065fd5b3c29f4172dea0a7c939b
Opcode Fuzzy Hash: 520917c044968179ad09c338ac4bddda44259aa94c76280341c1e250e0a2e7eb
Instruction Fuzzy Hash: 7D2158B1D0021A9FCB10CF9AD9857EEFBF4BB49320F50816AE418B3240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04523040, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 045230BF

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: be983a0f6fbcc112aa87e0695fff7aa7c1ff7b68dde25bda5ffb941ac5c4c160
Instruction ID: 56e9b920c3ba7d69b482fa2e990f280899a1daa3984e492afddaa7e3ddbe8cc3
Opcode Fuzzy Hash: be983a0f6fbcc112aa87e0695fff7aa7c1ff7b68dde25bda5ffb941ac5c4c160
Instruction Fuzzy Hash: 1621E4B59002599FCB10CF9AD984BDEFBF4FB48320F10842AE959A3250D378A544DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04522F80, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04522FF7

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0c88dc438667876f05d58f25e1f99dd0ff23113901b4aa4bcaf0f51c68bf59f8
Instruction ID: 3591a58d3e0c1c55e87dece52d66ac0c2edb360303851b95953bf45510c4eae5
Opcode Fuzzy Hash: 0c88dc438667876f05d58f25e1f99dd0ff23113901b4aa4bcaf0f51c68bf59f8
Instruction Fuzzy Hash: EE2106B1D006199FCB10CF9AD985BEEFBF4BB49324F54816AE418A3240D778A9448FA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523108, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0452317B

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bc688d46d168790d03d9871f9c1545c7f6765b685ced988813e367a7cf9a9bd5
Instruction ID: 730e39f0d9568e04dd7987a42b00c4fb067b9ddba5332beeaa40209721345cdf
Opcode Fuzzy Hash: bc688d46d168790d03d9871f9c1545c7f6765b685ced988813e367a7cf9a9bd5
Instruction Fuzzy Hash: 7D1146B18006499FCB20CF9AD884BDEBFF4FB48320F10842AE969A7250D335A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523C20, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04523C85

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d197c58e196d08205d7adb18cddca537671c9925b488e71bebb10f7d2cf92e0c
Instruction ID: d516fa33efb67f8fbd43bacd10e537dcb961eec508b8bc25430f76c38919edf9
Opcode Fuzzy Hash: d197c58e196d08205d7adb18cddca537671c9925b488e71bebb10f7d2cf92e0c
Instruction Fuzzy Hash: 2C1106B58003499FDB20DF9AD985BDEFBF8FB48324F10841AE455A3200D374A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523110, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0452317B

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 236e2cc20b4909bda03d57cf57c4f1175cd724cd7598372d78f8a8f1b4c629df
Instruction ID: ceb46c6b3bd9ff974d531b53cdb3f072caacfc3e7bc1c926d4fbbce70c92eea9
Opcode Fuzzy Hash: 236e2cc20b4909bda03d57cf57c4f1175cd724cd7598372d78f8a8f1b4c629df
Instruction Fuzzy Hash: 261125B19002499FCB20CF9AD884BDEBFF4FB48324F24841AE529A7250C335A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523368, Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 045233CF

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0ea17d149e5598b5d6fd6131f4c7a2a01e2d5587937abaa68f54db79a446642d
Instruction ID: d2490052f9c3825bd92078c768caf48fe56c7b55c0c85d1d680e99f0c4db1695
Opcode Fuzzy Hash: 0ea17d149e5598b5d6fd6131f4c7a2a01e2d5587937abaa68f54db79a446642d
Instruction Fuzzy Hash: D91118B1D002098FCB20DF9AD585BDFFBF8EB49324F20845AD919A3240D775A544CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 04523C28, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04523C85

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4d3d023b460e7f7a724dc94b7f77caaae3e963612fbf28c898bceb74ac5d53df
Instruction ID: 381899759eb46ecd3cbff6d66e0dc3e24133375cc29a7e81d4dc02097304a1b4
Opcode Fuzzy Hash: 4d3d023b460e7f7a724dc94b7f77caaae3e963612fbf28c898bceb74ac5d53df
Instruction Fuzzy Hash: 231115B58003499FDB20CF9AD984BDEFBF8FB48324F10841AE855A3200D374A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04523370, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 045233CF

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d2e993d3a67685608660273b4a6a7263cc1be9e50532c1e671e4f0440ac2586a
Instruction ID: 879272e2ac9788b3da88e3cfc034a3aa6fe14054caaabb9e1d88df122bf176a7
Opcode Fuzzy Hash: d2e993d3a67685608660273b4a6a7263cc1be9e50532c1e671e4f0440ac2586a
Instruction Fuzzy Hash: 261112B1C002098FCB20DF9AD984BDEFBF8EB49324F20845AD519A3240C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DFC9E3, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

E*9, xrefs: 06DFCA73

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: E*9
API String ID: 0-1835010685
Opcode ID: db50f791be21d9e39a5556f1271d76c4fcdec65b60f4079374ad7c4a433fc657
Instruction ID: 1393e4bd7cd40aa2284a5518a4b32a9bf9d6615f62f3d9e654acff4c7fad16c2
Opcode Fuzzy Hash: db50f791be21d9e39a5556f1271d76c4fcdec65b60f4079374ad7c4a433fc657
Instruction Fuzzy Hash: 22316971E1925A8FCB04CFAAC8419EFBBF2AF89200F10C46AC515A7355E7349A15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF69D8, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

'|p#, xrefs: 06DF6A30

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: '|p#
API String ID: 0-3423785259
Opcode ID: 5d8100eb7ab15eff7e2a253b17fde4d07405d3eee13b598c4c47794662a0fce4
Instruction ID: 962ee3da40f44456fb75c60ae33c0547bdcab9a7429174cfa8e214e3b9537d1a
Opcode Fuzzy Hash: 5d8100eb7ab15eff7e2a253b17fde4d07405d3eee13b598c4c47794662a0fce4
Instruction Fuzzy Hash: 673114B4E1521ADFCB84CFA9C5809AEBBF2FB88300F11C4AAD515A7750E7349A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DF69E8, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

'|p#, xrefs: 06DF6A30

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: '|p#
API String ID: 0-3423785259
Opcode ID: ba05cc6248df696a831b12d9944584f3612c1d20b2debf32533b3a107149feb4
Instruction ID: 4ce36698e6abe39614e56263a010f2f44405fd72cfcf83275828c391310a4c52
Opcode Fuzzy Hash: ba05cc6248df696a831b12d9944584f3612c1d20b2debf32533b3a107149feb4
Instruction Fuzzy Hash: 6D310774E1421ADFCB84CFA9C5809AEBBF2BB88300F11D46AC515A7754E7749A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DF7CDA, Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

M)_, xrefs: 06DF7D2A

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: M)_
API String ID: 0-611615159
Opcode ID: 1b40d1bc11f7c8b41b4f65f3375eb501800acd7f8afa679566df74ff82098765
Instruction ID: e84a71a78bcb6c5cafbc61644d02177f38b163e68282321b0bc652c030f52192
Opcode Fuzzy Hash: 1b40d1bc11f7c8b41b4f65f3375eb501800acd7f8afa679566df74ff82098765
Instruction Fuzzy Hash: BAF05F74902269CFCB61CF55D984AD9BBB1FB49311F1040D5A959A7350DB319A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06DF4D60, Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3ffe6763d6a634a08144435e8edadc5f18129694fd61b21a135af2d2bc5f74
Instruction ID: 0df2c4b62927538078ce7b6ea1a10366c218b7c0df72007fb78973d0b36a19ff
Opcode Fuzzy Hash: 6c3ffe6763d6a634a08144435e8edadc5f18129694fd61b21a135af2d2bc5f74
Instruction Fuzzy Hash: 47C13B34B101189FDB54DF68D954AAE7BF6FF88204F168029E606DB3A1DB34DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0A70, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1ae8638348bf0763b8fcced2b45da04f5b11b86afb044a34a4df677e834742
Instruction ID: 3cbc869cc1e9510ff1fb2fc4dbe636a9b0a6d13f159499c0322185e2371f996d
Opcode Fuzzy Hash: 0d1ae8638348bf0763b8fcced2b45da04f5b11b86afb044a34a4df677e834742
Instruction Fuzzy Hash: 55A1A034B101199FCB54EF64D864AAE77A7FF88304F068429E9069B395CF34DD42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0870, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305fa7cbea331a92178f927c3e95f7c457b027393bd097bc9740ad302a6f542b
Instruction ID: 36353fd21cccbdf6660b84e24cf492bb0833a62393684e289d6f5fa4ad35f14a
Opcode Fuzzy Hash: 305fa7cbea331a92178f927c3e95f7c457b027393bd097bc9740ad302a6f542b
Instruction Fuzzy Hash: 0751C531B1420A9FDB54DFB8C89496EBBF2AF85214B0B8469D605D7262EF30DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0448, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66f43f281d1888e76209be7b794d74d1be66dd650547dc2fa17a70bd8c5091c
Instruction ID: e6722573b18d240a29e2ecea632d2108b2142bcf4cc302deb3de70967b2ac3f4
Opcode Fuzzy Hash: a66f43f281d1888e76209be7b794d74d1be66dd650547dc2fa17a70bd8c5091c
Instruction Fuzzy Hash: 97618D35F10118CFCB54EF68D464AAD7BB2EF88310F164469EA06AB3A1CB70DC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5210, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a91a5491b5c65de5cd6269cf6f3152a9c9abfa5bff53dc610a2831cfb98354
Instruction ID: 93c350d5a35788e02c00124bf1b6739f64f4c844f32095c8ce330f98caddde87
Opcode Fuzzy Hash: b2a91a5491b5c65de5cd6269cf6f3152a9c9abfa5bff53dc610a2831cfb98354
Instruction Fuzzy Hash: 9C41CD30E10216DFCB64CFA8D8489AEBBF1BB59304F024665D501E7261D732E841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0BAF, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9357e0650834e43a65546e6c12629e12565242fb234f879252f7ec8ffb3db30
Instruction ID: d8be68197c9e60bcdbe9de48d337bd87d006d1dbaa8999fb2ea9c9417022e1c9
Opcode Fuzzy Hash: a9357e0650834e43a65546e6c12629e12565242fb234f879252f7ec8ffb3db30
Instruction Fuzzy Hash: AB416934A101199FCF24AF24D854AAEB7A6FFC8304F058429F906976A4CB34DD52CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF4919, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9aaa649a636c0b2b869e89ae0f7fd6f405fd5917d60932fb3ca7c294d7ee7d
Instruction ID: 35952433e923a76e4297e86c631df7f2b434a1647d160dc96c4c55c0e62da56a
Opcode Fuzzy Hash: 5d9aaa649a636c0b2b869e89ae0f7fd6f405fd5917d60932fb3ca7c294d7ee7d
Instruction Fuzzy Hash: 5C41E574E002189FDB18CFA5D890A9EBBF2BF89300F24912AE505BB364DB309946CF45

Uniqueness

Uniqueness Score: -1.00%

Function 06DF6B10, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164057f68ebc42bf13680fdd6c92efcbc4326656d2e11a1d4a3da4dd4f6ba881
Instruction ID: 09113b9a4334cc6b7a78e5c7f99f5bd3bd514ee38bbf4b903abc25b452d2b7e3
Opcode Fuzzy Hash: 164057f68ebc42bf13680fdd6c92efcbc4326656d2e11a1d4a3da4dd4f6ba881
Instruction Fuzzy Hash: 01312BB0E15649AFCB44CFA9C58199EBBF2FF89300F11C8A6E518E7615E730DA018F91

Uniqueness

Uniqueness Score: -1.00%

Function 06DF8B52, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd2ac4e3966caf6cd647f520f86a54fd51c5386d143c4b2939cca1f07bc0754
Instruction ID: 897a6179c245c785af25844338bc20b4f93e0823519d7133199e362a964ee66d
Opcode Fuzzy Hash: 1cd2ac4e3966caf6cd647f520f86a54fd51c5386d143c4b2939cca1f07bc0754
Instruction Fuzzy Hash: E63141B0E15209EFDB44DFA5C9405AEFBF2AF89300F15C8AAC544A7254D7308B419F52

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0438, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25597d48e4f2c3f15d9836bd9ba178778a6340a30af07ce1eac4e98e6fdae59c
Instruction ID: dd1d9951c64704974ca91546a62c3bd95215162575d83d3ffcb85c66c838d1ca
Opcode Fuzzy Hash: 25597d48e4f2c3f15d9836bd9ba178778a6340a30af07ce1eac4e98e6fdae59c
Instruction Fuzzy Hash: C5218976E00108DFCF04EFA4D855ADDBBB2EB48350F108469EA02B72A1DB319D45DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DF8C60, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcc8be64f1c29f6396196bc6eb1473b9cd810c1e46ce90f122d8a5ff844611f
Instruction ID: b28abd8b6c60b03410f848b06be3be4814f2dcf4d1b4e4aa286e6d5c53c3267d
Opcode Fuzzy Hash: 3bcc8be64f1c29f6396196bc6eb1473b9cd810c1e46ce90f122d8a5ff844611f
Instruction Fuzzy Hash: E2215974E11208AFDB44CFA9C944A9EFBF2EF88300F15C5AADA189B355DB309A01DB41

Uniqueness

Uniqueness Score: -1.00%

Function 06DFDD90, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93088c0295d60d57786e7102647d26cae4f70853256ebe45518e75a4ee2a766b
Instruction ID: 314bada1fded6961409a7d2569b9c213455b98ffca0e73c95f59f148eb6b227b
Opcode Fuzzy Hash: 93088c0295d60d57786e7102647d26cae4f70853256ebe45518e75a4ee2a766b
Instruction Fuzzy Hash: 3011A734F202149FDBA49B7988106BFB6A7EFC4754F068529EA46C7385DB74CD0187E2

Uniqueness

Uniqueness Score: -1.00%

Function 06DFFA28, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45416944ad0edb4b1babfd809a44209ed04a9fada2768ab99f26b6f7d14d523c
Instruction ID: 0cb312cb35e852a41eff21667b5636b48d57ec5f6eba75652f830fc87107843f
Opcode Fuzzy Hash: 45416944ad0edb4b1babfd809a44209ed04a9fada2768ab99f26b6f7d14d523c
Instruction Fuzzy Hash: A6118E75E252188BDB44CFA6D8049EEFBFBAB8D310F04903AC605B3354D7349801CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DF8C70, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05689c4754c348d431c44e80b091c909b901dc8fbbfe30b2a0e14086997545a7
Instruction ID: 2e034f86d0debe542eed3a736b0cfee33b33c2affbb85a48eca91eea666f0dac
Opcode Fuzzy Hash: 05689c4754c348d431c44e80b091c909b901dc8fbbfe30b2a0e14086997545a7
Instruction Fuzzy Hash: 8911F674E11208EFDB44CFA9C944A9DFBF2EF88300F15C5AADA18AB355D7709A41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 06DF4C90, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893d0f0c9f7db6156763229b8f247f69fa116c95c8c66abb8d48c4737d0fecf3
Instruction ID: b3a911c37d0003b2b070a5abc024c0bcfc26b69602ee62a47ca79a892f90a5bb
Opcode Fuzzy Hash: 893d0f0c9f7db6156763229b8f247f69fa116c95c8c66abb8d48c4737d0fecf3
Instruction Fuzzy Hash: 3C118630A14108EFCB10FFA4E455ADDBFB1FF45308F1188A9E5088B276D7319A1ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 06DF085F, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8444e8ab178d5fe1a424b79a8b660a79c73e3d1cac8cc3647f0bc8de9fee8d3c
Instruction ID: ae77943f4fbf0d5923d87bcae795677ebeaf8212098d2d6302dc07ee7074a38a
Opcode Fuzzy Hash: 8444e8ab178d5fe1a424b79a8b660a79c73e3d1cac8cc3647f0bc8de9fee8d3c
Instruction Fuzzy Hash: 2FE02236F25209AFDB013BA0EC992CB7FB4EB00390F008472EA01C3013EE20851BC6E1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5925, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9eb931def9bedd5e48d484fb91e6c56d03776936a331c3cffb60e7e96dd7a05
Instruction ID: a1ed3a2e5b3079e3968da09321b6fd9073b53534240000e89303e9521f3e751c
Opcode Fuzzy Hash: d9eb931def9bedd5e48d484fb91e6c56d03776936a331c3cffb60e7e96dd7a05
Instruction Fuzzy Hash: 0CF0E1749042298FDB64DFA8D84079DB7B2FF89300F10D4AAD11DAB255DB304E859F62

Uniqueness

Uniqueness Score: -1.00%

Function 06DFD190, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d379412e35ff929b4ec75ff5c178a4820e5b4c973025545776ab5da195f6783f
Instruction ID: 5ea7a838d7d016f7d6f70110e16e57cd7b613efc425534a09f5a135928ed561e
Opcode Fuzzy Hash: d379412e35ff929b4ec75ff5c178a4820e5b4c973025545776ab5da195f6783f
Instruction Fuzzy Hash: DCF039B4D55309AFDB50EFE8E8566AEBFB5FB06304F1085AAC454A3341E3710A02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06DF5328, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876d36bf77a98cdbf57b994168589987e1b25cf6609d4cbd358184a913ae39f4
Instruction ID: 654da7fae6532ea69b9461c6c57902bf74965e5f6e9a871218f45f99e5704f4e
Opcode Fuzzy Hash: 876d36bf77a98cdbf57b994168589987e1b25cf6609d4cbd358184a913ae39f4
Instruction Fuzzy Hash: 25E0C2B184B345AFC3219FB6F80A6CA3FAAE702241F0500A1D645C3052DE310609C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06DFD1D8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad6cade4a5ab334a3070204efef55c0f27ea3da2aa16828ccf5b975348eefe
Instruction ID: 0fe4c9f56186f7a44b3e469992892fd955ec41ae8ecbac08463515abb78ec390
Opcode Fuzzy Hash: 8cad6cade4a5ab334a3070204efef55c0f27ea3da2aa16828ccf5b975348eefe
Instruction Fuzzy Hash: 2DE08C749443048FD7419BA0E8646AE7B32FB06204F128696C40593291D7304802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF77AD, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701060b040d2ef97953cd373dfd5803395aca702b14ac11ac3a9ffbc853e6cc2
Instruction ID: 87c5643a3b5deffe74bfba6fcb7633652cf626f129d38bdecfbc17299648041e
Opcode Fuzzy Hash: 701060b040d2ef97953cd373dfd5803395aca702b14ac11ac3a9ffbc853e6cc2
Instruction Fuzzy Hash: D6E03934920215CFCB90CF59C5848DDB7B2FB48700F128094D50EAB218CA30EA80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06DFD1A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c369f1dc2ec58c55f07ff148cac88ded44513965bea80ff29df74685e1c51c
Instruction ID: 4cfb77297c1f8eb9a073286ca5319ea15fe1c2733c5428902a29a88677fad60b
Opcode Fuzzy Hash: c9c369f1dc2ec58c55f07ff148cac88ded44513965bea80ff29df74685e1c51c
Instruction Fuzzy Hash: E1E01A74D003199FCB40EFE8D8046AEBBF5FB08300F1085AAC818A3340E7701A01CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06DFFBB0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de01a6343c1ff5590e5b650485b10331765ba4921ea9d3ce12b90e65769407e
Instruction ID: a5f86c92ec326412fb8f3e3e3dd338a7bb2c5f6075e45b3edbfaf7cffaf0d2d2
Opcode Fuzzy Hash: 3de01a6343c1ff5590e5b650485b10331765ba4921ea9d3ce12b90e65769407e
Instruction Fuzzy Hash: B7E0EC70D51208AFCB90EFE9D51579DBBF5AB04304F1084EA8818D3340E7345A05CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06DFFD20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995a1a31400fb64a95776ff8471eecbbc8b654fa79e3fe5040bd8406abcb8530
Instruction ID: d728de17e2172d74f890647970a3a950589b3f0bb971b3ac3e31644d969da405
Opcode Fuzzy Hash: 995a1a31400fb64a95776ff8471eecbbc8b654fa79e3fe5040bd8406abcb8530
Instruction Fuzzy Hash: 80D01270D4520CABC754DFF9E40469EBBB5AB44304F1085A9851853240D7301941CF85

Uniqueness

Uniqueness Score: -1.00%

Function 06DF7A71, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3c8870be750933ad1986cb4c26b540810546dd46aa245446f6d524932884be
Instruction ID: 35d21994a58ca2716734a55c81becc9e7b3a9ad8795c118a2a11dbb57d673ae1
Opcode Fuzzy Hash: fb3c8870be750933ad1986cb4c26b540810546dd46aa245446f6d524932884be
Instruction Fuzzy Hash: B5D0C970520795DF9785AF68A140899BBB3AB4E343B524429D28E9A225D732C540CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06DF7A9A, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4cba5ddf6ec6332c60a87e43b4440834ffb23a0ec722488fd8881c16c3caca
Instruction ID: f5a50c8affd3460b1a08c1d1d56370e0d72e66b746cc5d3215ef949664b9112d
Opcode Fuzzy Hash: 4c4cba5ddf6ec6332c60a87e43b4440834ffb23a0ec722488fd8881c16c3caca
Instruction Fuzzy Hash: B6D06C74602324CFC7A49F24E284898BBB3BF0A312F520098E60A5B321CB36DAC4CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00237194, Relevance: 4.9, Instructions: 4946
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00237194(signed int __eax, signed int __ebx, signed int __ecx, intOrPtr* __edx, signed int __edi, signed int* __esi) {
				signed int _t768;
				signed char _t770;
				signed int _t773;
				signed char _t775;
				intOrPtr* _t776;
				signed char _t777;
				signed int _t779;
				signed int _t781;
				signed int _t785;
				signed int _t790;
				signed int _t794;
				signed int _t799;
				signed int _t804;
				signed int _t809;
				signed int _t814;
				signed int _t821;
				intOrPtr* _t824;
				signed char _t826;
				signed int* _t827;
				signed int _t829;
				signed int _t830;
				signed int _t836;
				signed char _t839;
				intOrPtr* _t843;
				intOrPtr* _t848;
				signed char _t850;
				signed int* _t851;
				signed char _t857;
				intOrPtr* _t859;
				signed int _t861;
				signed int _t862;
				signed int _t864;
				signed char _t866;
				signed char _t867;
				signed int _t870;
				signed int _t871;
				signed int _t874;
				signed char _t877;
				signed int _t878;
				signed char _t879;
				intOrPtr* _t882;
				signed int _t884;
				intOrPtr* _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				intOrPtr* _t889;
				intOrPtr* _t890;
				signed int _t892;
				intOrPtr* _t893;
				intOrPtr* _t894;
				intOrPtr* _t895;
				signed int _t896;
				signed int _t897;
				signed int _t899;
				intOrPtr* _t900;
				intOrPtr* _t904;
				signed char _t906;
				intOrPtr* _t908;
				intOrPtr* _t909;
				signed char _t910;
				intOrPtr* _t911;
				intOrPtr* _t912;
				signed int _t914;
				signed char _t915;
				intOrPtr* _t916;
				signed char _t918;
				signed int _t920;
				intOrPtr* _t922;
				intOrPtr* _t923;
				intOrPtr* _t924;
				signed int _t925;
				signed int _t926;
				intOrPtr* _t1420;
				signed int _t1421;
				intOrPtr* _t1422;
				intOrPtr* _t1423;
				intOrPtr* _t1424;
				intOrPtr* _t1426;
				intOrPtr* _t1427;
				signed int _t1428;
				intOrPtr* _t1429;
				intOrPtr* _t1430;
				intOrPtr* _t1431;
				intOrPtr* _t1432;
				intOrPtr* _t1433;
				intOrPtr* _t1434;
				intOrPtr* _t1435;
				intOrPtr* _t1436;
				intOrPtr* _t1437;
				signed int _t1439;
				intOrPtr* _t1440;
				intOrPtr* _t1443;
				intOrPtr* _t1445;
				intOrPtr* _t1447;
				intOrPtr* _t1449;
				intOrPtr* _t1451;
				intOrPtr* _t1453;
				intOrPtr* _t1454;
				intOrPtr* _t1455;
				intOrPtr* _t1456;
				intOrPtr* _t1458;
				intOrPtr* _t1459;
				intOrPtr* _t1460;
				signed char _t1464;
				intOrPtr* _t1465;
				intOrPtr* _t1466;
				intOrPtr* _t1467;
				intOrPtr* _t1468;
				intOrPtr* _t1469;
				intOrPtr* _t1470;
				signed int _t1471;
				signed int _t1475;
				signed char _t1478;
				intOrPtr* _t1479;
				intOrPtr* _t1481;
				intOrPtr* _t1487;
				signed int _t1488;
				intOrPtr* _t1489;
				intOrPtr* _t1490;
				signed int _t1492;
				signed int* _t1497;
				signed int* _t1498;
				intOrPtr* _t1499;
				intOrPtr* _t1500;
				intOrPtr* _t1503;
				intOrPtr* _t1504;
				intOrPtr* _t1506;
				signed char _t1508;
				signed char _t1509;
				signed char _t1510;
				signed int _t1511;
				signed int* _t1512;
				signed int _t1513;
				void* _t1514;
				signed int* _t1515;
				void* _t1519;
				void* _t1596;
				void* _t1598;
				signed int* _t1599;
				void* _t1600;
				signed char _t1604;
				signed char _t1615;
				signed char _t1616;
				signed char _t1617;
				signed char _t1618;
				signed char _t1619;
				signed char _t1620;
				signed char _t1621;
				signed char _t1622;
				signed char _t1624;
				void* _t1735;
				signed int* _t1738;
				void* _t1742;
				void* _t1749;
				signed int* _t1753;
				signed int* _t1755;
				signed int _t1823;
				intOrPtr* _t1824;
				signed int* _t1826;
				void* _t1859;
				signed int* _t1861;
				signed int _t1886;
				signed int _t1890;
				void* _t1929;
				signed char _t1952;
				signed int _t1970;
				signed int _t1987;
				void* _t1992;
				void* _t2004;
				signed int _t2006;
				intOrPtr _t2013;
				signed int _t2014;
				signed int _t2015;
				signed int _t2016;
				signed char _t2029;
				signed char _t2032;
				intOrPtr* _t2033;
				signed int _t2072;
				intOrPtr* _t2073;
				intOrPtr _t2077;
				signed int _t2078;
				intOrPtr _t2079;
				signed int _t2088;
				signed char _t2089;
				signed int _t2108;

				_t1861 = __esi;
				_t1823 = __edi;
				_t1511 = __ebx;
				asm("adc esi, [eax]");
				_t768 = __eax;
				_push(_t768);
				 *_t768 =  *_t768 + _t768;
				 *((intOrPtr*)(_t768 + _t768)) =  *((intOrPtr*)(_t768 + _t768)) + __ebx;
				 *__ecx =  *__ecx + __edx;
				 *__esi =  *__esi + __edx;
				_t1604 = __ecx |  *__ebx;
				 *[ss:ebx] =  *[ss:ebx] + _t768;
				asm("outsd");
				asm("cmpsb");
				 *_t768 =  *_t768 + _t768;
				_push(es);
				_push(es);
				asm("outsd");
				 *_t768 = _t768;
				 *__edx =  *__edx + _t1604;
				_push(es);
				_t770 = (_t768 |  *__edi) + 5;
				asm("outsd");
				asm("movsd");
				 *_t770 =  *_t770 + _t770;
				_push(es);
				 *__edi =  *__edi + _t770;
				if( *__edi == 0) {
					 *_t770 =  *_t770 + _t770;
					asm("adc al, 0xfe");
					_t1604 = _t1604 +  *((intOrPtr*)(_t770 + _t1604)) +  *0x20a2c09;
					 *(_t770 + 0xde28) =  *(_t770 + 0xde28) | _t770;
					 *_t770 =  *_t770 + _t770;
					ss = es;
					_t1509 = es;
					_t1510 = _t1509 |  *__esi;
					_t1886 = _t1886 +  *((intOrPtr*)(__edi - 0x5a));
					 *_t1510 =  *_t1510 + _t1510;
					_push(es);
					asm("outsd");
					_t770 =  *_t1510;
					 *__edx =  *__edx + _t1604;
					 *((char*)(__ebx + __edx)) =  *((char*)(__ebx + __edx)) + 1;
				}
				_t1738 = 0x2a;
				asm("adc esi, [eax]");
				_t773 = _t770 + 0x3e +  *((intOrPtr*)(_t770 + 0x3e));
				 *_t773 =  *_t773 - _t773;
				 *_t773 =  *_t773 + _t773;
				 *_t773 =  *_t773 | _t773;
				 *_t1604 = 0x2a +  *_t1604;
				 *0x2a =  *0x2a + _t773;
				if( *0x2a != 0) {
					L6:
					_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x39));
					 *_t773 =  *_t773 + _t773;
					_t775 = 0x0000002a + _t773 &  *_t1738;
					goto L7;
				} else {
					 *_t773 =  *_t773 + _t773;
					_t775 = _t773 + 0xa +  *0x2a;
					if(_t775 != 0) {
						L7:
						_t776 = _t775 +  *_t1511;
						if(_t776 < 0) {
							 *_t776 =  *_t776 + _t776;
							_t1497 = _t776 + 0x2a -  *_t1738;
							_t1886 = _t1886 +  *_t1497;
							_t1498 = _t1861;
							_t1861 = _t1497;
							 *_t1498 = _t1498 +  *_t1498;
							_push(es);
							 *_t1498 = _t1498 +  *_t1498;
							_t1604 = _t1604 -  *_t1738;
							goto L9;
						}
					} else {
						 *_t775 =  *_t775 + _t775;
						_t1503 = _t775 + 0x7d;
						asm("aaa");
						 *_t1503 =  *_t1503 + _t1503;
						_t1504 = _t1503 + 2;
						_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x36));
						 *_t1504 =  *_t1504 + _t1504;
						_pop(_t1498);
						if(_t1504 + 0x17 >= 0) {
							L9:
							_t1499 = _t1498 -  *_t1738;
							_t1500 = _t1499;
							 *_t1500 =  *_t1500 + _t1500;
							_push(es);
							 *_t1500 =  *_t1500 + _t1500;
							_t1735 = _t1604 -  *_t1738;
							 *((intOrPtr*)(_t1823 + 0x60000)) =  *((intOrPtr*)(_t1823 + 0x60000)) - _t1738;
							 *_t1738 =  *_t1738 + _t1735;
							_t776 = _t1500 +  *_t1511 -  *_t1738;
							_t1886 = _t1886 +  *_t1499 +  *_t776;
							asm("cdq");
							 *_t776 =  *_t776 + _t776;
							_push(es);
							 *_t776 =  *_t776 + _t776;
							_t1604 = _t1735 -  *_t1738;
							_t1511 = _t1511 +  *_t1823;
							asm("adc [ebp+0x100005c], cl");
						} else {
							 *_t1498 = _t1498 +  *_t1498;
							_t1506 =  &(_t1498[1]);
							_t1886 = _t1886 |  *_t1511;
							 *_t1823 =  *_t1823 + _t1506;
							_t1511 = _t1511 -  *_t1861 + (_t1511 -  *_t1861)[0xe];
							 *_t1506 =  *_t1506 + _t1506;
							_t1508 = _t1506 + 0x0000002a &  *0x2a;
							_t1823 = _t1823 +  *((intOrPtr*)(_t1886 + 0x38));
							 *_t1508 =  *_t1508 + _t1508;
							_t773 = 0x2a + _t1508;
							_push(ds);
							goto L6;
						}
					}
				}
				 *0x7dd0 =  *0x7dd0 + _t1929;
				_t777 = _t776 + 0x28;
				if (_t777 != 0) goto L11;
				 *_t1738 =  *_t1738 + _t1604;
				if( *_t1738 >= 0) {
					L15:
					_push(es);
					if(_t1952 >= 0) {
						goto L13;
					} else {
						 *_t777 =  *_t777 + _t777;
						_push(es);
						_t1886 = _t1886 |  *_t1511;
						 *_t1823 =  *_t1823 + _t777;
						_t1738 = _t1738 -  *_t1511;
						 *_t1861 =  *_t1861 ^ _t777;
						_t777 = _t777 + _t1511;
						 *_t777 =  *_t777 + _t777;
					}
				} else {
					 *_t777 =  *_t777 + _t777;
					_t777 = 0x2a + _t777;
					 *_t777 =  *_t777 + _t777;
					 *_t1511 = _t1738 +  *_t1511;
					 *_t1604 =  *_t1604 ^ _t777;
					 *_t777 =  *_t777 + _t1511;
					L13:
					asm("sbb [eax], al");
					 *_t777 =  *_t777 + _t777;
					_t1604 = _t1604 +  *_t777;
					 *_t1861 =  *_t1861 + _t777;
					if( *_t1861 != 0) {
						 *_t777 =  *_t777 + _t777;
						_t1604 = _t1604 +  *_t1738;
						_t1952 = _t1604;
						goto L15;
					}
				}
				 *_t1861 =  *_t1861 + _t1511;
				 *_t777 =  *_t777 + _t777;
				asm("adc [eax], eax");
				 *_t1738 =  *_t1738 + _t1604;
				_t779 =  *_t777 |  *_t1511;
				 *((intOrPtr*)(_t779 + _t779 + 0x1f0b0a00)) =  *((intOrPtr*)(_t779 + _t779 + 0x1f0b0a00)) - _t1604;
				asm("adc [ebp+0x100005c], cl");
				_t781 = _t779 & 0x5a040416 &  *(_t779 & 0x5a040416);
				 *_t781 =  *_t781 + _t781;
				 *_t781 =  *_t781 + _t781;
				asm("aas");
				_push(es);
				_push(es);
				_t785 =  *0x5041725 &  *( *0x5041725);
				 *_t785 =  *_t785 + _t785;
				 *_t785 =  *_t785 + _t785;
				asm("aas");
				_push(es);
				_t1742 = cs;
				_t790 =  *0xe041825 + 0x0000005a &  *( *0xe041825 + 0x5a);
				 *_t790 =  *_t790 + _t790;
				 *_t790 =  *_t790 + _t790;
				asm("aas");
				_push(es);
				_t794 = _t790 + _t1742 + 0xa1585a07 & 0x5a05041a &  *(_t790 + _t1742 + 0xa1585a07 & 0x5a05041a);
				 *_t794 =  *_t794 + _t794;
				 *_t794 =  *_t794 + _t794;
				asm("aas");
				_push(es);
				_push(cs);
				_t799 =  *0x5051b25 &  *( *0x5051b25);
				 *_t799 =  *_t799 + _t799;
				 *_t799 =  *_t799 + _t799;
				asm("aas");
				_push(es);
				_push(es);
				_t804 =  *0xe051c25 + 0x0000005a &  *( *0xe051c25 + 0x5a);
				 *_t804 =  *_t804 + _t804;
				 *_t804 =  *_t804 + _t804;
				asm("aas");
				_t1749 = es;
				_t809 =  *0xe041e25 + 0x0000005a &  *( *0xe041e25 + 0x5a);
				 *_t809 =  *_t809 + _t809;
				 *_t809 =  *_t809 + _t809;
				asm("aas");
				_push(es);
				_t814 = (_t809 + _t1749 + 0xa1595a07 & 0x0e05091f) + 0x0000005a &  *((_t809 + _t1749 + 0xa1595a07 & 0x0e05091f) + 0x5a);
				 *_t814 =  *_t814 + _t814;
				 *_t814 =  *_t814 + _t814;
				asm("aas");
				_t821 =  *0xe0a1f25 + 0x68 &  *( *0xe0a1f25 + 0x68);
				 *_t821 =  *_t821 + _t821;
				 *_t821 =  *_t821 + _t821;
				asm("aas");
				_t1615 = es;
				_t1753 = es;
				_push(es);
				_t824 =  *0x230f1f25;
				 *_t824 =  *_t824 + _t824;
				 *_t824 =  *_t824 + _t824;
				 *_t824 =  *_t824 + _t824;
				asm("lock aas");
				_push(es);
				_t826 =  *0x9873 | 0x00000002;
				 *_t826 =  *_t826 | _t1615;
				asm("movsb");
				 *_t826 =  *_t826 + _t826;
				_push(es);
				 *_t1753 =  *_t1753 + _t1615;
				asm("adc esi, [eax]");
				_t827 = _t826 + 0x5500;
				 *_t1861 =  *_t1861 + _t1511;
				 *_t827 = _t827 +  *_t827;
				asm("adc [eax], eax");
				 *_t1753 =  *_t1753 + _t1615;
				_t829 =  *_t827 |  *_t1511;
				 *((intOrPtr*)(_t829 + _t829 + 0x1f0b0a00)) =  *((intOrPtr*)(_t829 + _t829 + 0x1f0b0a00)) - _t1615;
				asm("adc [ebp+0x100005c], cl");
				_t830 = _t829 & 0x00002316;
				 *_t830 =  *_t830 + _t830;
				 *_t830 =  *_t830 + _t830;
				asm("lock aas");
				_t1616 = es;
				_push(es);
				_t836 =  *0xa1061b25 & 0x1c;
				 *_t836 =  *_t836 + _t836;
				 *_t836 =  *_t836 + _t836;
				asm("aas");
				_push(es);
				_t839 =  *0x9873 | 0x00000002;
				 *_t839 =  *_t839 | _t1616;
				asm("movsb");
				 *_t839 =  *_t839 + _t839;
				_push(es);
				 *_t1753 =  *_t1753 + _t1616;
				 *_t839 =  *_t839 + _t839;
				 *_t1511 = _t1753 +  *_t1511;
				 *0x5400 =  *0x5400 ^ _t839;
				 *_t1861 =  *_t1861 + _t1511;
				 *_t839 =  *_t839 + _t839;
				asm("adc [eax], eax");
				 *_t1753 =  *_t1753 + _t1616;
				 *((intOrPtr*)(( *_t839 |  *_t1511) + ( *_t839 |  *_t1511) + 0x1f0b0a00)) =  *((intOrPtr*)(( *_t839 |  *_t1511) + ( *_t839 |  *_t1511) + 0x1f0b0a00)) - _t1616;
				asm("adc [ebp+0x100005c], cl");
				asm("sbb [edi], al");
				_t843 =  *0x231b25;
				 *_t843 =  *_t843 + _t843;
				 *_t843 =  *_t843 + _t843;
				asm("aas");
				_t1617 = es;
				_t848 =  *0x230f1f25;
				 *_t848 =  *_t848 + _t848;
				 *_t848 =  *_t848 + _t848;
				 *_t848 =  *_t848 + _t848;
				asm("lock aas");
				_t850 =  *0x9873 | 0x00000002;
				 *_t850 =  *_t850 | _t1617;
				asm("movsb");
				 *_t850 =  *_t850 + _t850;
				 *_t1753 =  *_t1753 + _t1617;
				asm("adc esi, [eax]");
				_t851 = 0x5400 + _t850;
				 *_t1861 =  *_t1861 + _t1511;
				 *_t851 = _t851 +  *_t851;
				asm("adc [eax], eax");
				_t1890 = _t1886 +  *_t777 +  *_t827 +  *_t839 +  *_t851;
				 *_t1753 =  *_t1753 + _t1617;
				 *((intOrPtr*)(( *_t851 |  *_t1511) + ( *_t851 |  *_t1511) + 0x1f0b0a00)) =  *((intOrPtr*)(( *_t851 |  *_t1511) + ( *_t851 |  *_t1511) + 0x1f0b0a00)) - _t1617;
				asm("adc [ebp+0x100005c], cl");
				ss = es;
				es = es;
				ds = es;
				_t857 =  *[gs:0xa1071a25] & 0x25a1061b |  *_t1511;
				 *_t857 =  *_t857 + _t857;
				 *_t857 =  *_t857 + _t857;
				 *_t857 =  *_t857 + _t857;
				asm("lock aas");
				_t1618 = es;
				_push(es);
				_t859 =  *0x230f1f25;
				 *_t859 =  *_t859 + _t859;
				 *_t859 =  *_t859 + _t859;
				 *_t859 =  *_t859 + _t859;
				asm("lock aas");
				_push(es);
				_t861 =  *0x9873 | 0x00000002;
				 *_t861 =  *_t861 | _t1618;
				asm("movsb");
				 *_t861 =  *_t861 + _t861;
				 *_t1753 =  *_t1753 + _t1618;
				asm("adc esi, [eax]");
				_t862 = _t861;
				asm("das");
				 *_t862 =  *_t862 + _t862;
				 *_t1823 =  *_t1823 + _t1511;
				 *_t862 =  *_t862 + _t862;
				asm("adc [eax], eax");
				ds = es;
				asm("adc [ebp+0x100005c], cl");
				_t864 = (_t862 & 0x00007dd0) + 0x28;
				if (_t864 != 0) goto L18;
				 *_t1753 =  *_t1753 + _t1618;
				asm("sbb eax, 0x1f25a104");
				_t866 = _t864 & 0x25a10319 |  *0x9873a1;
				 *_t1861 =  *_t1861 + _t866;
				_t867 = _t866 |  *_t1753;
				_push(es);
				 *((intOrPtr*)(_t867 + _t867 + 0x2a000600)) =  *((intOrPtr*)(_t867 + _t867 + 0x2a000600)) - _t867;
				_t870 = (_t867 ^  *_t867) +  *_t1511 +  *_t1511;
				_t1619 = _t1618 - _t1753;
				 *_t870 =  *_t870 + _t870;
				 *_t1753 =  *_t1753 + _t1619;
				asm("adc esi, [eax]");
				_t871 = _t870;
				 *_t871 =  *_t871 ^ _t871;
				 *_t871 =  *_t871 + _t871;
				asm("aas");
				 *_t871 =  *_t871 + _t871;
				asm("adc [eax], eax");
				ds = es;
				asm("adc [ebp+0x100005c], cl");
				asm("sbb eax, [ecx]");
				_t874 = _t871 & 0x10216;
				 *_t874 =  *_t874 + _t874;
				 *_t874 =  *_t874 + _t874;
				asm("aas");
				_push(es);
				_t877 =  *0x9873 |  *_t1753;
				_push(es);
				 *((intOrPtr*)(_t877 + _t877 + 0x2a000600)) =  *((intOrPtr*)(_t877 + _t877 + 0x2a000600)) - _t877;
				 *_t877 =  *_t877 + _t877;
				 *_t1511 = _t1753 +  *_t1511;
				 *0x2800 =  *0x2800 ^ _t877;
				 *_t877 =  *_t877 + _t877;
				 *_t877 =  *_t877 + _t877;
				asm("adc [eax], eax");
				_t1620 = _t1619 |  *_t1511;
				asm("sbb [esi+eax], al");
				_t878 = _t877 +  *_t1511;
				 *0x2000021 = _t878;
				 *((intOrPtr*)(_t1620 - 0x5bfa0000)) =  *((intOrPtr*)(_t1620 - 0x5bfa0000)) - _t1620;
				 *_t878 =  *_t878 & _t878;
				 *_t1753 =  *_t1753 + _t878;
				ss = es;
				_t879 = es;
				_t1621 = _t1620 + _t1861[0x2c13f9a];
				es = ss;
				_t882 = (_t879 |  *_t1861) - 0x422ade +  *_t1511;
				if(_t882 >= 0) {
					L24:
					 *_t1753 =  *_t1753 + _t1621;
					_t1621 = _t1621 |  *_t1511;
					 *_t1861 =  *_t1861 + _t882;
					asm("adc esi, [eax]");
					_t884 = _t882 -  *_t882 +  *((intOrPtr*)(_t882 -  *_t882));
					 *_t884 =  *_t884 & _t884;
					 *_t884 =  *_t884 + _t884;
					asm("sbb eax, [eax]");
					 *_t1621 =  *_t1621 + _t1753;
					 *_t1753 =  *_t1753 + _t884;
					if( *_t1753 != 0) {
						goto L32;
					} else {
						 *_t884 =  *_t884 + _t884;
						_t884 = _t884 + 2;
						if(_t884 != 0) {
							goto L33;
						} else {
							 *_t884 =  *_t884 + _t884;
							_t884 = _t884 + 0x5a;
							_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
							goto L27;
						}
					}
				} else {
					 *_t882 =  *_t882 + _t882;
					_t888 = _t882 + 0x7f;
					 *((intOrPtr*)(_t1753 + _t1890)) =  *((intOrPtr*)(_t1753 + _t1890)) + _t888;
					 *_t888 =  *_t888 + _t888;
					L20:
					 *_t888 =  *_t888 + _t888;
					asm("adc esi, [eax]");
					_t889 = _t888 +  *_t888;
					asm("daa");
					 *_t889 =  *_t889 + _t889;
					 *_t1753 =  *_t1753 + _t1511;
					 *_t889 =  *_t889 + _t889;
					asm("adc [eax], eax");
					_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3a));
					 *_t889 =  *_t889 + _t889;
					_t884 = _t889 + 2;
					if(_t884 != 0) {
						L27:
						_t54 = _t1753 + _t884;
						 *_t54 =  *((intOrPtr*)(_t1753 + _t884)) + _t884;
						if( *_t54 != 0) {
							goto L36;
						} else {
							 *_t884 =  *_t884 + _t884;
							_pop(_t885);
							_t1621 = _t1621 |  *_t1511;
							goto L29;
						}
					} else {
						 *_t884 =  *_t884 + _t884;
						L22:
						 *((intOrPtr*)(_t1753 + _t1511 * 2)) =  *((intOrPtr*)(_t1753 + _t1511 * 2)) + _t884;
						_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
						 *_t884 =  *_t884 + _t884;
						_t885 = _t884 + 2;
						if(_t885 != 0) {
							L29:
							 *_t1861 =  *_t1861 + _t885;
							_t886 = _t885 -  *_t885;
							 *_t886 =  *_t886 + _t886;
							asm("adc esi, [eax]");
							_t887 = _t886;
							 *_t887 =  *_t887 ^ _t887;
							 *_t887 =  *_t887 + _t887;
							_t888 = _t887 + 1;
							 *_t888 =  *_t888 + _t888;
							asm("adc [eax], eax");
							if( *_t888 < 0) {
								goto L20;
							} else {
								_pop(_t1823);
								_t56 = _t888 + 2;
								 *_t56 =  *((intOrPtr*)(_t888 + 2)) + _t1753;
								if( *_t56 != 0) {
									L37:
									_t63 = _t1511 + _t888;
									 *_t63 =  *((intOrPtr*)(_t1511 + _t888)) + _t888;
									if( *_t63 != 0) {
										goto L43;
									} else {
										 *_t888 =  *_t888 + _t888;
										_t888 = _t888 + 0x58;
										_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
										goto L39;
									}
								} else {
									 *_t888 =  *_t888 + _t888;
									_t884 = _t888 + 0xa;
									asm("adc al, [eax]");
									L32:
									 *_t884 =  *_t884 + _t1621;
									 *_t1753 =  *_t1753 + _t1621;
									_t1970 =  *_t1753;
									L33:
									if(_t1970 < 0) {
										goto L22;
									} else {
										_pop(_t1823);
										_t58 = _t884 + 2;
										 *_t58 =  *(_t884 + 2) + _t1753;
										if( *_t58 != 0) {
											L40:
											 *_t888 =  *_t888 + _t888;
											_t888 = _t888 + 0x58;
											if(_t888 >= 0) {
												L39:
												_t66 = _t1511 + _t888;
												 *_t66 =  *((intOrPtr*)(_t1511 + _t888)) + _t888;
												if( *_t66 != 0) {
													goto L46;
												} else {
													goto L40;
												}
											} else {
												 *_t888 =  *_t888 + _t888;
												_push(es);
												_t1621 = _t1621 |  *_t1511;
												 *_t1861 =  *_t1861 + _t888;
												_t1490 = _t888 -  *_t888;
												 *_t1490 =  *_t1490 + _t1490;
												asm("adc esi, [eax]");
												_t1492 = _t1490 +  *_t1490 & 0x33000000;
												 *_t1492 =  *_t1492 + _t1492;
												asm("adc [eax], eax");
												_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3a));
												 *_t1492 =  *_t1492 + _t1492;
												_t1475 = _t1492 + 3;
												if(_t1475 != 0) {
													L49:
													_pop(_t1753);
													if(_t1987 >= 0) {
														goto L48;
													}
													 *_t1475 =  *_t1475 + _t1475;
													_push(es);
													_t1621 = _t1621 |  *_t1511;
													 *_t1861 =  *_t1861 + _t1475;
													_t888 = _t1475 -  *_t1475;
													asm("adc esi, [eax]");
													goto L51;
												} else {
													 *_t1475 =  *_t1475 + _t1475;
													_t888 = _t1475 + 0x59;
													_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
													while(1) {
														L43:
														_t70 = _t1511 + _t888;
														 *_t70 =  *((intOrPtr*)(_t1511 + _t888)) + _t888;
														if( *_t70 != 0) {
															break;
														}
														 *_t888 =  *_t888 + _t888;
														_t888 = _t888 + 0x59;
														if(_t888 >= 0) {
															continue;
														} else {
															 *_t888 =  *_t888 + _t888;
															L46:
															 *_t1861 =  *_t1861 + _t888;
															_t1621 = _t1621 |  *_t1511;
															 *_t1861 =  *_t1861 + _t888;
															_t1487 = _t888 -  *_t888;
															 *_t1487 =  *_t1487 + _t1487;
															asm("adc esi, [eax]");
															_t1488 = _t1487 +  *_t1487;
															asm("sbb eax, [eax]");
															 *_t1488 =  *_t1488 + _t1488;
															_t1475 = _t1488 ^  *_t1488;
															 *_t1621 =  *_t1621 + _t1753;
															 *_t1753 =  *_t1753 + _t1475;
															if( *_t1753 == 0) {
																 *_t1475 =  *_t1475 + _t1475;
																L48:
																_t1489 = _t1475 + 3;
																_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
																 *_t1489 =  *_t1489 + _t1489;
																_t1475 = _t1489 + 3;
																_t1987 = _t1475;
																goto L49;
															}
														}
														goto L89;
													}
													L51:
													_t892 = _t888 +  *_t888;
													 *_t892 =  *_t892 & _t892;
													 *_t892 =  *_t892 + _t892;
													asm("sbb eax, [eax]");
													 *_t1621 =  *_t1621 + _t1753;
													 *_t1753 =  *_t1753 + _t892;
													if( *_t1753 != 0) {
														asm("insb");
														if(_t1992 < 0) {
															 *_t892 =  *_t892 + _t892;
															_push(es);
															goto L58;
														}
														goto L59;
													} else {
														 *_t892 =  *_t892 + _t892;
														_t892 = _t892 + 3;
														if(_t892 != 0) {
															L58:
															_t1621 = _t1621 |  *_t1511;
															 *_t1861 =  *_t1861 + _t892;
															L59:
															_push(es);
															_t1512 = _t1511 -  *_t1861;
															_t893 = _t892 +  *_t1512;
															if(_t893 >= 0) {
																L64:
																_pop(_t894);
																_t1513 = _t1512 + _t1512[0xf];
																 *_t894 =  *_t894 + _t894;
																_t895 = _t894 + 2;
																if(_t895 != 0) {
																	 *_t895 =  *_t895 + _t895;
																	_t896 = _t895 + 2;
																	if(_t896 != 0) {
																		goto L86;
																	} else {
																		 *_t896 =  *_t896 + _t896;
																		_pop(_t900);
																		_t1621 = _t1621 |  *_t1513;
																		 *_t1861 =  *_t1861 + _t900;
																		L78:
																		_push(es);
																		asm("adc esi, [eax]");
																		_t897 = _t900 -  *_t900 + 0x6b00;
																		 *_t897 =  *_t897 + _t897;
																		 *_t1621 =  *_t1621 + _t1753;
																		 *((intOrPtr*)(0x1000048 + _t1621 * 4)) =  *((intOrPtr*)(0x1000048 + _t1621 * 4)) + _t1513;
																		goto L79;
																	}
																} else {
																	 *_t895 =  *_t895 + _t895;
																	_pop(_t897);
																	asm("insb");
																	 *_t897 =  *_t897 - _t1513;
																	 *_t897 =  *_t897 + _t897;
																	_t1621 = _t1621 |  *_t1753;
																	goto L66;
																}
															} else {
																 *_t893 =  *_t893 + _t893;
																_t1475 = _t893 + 2;
																_t1478 = _t1475 +  *((intOrPtr*)(0x400003d + _t1823 * 2)) +  *0x3e7d + 0x2a;
																 *_t1478 =  *_t1478 + _t1478;
																 *_t1512 = _t1753 +  *_t1512;
																 *_t1512 =  *_t1512 ^ _t1478;
																 *0x1a000000 =  *0x1a000000 + _t1753;
																 *_t1478 =  *_t1478 + _t1478;
																asm("adc [eax], eax");
																_t1514 = _t1512 + _t1512[0xf];
																 *_t1478 =  *_t1478 + _t1478;
																_t897 = _t1478 + 2;
																if(_t897 != 0) {
																	L69:
																	if(_t2004 != 0) {
																		L79:
																		 *_t897 =  *_t897 + _t897;
																		 *0x5f8b7216 =  *0x5f8b7216 + _t1929;
																		_t2013 =  *0x5f8b7216;
																		goto L80;
																	} else {
																		 *_t897 =  *_t897 + _t897;
																		_t897 = _t897 + 2;
																		if(_t897 != 0) {
																			L80:
																			_t1513 =  *_t1823;
																			if(_t2013 < 0) {
																				L66:
																				_push(es);
																				_t896 = _t897 -  *_t897 -  *((intOrPtr*)(_t897 -  *_t897));
																				goto L67;
																			} else {
																				_t899 = _t897 & 0x3c7b0217;
																				_t2014 = _t899;
																				if(_t2014 == 0) {
																					 *_t899 =  *_t899 + _t899;
																					_t896 = _t899 + 0xa;
																					_t2015 = _t896;
																					asm("adc al, [eax]");
																					if(_t2015 < 0) {
																						L67:
																						 *_t896 =  *_t896 + _t896;
																						 *_t1513 = _t1753 +  *_t1513;
																						 *_t1513 =  *_t1513 ^ _t896;
																						goto L68;
																					} else {
																						_pop(_t1823);
																						 *((intOrPtr*)(_t896 + 0x28)) =  *((intOrPtr*)(_t896 + 0x28)) + _t1753;
																						_pop( *__eax);
																						 *_t1753 =  *_t1753 + _t1621;
																						_t2016 =  *_t1753;
																						 *0x91721825 = _t896;
																						L86:
																						if(_t2016 < 0) {
																							L68:
																							_t897 = _t896 +  *_t896;
																							asm("das");
																							 *_t897 =  *_t897 + _t897;
																							 *_t1513 =  *_t1513 + _t1513;
																							 *_t897 =  *_t897 + _t897;
																							asm("adc [eax], eax");
																							_t1514 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3c));
																							_t2004 = _t1514;
																							goto L69;
																						} else {
																							_pop(_t1823);
																							 *((intOrPtr*)(_t896 - 0x5e)) =  *((intOrPtr*)(_t896 - 0x5e)) + _t1753;
																							_t1471 = _t896 & 0x3d7b0219;
																							 *_t1471 =  *_t1471 + _t1471;
																							_t899 = _t1471 + 0xa;
																							asm("adc al, [eax]");
																							if(_t899 < 0) {
																								goto L72;
																							} else {
																								 *((intOrPtr*)(_t899 + 0x28)) =  *((intOrPtr*)(_t899 + 0x28)) + _t1753;
																								_pop( *__eax);
																								 *_t1753 =  *_t1753 + _t1621;
																								 *0x9f721a25 = _t899;
																								_pop(_t1823);
																								 *((intOrPtr*)(_t899 - 0x5e)) =  *((intOrPtr*)(_t899 - 0x5e)) + _t1753;
																								_t899 = _t899 & 0x3e7b021b;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			 *_t897 =  *_t897 + _t897;
																			_t899 = _t897 + 0x5a;
																			_t1513 = _t1514 +  *((intOrPtr*)(_t1514 + 0x3d));
																			_t2006 = _t1513;
																			L72:
																			if (_t2006 != 0) goto L82;
																			goto L73;
																		}
																	}
																} else {
																	 *_t897 =  *_t897 + _t897;
																	_t1479 = _t897 + 0x5a;
																	_t1513 = _t1514 +  *((intOrPtr*)(_t1514 + 0x3d));
																	 *_t1479 =  *_t1479 + _t1479;
																	_t899 = _t1479 + 2;
																	if(_t899 == 0) {
																		 *_t899 =  *_t899 + _t899;
																		goto L64;
																	}
																}
															}
														} else {
															 *_t892 =  *_t892 + _t892;
															_t1481 = _t892 + 0x5a;
															_t1512 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3b));
															 *_t1481 =  *_t1481 + _t1481;
															_t1475 = _t1481 + 2;
															if (_t1475 != 0) goto L61;
															goto L54;
														}
													}
												}
											}
										} else {
											 *_t884 =  *_t884 + _t884;
											_t884 = _t884 + 0xa;
											asm("adc al, [eax]");
											L36:
											 *((intOrPtr*)(_t1890 + 0x280a0000)) =  *((intOrPtr*)(_t1890 + 0x280a0000)) - _t1621;
											es =  *_t884;
											 *_t1753 =  *_t1753 + _t1621;
											_t1890 = _t1890 |  *_t1511;
											 *_t1823 =  *_t1823 + _t884;
											_t890 = _t884 -  *_t884;
											 *_t890 =  *_t890 + _t890;
											asm("adc esi, [eax]");
											_t888 = _t890 +  *_t890 & 0x33000000;
											 *_t888 =  *_t888 + _t888;
											asm("adc [eax], eax");
											_t1511 = _t1511 +  *((intOrPtr*)(_t1511 + 0x3a));
											goto L37;
										}
									}
								}
							}
						} else {
							 *_t885 =  *_t885 + _t885;
							_pop(_t882);
							asm("insb");
							 *_t882 =  *_t882 - _t1511;
							 *_t882 =  *_t882 + _t882;
							goto L24;
						}
					}
				}
				L89:
				 *_t899 =  *_t899 + _t899;
				_t900 = _t899 + 0xa;
				asm("adc al, [eax]");
				if(_t900 < 0) {
					goto L78;
				}
				_pop(_t1824);
				 *((intOrPtr*)(_t900 + 0x28)) =  *((intOrPtr*)(_t900 + 0x28)) + _t1753;
				_pop( *__eax);
				 *_t1753 =  *_t1753 + _t1621;
				 *0x7928 = _t900;
				_t1622 = _t1621 |  *_t1513;
				_pop(es);
				asm("adc esi, [eax]");
				_t904 = _t900 -  *_t900 -  *((intOrPtr*)(_t900 -  *_t900)) + 0x5c00;
				 *_t1622 =  *_t1622 + _t904;
				 *_t1622 =  *_t1622 + _t1753;
				 *_t1753 =  *_t1753 + _t904;
				if( *_t1753 != 0) {
					L97:
					 *((intOrPtr*)(_t1753 + _t1513 * 2)) =  *((intOrPtr*)(_t1753 + _t1513 * 2)) + _t904;
					_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d));
					 *_t904 =  *_t904 + _t904;
					goto L98;
				} else {
					 *_t904 =  *_t904 + _t904;
					_t904 = _t904 + 3;
					if(_t904 != 0) {
						L98:
						_t107 = _t1513 + _t904;
						 *_t107 =  *((intOrPtr*)(_t1513 + _t904)) + _t904;
						if( *_t107 != 0) {
							goto L108;
						} else {
							 *_t904 =  *_t904 + _t904;
							_t1464 = _t904 + 0x5a;
							_t2029 = _t1464;
							do {
								_pop(_t1753);
								_pop(_t1622);
							} while (_t2029 >= 0);
							goto L101;
						}
					} else {
						 *_t904 =  *_t904 + _t904;
						_t1467 = _t904 + 0x5a;
						_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3e));
						 *_t1467 =  *_t1467 + _t1467;
						_t1464 = _t1467 + 3;
						if(_t1464 != 0) {
							L101:
							 *_t1464 =  *_t1464 + _t1464;
							_push(es);
							_t1624 = _t1622 |  *_t1513;
							 *_t1861 =  *_t1861 + _t1464;
							_t1753 = _t1753 -  *_t1513;
							 *(_t1464 + _t1464) =  *(_t1464 + _t1464) ^ _t1464;
							_t906 = _t1464 ^  *_t1464;
							goto L102;
						} else {
							 *_t1464 =  *_t1464 + _t1464;
							_t1468 = _t1464 + 0x5a;
							_pop(_t1624);
							_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3e));
							 *_t1468 =  *_t1468 + _t1468;
							_t906 = _t1468 + 3;
							if(_t906 != 0) {
								L102:
								 *_t906 =  *_t906 + _t906;
								 *_t1624 =  *_t1624 + _t906;
								 *_t1624 =  *_t1624 + _t1753;
								 *_t1753 =  *_t1753 + _t906;
								if( *_t1753 != 0) {
									 *_t1753 =  *_t1753 + _t906;
									if( *_t1753 != 0) {
										 *_t1753 =  *_t1753 + _t906;
										if( *_t1753 != 0) {
											goto L130;
										} else {
											 *_t906 =  *_t906 + _t906;
											goto L124;
										}
									} else {
										 *_t906 =  *_t906 + _t906;
										goto L114;
									}
								} else {
									 *_t906 =  *_t906 + _t906;
									_t906 = _t906 + 3;
									_t2032 = _t906;
									goto L104;
								}
							} else {
								 *_t906 =  *_t906 + _t906;
								_t1469 = _t906 + 0x5a;
								_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3c));
								 *_t1469 =  *_t1469 + _t1469;
								_t906 = _t1469 + 3;
								if(_t906 != 0) {
									L104:
									if(_t2032 != 0) {
										L114:
										_t906 = _t906 + 3;
										if(_t906 != 0) {
											L124:
											_t1454 = _t906 + 3;
											 *_t1454 =  *_t1454 + _t1454;
											_t1455 = _t1454 + 3;
											_pop(_t1753);
											_t1598 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d)) +  *((intOrPtr*)(_t1513 +  *((intOrPtr*)(_t1513 + 0x3d)) + 0x3e));
											 *_t1455 =  *_t1455 + _t1455;
											_t1456 = _t1455 + 3;
											goto L126;
											 *_t1456 =  *_t1456 + _t1456;
											_push(es);
											_t1624 = _t1624 |  *_t1599;
											 *_t1861 =  *_t1861 + _t1456;
											_push(es);
											asm("adc esi, [eax]");
											_t1458 = _t1456 -  *_t1456 +  *((intOrPtr*)(_t1456 -  *_t1456));
											asm("das");
											 *_t1458 =  *_t1458 + _t1458;
											 *_t1599 = _t1599 +  *_t1599;
											 *_t1458 =  *_t1458 + _t1458;
											asm("adc [eax], eax");
											_t1596 = _t1599 + _t1599[0xf];
											 *_t1458 =  *_t1458 + _t1458;
											_t1453 = _t1458 + 3;
											if(_t1453 != 0) {
												L134:
												_t1513 = _t1596 +  *((intOrPtr*)(_t1596 + 0x3e));
												 *_t1453 =  *_t1453 + _t1453;
												_t908 = _t1453 + 0x6c;
												if(_t908 >= 0) {
													goto L138;
												} else {
													goto L135;
												}
											} else {
												 *_t1453 =  *_t1453 + _t1453;
												_t906 = _t1453 + 0x5a;
												_t1513 = _t1596 +  *((intOrPtr*)(_t1596 + 0x3d));
												L130:
												if(_t906 != 0x3040000) {
													L135:
													 *_t906 =  *_t906 + _t906;
													_push(es);
													_t1624 = _t1624 |  *_t1513;
													 *_t1861 =  *_t1861 + _t906;
													_t908 = _t906 -  *_t1753 +  *_t1513;
													if(_t908 >= 0) {
														goto L145;
													} else {
														 *_t908 =  *_t908 + _t908;
														goto L137;
													}
												} else {
													 *_t906 =  *_t906 + _t906;
													_pop(_t1449);
													_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3e));
													 *_t1449 =  *_t1449 + _t1449;
													_t908 = _t1449 + 3;
													if(_t908 != 0) {
														L137:
														 *((intOrPtr*)(_t1753 + _t908)) =  *((intOrPtr*)(_t1753 + _t908)) + _t908;
														L138:
														_t1447 = _t908 + 0x7e;
														 *_t1447 =  *_t1447 + _t1447;
														_t910 = _t1447 + 0x2a;
														 *_t910 =  *_t910 + _t910;
														 *_t1513 = _t1753 +  *_t1513;
														 *_t1513 =  *_t1513 ^ _t910;
														 *_t1861 =  *_t1861 + _t910;
														 *_t910 =  *_t910 + _t910;
														 *_t1753 =  *_t1753 + _t1513;
														 *_t910 =  *_t910 + _t910;
														asm("adc [eax], eax");
														goto L139;
													} else {
														 *_t908 =  *_t908 + _t908;
														_pop(_t1451);
														_t1624 = _t1624 |  *_t1513;
														 *_t1861 =  *_t1861 + _t1451;
														asm("adc esi, [eax]");
														_t910 = _t1451 -  *_t1451 +  *((intOrPtr*)(_t1451 -  *_t1451));
														 *_t910 =  *_t910 & _t910;
														 *_t910 =  *_t910 + _t910;
														 *_t910 =  *_t910 - _t910;
														 *_t1624 =  *_t1624 + _t1753;
														 *_t1753 =  *_t1753 + _t910;
														if( *_t1753 != 0) {
															L139:
															 *_t1753 =  *_t1753 + _t910;
															if( *_t1753 != 0) {
																L149:
																if(_t2072 != 0) {
																	goto L161;
																} else {
																	 *_t910 =  *_t910 + _t910;
																	_t909 = _t910 + 2;
																	_t2073 = _t909;
																	goto L151;
																}
															} else {
																 *_t910 =  *_t910 + _t910;
																_t909 = _t910 + 2;
																if(_t909 != 0) {
																	L151:
																	if(_t2073 != 0) {
																		goto L162;
																	} else {
																		 *_t909 =  *_t909 + _t909;
																		_pop(_t1445);
																		_t1624 = _t1624 |  *_t1513;
																		 *_t1861 =  *_t1861 + _t1445;
																		_t910 = _t1445 -  *_t1445;
																		 *_t910 =  *_t910 + _t910;
																		goto L153;
																	}
																} else {
																	 *_t909 =  *_t909 + _t909;
																	_t910 = _t909 + 0x5a;
																	L142:
																	_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
																	L143:
																	_t1440 = _t910 + 1;
																	 *_t1440 =  *_t1440 + _t1440;
																	_t910 = _t1440 + 2;
																	if(_t910 != 0) {
																		L153:
																		 *_t1513 = _t1753 +  *_t1513;
																		 *0x3b00 =  *0x3b00 ^ _t910;
																		 *_t1753 =  *_t1753 + _t910;
																		 *_t1624 =  *_t1624 + _t1753;
																		 *((intOrPtr*)(_t1753 - 0x75)) =  *((intOrPtr*)(_t1753 - 0x75)) + _t1753;
																		_pop(_t1824);
																		_t136 = _t910 + 2;
																		 *_t136 =  *(_t910 + 2) + _t1753;
																		if( *_t136 != 0) {
																			goto L166;
																		} else {
																			 *_t910 =  *_t910 + _t910;
																			_t910 = _t910 + 0xa;
																			asm("adc al, [eax]");
																			if(_t910 < 0) {
																				goto L142;
																			} else {
																				_pop(_t1824);
																				_t138 = _t910 + 0x28;
																				 *_t138 =  *((intOrPtr*)(_t910 + 0x28)) + _t1753;
																				_t2077 =  *_t138;
																				goto L156;
																			}
																		}
																	} else {
																		 *_t910 =  *_t910 + _t910;
																		_pop(_t1443);
																		 *_t1443 =  *_t1443 - _t1513;
																		 *_t1443 =  *_t1443 + _t1443;
																		_t1624 = _t1624 |  *_t1753;
																		_t908 = _t1443 -  *_t1443;
																		_push(es);
																		L145:
																		_t909 = _t908 -  *_t908;
																		L146:
																		 *_t909 =  *_t909 + _t909;
																		asm("adc esi, [eax]");
																		_t910 = _t909 +  *_t909;
																		 *_t910 =  *_t910 & _t910;
																		 *_t910 =  *_t910 + _t910;
																		asm("sbb al, [eax]");
																		 *_t1624 =  *_t1624 + _t1753;
																		 *_t1753 =  *_t1753 + _t910;
																		if( *_t1753 != 0) {
																			L156:
																			if(_t2077 < 0) {
																				goto L165;
																			} else {
																				if (_t2077 < 0) goto L158;
																				 *_t1753 =  *_t1753 + _t1624;
																				_t2078 =  *_t1753;
																				goto L159;
																			}
																		} else {
																			 *_t910 =  *_t910 + _t910;
																			_t910 = _t910 + 2;
																			if(_t910 != 0) {
																				L159:
																				if(_t2078 < 0) {
																					goto L143;
																				} else {
																					_pop(_t1824);
																					_t140 = _t910 + 2;
																					 *_t140 =  *(_t910 + 2) + _t1753;
																					_t2079 =  *_t140;
																					if(_t2079 != 0) {
																						L170:
																						_t1436 = _t1430 + 0x58;
																						if(_t1436 < 0) {
																							 *_t1436 =  *_t1436 + _t1436;
																							_push(es);
																							_t1624 = _t1624 |  *_t1513;
																							 *_t1861 =  *_t1861 + _t1436;
																						}
																						_push(es);
																						_t1437 = _t1436 -  *_t1436;
																						 *_t1437 =  *_t1437 + _t1437;
																						asm("adc esi, [eax]");
																						_t1439 = _t1437 +  *_t1437 & 0x1f000000;
																						 *_t1439 =  *_t1439 + _t1439;
																						asm("adc [eax], eax");
																						_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3f));
																						 *_t1439 =  *_t1439 + _t1439;
																						_t1434 = _t1439 + 3;
																						if(_t1434 != 0) {
																							goto L181;
																						} else {
																							 *_t1434 =  *_t1434 + _t1434;
																							_t910 = _t1434 + 0x59;
																							_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
																							_t2088 = _t1513;
																							goto L174;
																						}
																					} else {
																						L161:
																						 *_t910 =  *_t910 + _t910;
																						_t909 = _t910 + 0xa;
																						asm("adc al, [eax]");
																						L162:
																						if(_t2079 < 0) {
																							goto L146;
																						} else {
																							_pop(_t1824);
																							_t142 = _t909 + 0x28;
																							 *_t142 =  *((intOrPtr*)(_t909 + 0x28)) + _t1753;
																							if ( *_t142 < 0) goto L164;
																							 *_t1753 =  *_t1753 + _t1624;
																							_t1861[0x2c28000] = _t1861[0x2c28000] - _t1624;
																							_pop(es);
																							_t910 = _t909 -  *_t909 -  *((intOrPtr*)(_t909 -  *_t909));
																							asm("adc esi, [eax]");
																							L165:
																							 *_t1513 =  *_t1513 ^ _t910;
																							 *0x1f000000 =  *0x1f000000 + _t910;
																							 *_t910 =  *_t910 + _t910;
																							asm("adc [eax], eax");
																							L166:
																							 *_t1753 =  *_t1753 + _t910;
																							if( *_t1753 != 0) {
																								L174:
																								if(_t2088 != 0) {
																									goto L183;
																								} else {
																									 *_t910 =  *_t910 + _t910;
																									_t910 = _t910 + 3;
																									_t2089 = _t910;
																									goto L176;
																								}
																							} else {
																								 *_t910 =  *_t910 + _t910;
																								_t910 = _t910 + 3;
																								if(_t910 != 0) {
																									L176:
																									if(_t2089 == 0) {
																										 *_t910 =  *_t910 + _t910;
																										_t1430 = _t910 + 0x59;
																										if(_t1430 < 0) {
																											 *_t1430 =  *_t1430 + _t1430;
																											_push(es);
																											_t1624 = _t1624 |  *_t1513;
																											 *_t1861 =  *_t1861 + _t1430;
																										}
																										goto L179;
																									}
																								} else {
																									 *_t910 =  *_t910 + _t910;
																									_t1435 = _t910 + 0x58;
																									_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
																									 *_t1435 =  *_t1435 + _t1435;
																									_t1430 = _t1435 + 3;
																									if(_t1430 != 0) {
																										L179:
																										_t1431 = _t1430 -  *_t1430;
																										 *_t1431 =  *_t1431 + _t1431;
																										asm("adc esi, [eax]");
																										_t1432 = _t1431 +  *_t1431;
																										asm("sbb eax, [eax]");
																										 *_t1432 =  *_t1432 + _t1432;
																										ds = es;
																										 *_t1432 =  *_t1432 + _t1432;
																										asm("adc [eax], eax");
																										 *_t1432 =  *_t1432 + _t1432;
																										_t1433 = _t1432 + 3;
																										_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3f)) +  *((intOrPtr*)(_t1513 +  *((intOrPtr*)(_t1513 + 0x3f)) + 0x40));
																										 *_t1433 =  *_t1433 + _t1433;
																										_t1434 = _t1433 + 3;
																										if(_t1434 < 0) {
																											 *_t1434 =  *_t1434 + _t1434;
																											L181:
																											_push(es);
																											_t1624 = _t1624 |  *_t1513;
																											 *_t1861 =  *_t1861 + _t1434;
																										}
																										_push(es);
																										_t910 = _t1434 -  *_t1434;
																										asm("adc esi, [eax]");
																										L183:
																										 *_t1513 =  *_t1513 ^ _t910;
																										 *_t1513 =  *_t1513 + _t1513;
																										 *_t910 =  *_t910 + _t910;
																									} else {
																										 *_t1430 =  *_t1430 + _t1430;
																										goto L170;
																									}
																								}
																							}
																						}
																					}
																				}
																			} else {
																				 *_t910 =  *_t910 + _t910;
																				_t910 = _t910 + 0x5a;
																				_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
																				_t2072 = _t1513;
																				goto L149;
																			}
																		}
																	}
																}
															}
														} else {
															 *_t910 =  *_t910 + _t910;
															_t1453 = _t910 + 0x6c;
															_t1596 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d));
															goto L134;
														}
													}
												}
											}
											goto L184;
											L126:
											_t1599 = _t1598 + _t1753[0x1c];
											asm("cld");
										} else {
											 *_t906 =  *_t906 + _t906;
											_t1459 = _t906 + 0x59;
											_t1600 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d));
											 *_t1459 =  *_t1459 + _t1459;
											_t1460 = _t1459 + 3;
											goto L116;
										}
									} else {
										 *_t906 =  *_t906 + _t906;
										_t1465 = _t906 + 0x58;
										_t1600 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d));
										 *_t1465 =  *_t1465 + _t1465;
										_t1460 = _t1465 + 3;
										_t2033 = _t1460;
										goto L106;
									}
								} else {
									 *_t906 =  *_t906 + _t906;
									_t1470 = _t906 + 0x5a;
									_pop(_t1624);
									_t1600 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3c));
									 *_t1470 =  *_t1470 + _t1470;
									_t1460 = _t1470 + 3;
									if(_t1460 != 0) {
										L106:
										if(_t2033 != 0) {
											L116:
											_t1859 = _t1824 +  *((intOrPtr*)(_t1600 + 0x3d));
										} else {
											 *_t1460 =  *_t1460 + _t1460;
											_t1466 = _t1460 + 0x58;
											_t1513 = _t1600 +  *((intOrPtr*)(_t1600 + 0x3e));
											 *_t1466 =  *_t1466 + _t1466;
											_t904 = _t1466 + 2;
											L108:
											_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x3d));
										}
									} else {
										 *_t1460 =  *_t1460 + _t1460;
										goto L97;
									}
								}
							}
						}
					}
				}
				L184:
				 *_t1824 =  *_t1824 + _t1513;
				 *_t910 =  *_t910 + _t910;
				asm("adc [eax], eax");
				 *_t910 =  *_t910 + _t910;
				_t911 = _t910 + 2;
				_t1826 = _t1824 +  *((intOrPtr*)(_t1513 + 0x3f)) +  *((intOrPtr*)(_t1513 + 0x40));
				 *_t911 =  *_t911 + _t911;
				_t912 = _t911 + 2;
				_pop(_t1755);
				if(_t912 < 0) {
					 *_t912 =  *_t912 + _t912;
					_push(es);
					_t1624 = _t1624 |  *_t1513;
					 *_t1861 =  *_t1861 + _t912;
				}
				_push(es);
				asm("adc esi, [eax]");
				_t914 = _t912 -  *_t912 +  *((intOrPtr*)(_t912 -  *_t912));
				 *_t914 =  *_t914 & _t914;
				 *_t914 =  *_t914 + _t914;
				asm("sbb al, [eax]");
				 *_t1624 =  *_t1624 + _t1755;
				 *_t1755 =  *_t1755 + _t914;
				if( *_t1755 != 0) {
					L192:
					_push(es);
					_t1624 = _t1624 |  *_t1513;
					 *_t1861 =  *_t1861 + _t914;
					_t915 = _t914 -  *_t914;
					goto L193;
				} else {
					 *_t914 =  *_t914 + _t914;
					_t915 = _t914 + 3;
					if(_t915 != 0) {
						L193:
						 *_t915 =  *_t915 + _t915;
						 *_t1513 = _t1755 +  *_t1513;
						 *_t1513 =  *_t1513 ^ _t915;
						 *0x1f000000 =  *0x1f000000 + _t915;
						 *_t915 =  *_t915 + _t915;
						goto L194;
					} else {
						 *_t915 =  *_t915 + _t915;
						_t1424 = _t915 + 0x5a;
						_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
						 *_t1424 =  *_t1424 + _t1424;
						_t915 = _t1424 + 3;
						if(_t915 != 0) {
							L194:
							asm("adc [eax], eax");
							_t1515 = _t1513 +  *((intOrPtr*)(_t1513 + 0x41));
							 *_t915 =  *_t915 + _t915;
							_t916 = _t915 + 2;
							if(_t916 != 0) {
								goto L203;
							} else {
								 *_t916 =  *_t916 + _t916;
								_t1420 = _t916 + 0x5b;
								_t1515 = _t1515 + _t1515[0x10];
								 *_t1420 =  *_t1420 + _t1420;
								_t920 = _t1420 + 2;
								if(_t920 != 0) {
									goto L204;
								} else {
									 *_t920 =  *_t920 + _t920;
									_t1421 = _t920 + 0x5b;
									_t2108 = _t1421;
									goto L197;
								}
							}
						} else {
							 *_t915 =  *_t915 + _t915;
							_pop(_t1426);
							_t1624 = _t1624 |  *_t1513;
							 *_t1861 =  *_t1861 + _t1426;
							_t1427 = _t1426 -  *_t1426;
							 *_t1427 =  *_t1427 + _t1427;
							asm("adc esi, [eax]");
							_t1428 = _t1427 +  *_t1427;
							asm("sbb [eax], eax");
							 *_t1428 =  *_t1428 + _t1428;
							_t1421 = _t1428 ^  *_t1428;
							 *_t1624 =  *_t1624 + _t1755;
							 *_t1755 =  *_t1755 + _t1421;
							if( *_t1755 != 0) {
								L197:
								if(_t2108 < 0) {
									 *_t1421 =  *_t1421 + _t1421;
									_push(es);
									_t1624 = _t1624 |  *_t1515;
									 *_t1861 =  *_t1861 + _t1421;
								}
								_push(es);
								_t1422 = _t1421 -  *_t1421;
								 *_t1422 =  *_t1422 + _t1422;
								asm("adc esi, [eax]");
								_t923 = _t1422 +  *_t1422;
								asm("insb");
								 *_t923 =  *_t923 + _t923;
								 *_t1515 =  *_t1515 + _t923;
								 *_t1624 =  *_t1624 + _t1755;
								 *_t1755 =  *_t1755 + _t923;
								if( *_t1755 != 0) {
									L205:
									 *_t923 =  *_t923 + _t923;
									_t924 = _t923 + 6;
									_pop(_t1519);
									if (_t924 >= 0) goto L208;
									goto L206;
								} else {
									 *_t923 =  *_t923 + _t923;
									_t924 = _t923 + 2;
									if(_t924 != 0) {
										L206:
										_push(es);
									} else {
										 *_t924 =  *_t924 + _t924;
										_t1423 = _t924 + 0x5a;
										_t1519 = _t1515 + _t1515[0x10];
										 *_t1423 =  *_t1423 + _t1423;
										_t925 = _t1423 + 2;
										if(_t925 == 0) {
											 *_t925 =  *_t925 + _t925;
											L203:
											_pop(_t918);
											_t920 = (_t918 |  *_t1861) &  *(_t918 |  *_t1861);
											 *_t920 =  *_t920 + _t920;
											 *_t920 =  *_t920 + _t920;
											 *_t920 =  *_t920 + _t920;
											L204:
											_t1755 = _t1755 + _t1515;
											 *_t1861 = _t1755 +  *_t1861;
											 *_t1624 =  *_t1624 + 1;
											_t922 = (_t920 |  *_t1826) - 0x20;
											 *_t1861 =  *_t1861 + _t922;
											 *_t922 =  *_t922 - _t1515;
											 *_t922 =  *_t922 + _t922;
											_t1624 = _t1624 |  *_t1755;
											 *_t922 =  *_t922 + _t922;
											_t923 = _t922 + 6;
											goto L205;
										}
									}
								}
							} else {
								do {
									 *_t1421 =  *_t1421 + _t1421;
									_t1429 = _t1421 + 0x69;
									_t1513 = _t1513 +  *((intOrPtr*)(_t1513 + 0x40));
									 *_t1429 =  *_t1429 + _t1429;
									_t1421 = _t1429 + 0x69;
								} while (_t1421 >= 0);
								 *_t1421 =  *_t1421 + _t1421;
								goto L192;
							}
						}
					}
				}
				 *_t925 =  *_t925 + _t925;
				_t926 = _t925 &  *_t925;
				 *_t926 =  *_t926 + _t926;
				 *_t926 =  *_t926 + _t926;
				 *_t926 =  *_t926 + _t926;
				 *((intOrPtr*)(_t1519 + 6)) =  *((intOrPtr*)(_t1519 + 6)) + _t1755;
			}

0x00237194
0x00237194
0x00237194
0x00237194
0x00237196
0x00237198
0x00237199
0x0023719b
0x0023719e
0x002371a0
0x002371a2
0x002371a4
0x002371a7
0x002371a8
0x002371a9
0x002371ab
0x002371ac
0x002371ad
0x002371ae
0x002371b0
0x002371b4
0x002371b5
0x002371b7
0x002371b8
0x002371b9
0x002371bb
0x002371bc
0x002371be
0x002371c0
0x002371c5
0x002371c7
0x002371cd
0x002371d5
0x002371d8
0x002371d9
0x002371da
0x002371dc
0x002371df
0x002371e1
0x002371e2
0x002371e3
0x002371e5
0x002371e7
0x002371e7
0x002371ee
0x002371f0
0x002371f2
0x002371f4
0x002371f6
0x002371f8
0x002371fa
0x002371fc
0x002371fe
0x00237236
0x00237236
0x00237239
0x0023723d
0x00000000
0x00237200
0x00237200
0x00237204
0x00237206
0x0023723e
0x0023723e
0x00237240
0x00237242
0x00237246
0x00237248
0x0023724a
0x0023724a
0x0023724b
0x0023724d
0x0023724e
0x00237250
0x00000000
0x00237250
0x00237208
0x00237208
0x0023720a
0x0023720c
0x0023720d
0x0023720f
0x00237211
0x00237214
0x00237218
0x00237219
0x00237251
0x00237251
0x00237255
0x00237256
0x00237258
0x00237259
0x0023725b
0x0023725f
0x00237265
0x00237267
0x00237269
0x0023726b
0x0023726c
0x0023726e
0x0023726f
0x00237271
0x00237274
0x00237276
0x0023721b
0x0023721b
0x0023721d
0x0023721f
0x00237221
0x00237225
0x00237228
0x0023722c
0x0023722e
0x00237231
0x00237233
0x00237235
0x00000000
0x00237235
0x00237219
0x00237206
0x0023727b
0x00237281
0x00237283
0x00237285
0x00237287
0x002372a9
0x002372a9
0x002372aa
0x00000000
0x002372ac
0x002372ac
0x002372ae
0x002372af
0x002372b1
0x002372b3
0x002372b5
0x002372b7
0x002372b9
0x002372b9
0x00237289
0x00237289
0x0023728b
0x0023728d
0x0023728f
0x00237291
0x00237293
0x00237294
0x00237294
0x00237296
0x0023729d
0x002372a1
0x002372a3
0x002372a5
0x002372a7
0x002372a7
0x00000000
0x002372a7
0x002372a3
0x002372bb
0x002372bd
0x002372bf
0x002372c5
0x002372c7
0x002372c9
0x002372d0
0x002372db
0x002372dd
0x002372df
0x002372e3
0x002372e4
0x002372e7
0x002372ef
0x002372f1
0x002372f3
0x002372f7
0x002372f8
0x002372fe
0x00237307
0x00237309
0x0023730b
0x0023730f
0x00237310
0x0023731d
0x0023731f
0x00237321
0x00237325
0x00237326
0x00237329
0x00237334
0x00237336
0x00237338
0x0023733c
0x0023733d
0x00237340
0x00237349
0x0023734b
0x0023734d
0x00237351
0x00237357
0x00237360
0x00237362
0x00237364
0x00237368
0x00237369
0x00237378
0x0023737a
0x0023737c
0x00237380
0x00237391
0x00237393
0x00237395
0x00237399
0x0023739b
0x0023739c
0x0023739d
0x0023739f
0x002373a4
0x002373a6
0x002373a8
0x002373aa
0x002373b1
0x002373b2
0x002373b4
0x002373b6
0x002373b7
0x002373b9
0x002373ba
0x002373bc
0x002373be
0x002373c3
0x002373c5
0x002373c7
0x002373cd
0x002373cf
0x002373d1
0x002373d8
0x002373de
0x002373e3
0x002373e5
0x002373e7
0x002373ea
0x002373eb
0x00237401
0x00237406
0x00237408
0x0023740c
0x00237412
0x00237413
0x00237415
0x00237417
0x00237418
0x0023741a
0x0023741b
0x0023741d
0x0023741f
0x00237421
0x00237427
0x00237429
0x0023742b
0x00237431
0x00237435
0x0023743c
0x00237447
0x00237449
0x0023744e
0x00237450
0x00237454
0x00237456
0x00237463
0x00237468
0x0023746a
0x0023746c
0x0023746e
0x00237476
0x00237478
0x0023747a
0x0023747b
0x0023747e
0x00237480
0x00237482
0x00237487
0x00237489
0x0023748b
0x0023748d
0x00237491
0x00237495
0x0023749c
0x002374a7
0x002374a8
0x002374b4
0x002374b5
0x002374b7
0x002374b9
0x002374bb
0x002374bd
0x002374c0
0x002374c1
0x002374c3
0x002374c8
0x002374ca
0x002374cc
0x002374ce
0x002374d5
0x002374d6
0x002374d8
0x002374da
0x002374db
0x002374de
0x002374e0
0x002374e2
0x002374e4
0x002374e5
0x002374e7
0x002374e9
0x002374eb
0x002374ed
0x002374ee
0x002374f9
0x002374fb
0x002374fd
0x00237504
0x00237509
0x0023750f
0x00237511
0x00237513
0x00237514
0x0023751f
0x00237521
0x00237523
0x00237526
0x00237528
0x0023752a
0x0023752c
0x0023752e
0x00237530
0x00237531
0x00237533
0x00237535
0x00237536
0x00237541
0x00237549
0x0023754e
0x00237550
0x00237554
0x0023755a
0x0023755b
0x0023755d
0x0023755e
0x00237565
0x00237567
0x00237569
0x0023756f
0x00237571
0x00237573
0x00237576
0x00237578
0x0023757b
0x0023757e
0x00237583
0x00237589
0x0023758b
0x0023758e
0x0023758f
0x00237592
0x00237598
0x0023759e
0x002375a0
0x002375dc
0x002375dc
0x002375de
0x002375e0
0x002375e4
0x002375e6
0x002375e8
0x002375ea
0x002375ec
0x002375ee
0x002375f0
0x002375f2
0x00000000
0x002375f4
0x002375f4
0x002375f6
0x002375f8
0x00000000
0x002375fa
0x002375fa
0x002375fc
0x002375fe
0x00000000
0x002375fe
0x002375f8
0x002375a2
0x002375a2
0x002375a6
0x002375aa
0x002375ad
0x002375ae
0x002375ae
0x002375b0
0x002375b2
0x002375b4
0x002375b5
0x002375b7
0x002375b9
0x002375bb
0x002375bd
0x002375c0
0x002375c2
0x002375c4
0x00237600
0x00237602
0x00237602
0x00237605
0x00000000
0x00237607
0x00237607
0x0023760b
0x0023760c
0x00000000
0x0023760c
0x002375c6
0x002375c6
0x002375c7
0x002375c7
0x002375ca
0x002375cd
0x002375cf
0x002375d1
0x0023760e
0x0023760e
0x00237610
0x00237612
0x00237614
0x00237616
0x00237618
0x0023761a
0x0023761c
0x0023761d
0x0023761f
0x00237621
0x00000000
0x00237623
0x00237623
0x00237624
0x00237624
0x00237627
0x00237663
0x00237665
0x00237665
0x00237668
0x00000000
0x0023766a
0x0023766a
0x0023766c
0x0023766e
0x00000000
0x0023766e
0x00237629
0x00237629
0x0023762b
0x0023762d
0x0023762e
0x0023762e
0x00237632
0x00237632
0x00237634
0x00237634
0x00000000
0x00237636
0x00237636
0x00237637
0x00237637
0x0023763a
0x00237677
0x00237677
0x00237679
0x0023767b
0x00237670
0x00237672
0x00237672
0x00237675
0x00000000
0x00000000
0x00000000
0x00000000
0x0023767d
0x0023767d
0x0023767f
0x00237680
0x00237682
0x00237684
0x00237686
0x00237688
0x0023768c
0x00237691
0x00237693
0x00237695
0x00237698
0x0023769a
0x0023769c
0x002376d8
0x002376d8
0x002376d9
0x00000000
0x00000000
0x002376db
0x002376dd
0x002376de
0x002376e0
0x002376e2
0x002376e4
0x00000000
0x0023769e
0x0023769e
0x002376a0
0x002376a2
0x002376a4
0x002376a4
0x002376a6
0x002376a6
0x002376a9
0x00000000
0x00000000
0x002376ab
0x002376ad
0x002376af
0x00000000
0x002376b1
0x002376b1
0x002376b2
0x002376b2
0x002376b4
0x002376b6
0x002376b8
0x002376ba
0x002376bc
0x002376be
0x002376c0
0x002376c2
0x002376c4
0x002376c6
0x002376c8
0x002376ca
0x002376cc
0x002376ce
0x002376ce
0x002376d1
0x002376d4
0x002376d6
0x002376d6
0x00000000
0x002376d6
0x002376ca
0x00000000
0x002376af
0x002376e6
0x002376e6
0x002376e8
0x002376ea
0x002376ec
0x002376ee
0x002376f0
0x002376f2
0x0023772e
0x0023772f
0x00237731
0x00237733
0x00000000
0x00237733
0x00000000
0x002376f4
0x002376f4
0x002376f6
0x002376f8
0x00237734
0x00237734
0x00237736
0x00237737
0x00237737
0x00237738
0x0023773b
0x0023773d
0x0023777b
0x0023777b
0x0023777c
0x0023777f
0x00237781
0x00237783
0x002377c3
0x002377c5
0x002377c7
0x00000000
0x002377c9
0x002377c9
0x002377cd
0x002377ce
0x002377d0
0x002377d1
0x002377d1
0x002377d4
0x002377d6
0x002377db
0x002377de
0x002377e0
0x00000000
0x002377e0
0x00237785
0x00237785
0x00237789
0x0023778a
0x0023778b
0x0023778d
0x0023778f
0x00000000
0x0023778f
0x0023773f
0x0023773f
0x00237741
0x0023774f
0x00237751
0x00237753
0x00237755
0x00237757
0x0023775d
0x0023775f
0x00237761
0x00237764
0x00237766
0x00237768
0x002377a6
0x002377a6
0x002377e4
0x002377e4
0x002377e6
0x002377e6
0x00000000
0x002377a8
0x002377a8
0x002377aa
0x002377ac
0x002377ea
0x002377ea
0x002377ed
0x00237791
0x00237793
0x00237794
0x00000000
0x002377ef
0x002377ef
0x002377ef
0x002377f2
0x002377f4
0x002377f6
0x002377f6
0x002377f8
0x002377fa
0x00237795
0x00237795
0x00237797
0x00237799
0x00000000
0x002377fc
0x002377fc
0x002377fd
0x00237800
0x00237802
0x00237802
0x00237804
0x00237807
0x00237807
0x0023779a
0x0023779a
0x0023779c
0x0023779d
0x0023779f
0x002377a1
0x002377a3
0x002377a5
0x002377a5
0x00000000
0x00237809
0x00237809
0x0023780a
0x0023780d
0x00237812
0x00237814
0x00237816
0x00237818
0x00000000
0x0023781a
0x0023781b
0x0023781e
0x00237820
0x00237822
0x00237827
0x00237828
0x0023782b
0x0023782b
0x00237818
0x00237807
0x002377fa
0x002377f2
0x002377ae
0x002377ae
0x002377b0
0x002377b2
0x002377b2
0x002377b3
0x002377b3
0x00000000
0x002377b3
0x002377ac
0x0023776a
0x0023776a
0x0023776c
0x0023776e
0x00237771
0x00237773
0x00237775
0x00237777
0x00000000
0x00237779
0x00237775
0x00237768
0x002376fa
0x002376fa
0x002376fc
0x002376fe
0x00237701
0x00237703
0x00237705
0x00000000
0x00237705
0x002376f8
0x002376f2
0x0023769c
0x0023763c
0x0023763c
0x0023763e
0x00237640
0x00237642
0x00237642
0x00237648
0x0023764a
0x0023764c
0x0023764e
0x00237650
0x00237652
0x00237654
0x00237658
0x0023765d
0x0023765f
0x00237661
0x00000000
0x00237661
0x0023763a
0x00237634
0x00237627
0x002375d3
0x002375d3
0x002375d7
0x002375d8
0x002375d9
0x002375db
0x00000000
0x002375db
0x002375d1
0x002375c4
0x00237830
0x00237830
0x00237832
0x00237834
0x00237836
0x00000000
0x00000000
0x00237838
0x00237839
0x0023783c
0x0023783e
0x00237840
0x00237845
0x00237849
0x0023784c
0x0023784e
0x00237853
0x00237856
0x00237858
0x0023785a
0x00237899
0x00237899
0x0023789c
0x0023789f
0x00000000
0x0023785c
0x0023785c
0x0023785e
0x00237860
0x002378a0
0x002378a0
0x002378a0
0x002378a3
0x00000000
0x002378a5
0x002378a5
0x002378a7
0x002378a7
0x002378a8
0x002378a8
0x002378a9
0x002378a9
0x00000000
0x002378a8
0x00237862
0x00237862
0x00237864
0x00237866
0x00237869
0x0023786b
0x0023786d
0x002378ac
0x002378ac
0x002378ae
0x002378af
0x002378b1
0x002378b3
0x002378b5
0x002378b8
0x00000000
0x0023786f
0x0023786f
0x00237871
0x00237873
0x00237874
0x00237877
0x00237879
0x0023787b
0x002378b9
0x002378b9
0x002378bb
0x002378be
0x002378c0
0x002378c2
0x00237900
0x00237902
0x00237940
0x00237942
0x00000000
0x00237944
0x00237944
0x00000000
0x00237944
0x00237904
0x00237904
0x00000000
0x00237904
0x002378c4
0x002378c4
0x002378c6
0x002378c6
0x00000000
0x002378c6
0x0023787d
0x0023787d
0x0023787f
0x00237881
0x00237884
0x00237886
0x00237888
0x002378c8
0x002378c8
0x00237906
0x00237906
0x00237908
0x00237946
0x00237946
0x0023794c
0x0023794e
0x00237950
0x00237951
0x00237954
0x00237956
0x00237956
0x0023795b
0x0023795d
0x0023795e
0x00237960
0x00237961
0x00237964
0x00237966
0x00237968
0x00237969
0x0023796b
0x0023796d
0x0023796f
0x00237971
0x00237974
0x00237976
0x00237978
0x002379b6
0x002379bb
0x002379be
0x002379c0
0x002379c2
0x00000000
0x00000000
0x00000000
0x00000000
0x0023797a
0x0023797a
0x0023797c
0x0023797e
0x00237980
0x00237985
0x002379c4
0x002379c4
0x002379c6
0x002379c7
0x002379c9
0x002379ce
0x002379d0
0x00000000
0x002379d2
0x002379d2
0x00000000
0x002379d2
0x00237987
0x00237987
0x0023798b
0x0023798c
0x0023798f
0x00237991
0x00237993
0x002379d3
0x002379d3
0x002379d6
0x002379d8
0x002379d9
0x002379db
0x002379dd
0x002379df
0x002379e1
0x002379e3
0x002379e5
0x002379e7
0x002379e9
0x002379eb
0x00000000
0x00237995
0x00237995
0x00237999
0x0023799a
0x0023799c
0x002379a0
0x002379a2
0x002379a4
0x002379a6
0x002379a8
0x002379aa
0x002379ac
0x002379ae
0x002379ec
0x002379ec
0x002379ee
0x00237a2f
0x00237a2f
0x00000000
0x00237a31
0x00237a31
0x00237a33
0x00237a33
0x00000000
0x00237a33
0x002379f0
0x002379f0
0x002379f2
0x002379f4
0x00237a35
0x00237a35
0x00000000
0x00237a37
0x00237a37
0x00237a3b
0x00237a3c
0x00237a3e
0x00237a40
0x00237a42
0x00000000
0x00237a42
0x002379f6
0x002379f6
0x002379f8
0x002379fa
0x002379fa
0x002379fc
0x002379fc
0x002379fd
0x002379ff
0x00237a01
0x00237a43
0x00237a43
0x00237a45
0x00237a4b
0x00237a4e
0x00237a50
0x00237a53
0x00237a54
0x00237a54
0x00237a57
0x00000000
0x00237a59
0x00237a59
0x00237a5b
0x00237a5d
0x00237a5f
0x00000000
0x00237a61
0x00237a61
0x00237a62
0x00237a62
0x00237a62
0x00000000
0x00237a62
0x00237a5f
0x00237a03
0x00237a03
0x00237a07
0x00237a08
0x00237a0a
0x00237a0c
0x00237a0e
0x00237a10
0x00237a11
0x00237a11
0x00237a12
0x00237a12
0x00237a14
0x00237a16
0x00237a18
0x00237a1a
0x00237a1c
0x00237a1e
0x00237a20
0x00237a22
0x00237a63
0x00237a63
0x00000000
0x00237a65
0x00237a65
0x00237a67
0x00237a67
0x00000000
0x00237a67
0x00237a24
0x00237a24
0x00237a26
0x00237a28
0x00237a69
0x00237a69
0x00000000
0x00237a6b
0x00237a6b
0x00237a6c
0x00237a6c
0x00237a6c
0x00237a6f
0x00237ab1
0x00237ab1
0x00237ab3
0x00237ab5
0x00237ab7
0x00237ab8
0x00237aba
0x00237aba
0x00237abb
0x00237abc
0x00237abe
0x00237ac0
0x00237ac4
0x00237ac9
0x00237acb
0x00237acd
0x00237ad0
0x00237ad2
0x00237ad4
0x00000000
0x00237ad6
0x00237ad6
0x00237ad8
0x00237ada
0x00237ada
0x00000000
0x00237ada
0x00237a71
0x00237a71
0x00237a71
0x00237a73
0x00237a75
0x00237a77
0x00237a77
0x00000000
0x00237a79
0x00237a79
0x00237a7a
0x00237a7a
0x00237a7d
0x00237a7f
0x00237a81
0x00237a89
0x00237a8a
0x00237a8c
0x00237a8d
0x00237a8d
0x00237a8f
0x00237a95
0x00237a97
0x00237a98
0x00237a98
0x00237a9a
0x00237adb
0x00237adb
0x00000000
0x00237add
0x00237add
0x00237adf
0x00237adf
0x00000000
0x00237adf
0x00237a9c
0x00237a9c
0x00237a9e
0x00237aa0
0x00237ae1
0x00237ae1
0x00237ae3
0x00237ae5
0x00237ae7
0x00237ae9
0x00237aeb
0x00237aec
0x00237aee
0x00237aee
0x00000000
0x00237ae7
0x00237aa2
0x00237aa2
0x00237aa4
0x00237aa6
0x00237aa9
0x00237aab
0x00237aad
0x00237aef
0x00237af0
0x00237af2
0x00237af4
0x00237af6
0x00237af8
0x00237afa
0x00237afc
0x00237afd
0x00237aff
0x00237b04
0x00237b06
0x00237b09
0x00237b0c
0x00237b0e
0x00237b11
0x00237b13
0x00237b15
0x00237b15
0x00237b16
0x00237b18
0x00237b18
0x00237b19
0x00237b1a
0x00237b1c
0x00237b1d
0x00237b1d
0x00237b1f
0x00237b21
0x00237aaf
0x00237aaf
0x00000000
0x00237aaf
0x00237aad
0x00237aa0
0x00237a9a
0x00237a77
0x00237a6f
0x00237a2a
0x00237a2a
0x00237a2c
0x00237a2e
0x00237a2e
0x00000000
0x00237a2e
0x00237a28
0x00237a22
0x00237a01
0x002379f4
0x002379b0
0x002379b0
0x002379b2
0x002379b4
0x00000000
0x002379b4
0x002379ae
0x00237993
0x00237985
0x00000000
0x00237957
0x00237957
0x0023795a
0x0023790a
0x0023790a
0x0023790c
0x0023790e
0x00237911
0x00237913
0x00000000
0x00237913
0x002378ca
0x002378ca
0x002378cc
0x002378ce
0x002378d1
0x002378d3
0x002378d3
0x00000000
0x002378d3
0x0023788a
0x0023788a
0x0023788c
0x0023788e
0x0023788f
0x00237892
0x00237894
0x00237896
0x002378d5
0x002378d5
0x00237914
0x00237914
0x002378d7
0x002378d7
0x002378d9
0x002378db
0x002378de
0x002378e0
0x002378e1
0x002378e1
0x002378e1
0x00237898
0x00237898
0x00000000
0x00237898
0x00237896
0x00237888
0x0023787b
0x0023786d
0x00237860
0x00237b23
0x00237b23
0x00237b25
0x00237b27
0x00237b2c
0x00237b2e
0x00237b31
0x00237b34
0x00237b36
0x00237b38
0x00237b39
0x00237b3b
0x00237b3d
0x00237b3e
0x00237b40
0x00237b40
0x00237b41
0x00237b44
0x00237b46
0x00237b48
0x00237b4a
0x00237b4c
0x00237b4e
0x00237b50
0x00237b52
0x00237b93
0x00237b93
0x00237b94
0x00237b96
0x00237b98
0x00000000
0x00237b54
0x00237b54
0x00237b56
0x00237b58
0x00237b99
0x00237b99
0x00237b9b
0x00237b9d
0x00237b9f
0x00237ba5
0x00000000
0x00237b5a
0x00237b5a
0x00237b5c
0x00237b5e
0x00237b61
0x00237b63
0x00237b65
0x00237ba7
0x00237ba7
0x00237ba9
0x00237bac
0x00237bae
0x00237bb0
0x00000000
0x00237bb2
0x00237bb2
0x00237bb4
0x00237bb6
0x00237bb9
0x00237bbb
0x00237bbd
0x00000000
0x00237bbf
0x00237bbf
0x00237bc1
0x00237bc1
0x00000000
0x00237bc1
0x00237bbd
0x00237b67
0x00237b67
0x00237b6b
0x00237b6c
0x00237b6e
0x00237b70
0x00237b72
0x00237b74
0x00237b76
0x00237b78
0x00237b7a
0x00237b7c
0x00237b7e
0x00237b80
0x00237b82
0x00237bc3
0x00237bc3
0x00237bc5
0x00237bc7
0x00237bc8
0x00237bca
0x00237bca
0x00237bcb
0x00237bcc
0x00237bce
0x00237bd0
0x00237bd2
0x00237bd4
0x00237bd5
0x00237bd7
0x00237bda
0x00237bdc
0x00237bde
0x00237c1f
0x00237c1f
0x00237c21
0x00237c23
0x00237c24
0x00000000
0x00237be0
0x00237be0
0x00237be2
0x00237be4
0x00237c25
0x00237c25
0x00237be6
0x00237be6
0x00237be8
0x00237bea
0x00237bed
0x00237bef
0x00237bf1
0x00237bf3
0x00237bf5
0x00237bf7
0x00237bfa
0x00237bfc
0x00237bfe
0x00237c00
0x00237c02
0x00237c02
0x00237c04
0x00237c06
0x00237c0a
0x00237c0c
0x00237c0e
0x00237c10
0x00237c12
0x00237c17
0x00237c19
0x00000000
0x00237c1c
0x00237bf1
0x00237be4
0x00237b84
0x00237b84
0x00237b84
0x00237b86
0x00237b88
0x00237b8b
0x00237b8d
0x00237b8d
0x00237b91
0x00000000
0x00237b91
0x00237b82
0x00237b65
0x00237b58
0x00237c33
0x00237c35
0x00237c37
0x00237c39
0x00237c3b
0x00237c3d

Memory Dump Source

Source File: 00000000.00000002.294790223.0000000000232000.00000002.00020000.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.294775691.0000000000230000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.294938330.00000000002B0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910917f45e5ffc06db54a10805b015388ad3c47be7c63e29f44ab45f2151fb5a
Instruction ID: 7013bfcce0d2940b5e11a1c28eb07ab10fc5f3abcdaf012af22889fd2fd23513
Opcode Fuzzy Hash: 910917f45e5ffc06db54a10805b015388ad3c47be7c63e29f44ab45f2151fb5a
Instruction Fuzzy Hash: 02834BA250E3C19FD7138B789CB16D17FB0AE67214B1E05C7D4C0CF0A3E269696AD762

Uniqueness

Uniqueness Score: -1.00%

Function 06DF9410, Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

E,8K, xrefs: 06DF9686
E,8K, xrefs: 06DF967F
xg4V, xrefs: 06DF94D3

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: E,8K$E,8K$xg4V
API String ID: 0-3055588417
Opcode ID: 3deb5932a166c41bb7634f21a0a7eccdddc37db2113e24d0bf787a6b6e569478
Instruction ID: f391cbfe3f80fa2464ea1c464b59273936fc9503a90294c8882a3a7a350b7855
Opcode Fuzzy Hash: 3deb5932a166c41bb7634f21a0a7eccdddc37db2113e24d0bf787a6b6e569478
Instruction Fuzzy Hash: B6911374E10219CFCB44CFAAC584A9EFBF2FF88250F158459D529AB360D730AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA6C0, Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

v\, xrefs: 06DFA819
v\, xrefs: 06DFA812

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: v\$v\
API String ID: 0-3517818407
Opcode ID: 25d2a11e4e46803b3dc9e6710999e401b43d00640345e8ce0ab0127ff39ecb89
Instruction ID: 3747c78bcf63682ef7d87c65a7f857a111cf487838126d3058add9a4e8fe9b0f
Opcode Fuzzy Hash: 25d2a11e4e46803b3dc9e6710999e401b43d00640345e8ce0ab0127ff39ecb89
Instruction Fuzzy Hash: 04510D70D1521ADFDB48DFAAC5805AEFBF2BF88300F28D469C519B7254D3349A428FA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFD1E8, Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

|]lQ, xrefs: 06DFD5DF

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: |]lQ
API String ID: 0-2985113618
Opcode ID: d4d1820f1c062341ff3546cfd6d654da3ed2dd9da050e446a40f74b010d9ec9b
Instruction ID: c4ff3665b32ffb9210b875109573594526a5654b402a6b572aa1fd15aa4301e6
Opcode Fuzzy Hash: d4d1820f1c062341ff3546cfd6d654da3ed2dd9da050e446a40f74b010d9ec9b
Instruction Fuzzy Hash: B0D1CB71E1421A8FCF54CFB9C5506EEBBF3EF88214F228429D615A7354EB34E9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DFBD48, Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

mLR, xrefs: 06DFBDBE

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: mLR
API String ID: 0-213581825
Opcode ID: 0861f535b4caf3adf9c82cbbd6cc5ec4f2c0b56bca6a72f3658e20bdd0077145
Instruction ID: a10afcb7cc2478febc158840415f099051d5000f42648fa8e670887b1441dce1
Opcode Fuzzy Hash: 0861f535b4caf3adf9c82cbbd6cc5ec4f2c0b56bca6a72f3658e20bdd0077145
Instruction Fuzzy Hash: 71D16E74E142198FDB54CFA9C980AAEFBF2FF89300F24856AD509AB355D7309941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DF9402, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

xg4V, xrefs: 06DF94D3

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: xg4V
API String ID: 0-4218785276
Opcode ID: 633ad1211ccb7d97133caae6a01c9e3324bcd6d4aae5ad656116c1d3ef779de7
Instruction ID: b3c0d5659445aa79ea317946be95661ffb7cfe37838b5e7f85ce9c7f4b0bf188
Opcode Fuzzy Hash: 633ad1211ccb7d97133caae6a01c9e3324bcd6d4aae5ad656116c1d3ef779de7
Instruction Fuzzy Hash: 28813474E14219CFCB44CFA9C580A9EFBF2FF88310B158465D529AB260D730EA02CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA018, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

Y%r0, xrefs: 06DFA243

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: Y%r0
API String ID: 0-2450993383
Opcode ID: 4a6014aae86858105122f761988b105c93b9a4f07bd36aa96a9ef4969ca000b7
Instruction ID: 6c3af8e66e55e0202e5669e7ab9314aa6e433b609094c906331f0914a75dcc4f
Opcode Fuzzy Hash: 4a6014aae86858105122f761988b105c93b9a4f07bd36aa96a9ef4969ca000b7
Instruction Fuzzy Hash: B0713974E1020ADFDB44CF96D5819AEFBB1FF88310F1A9559D619AB314D330A942CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA008, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

Y%r0, xrefs: 06DFA243

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: Y%r0
API String ID: 0-2450993383
Opcode ID: 29a5a6bcee0441774b1cef81d158315eeebadcbf69091404a076d4fc40db02d9
Instruction ID: 797b44d30e293cc4c8a1daae6dc8f295c4628e118bc0c4ca8037d5e3c049b6a8
Opcode Fuzzy Hash: 29a5a6bcee0441774b1cef81d158315eeebadcbf69091404a076d4fc40db02d9
Instruction Fuzzy Hash: 61612874E1420ADFCB44CF9AD4819AEFBB1FF88310F19855AD919AB314D334A942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA6B2, Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

v\, xrefs: 06DFA819

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID: v\
API String ID: 0-1980790632
Opcode ID: ca5c7988f03e4ab93b9e57227d7171fe8ee7bf6bbec3232096954e1c3a520878
Instruction ID: 98368b1690f5698bce3a3acd4609a0ab655e53d165857bea0a1b221f1c72c252
Opcode Fuzzy Hash: ca5c7988f03e4ab93b9e57227d7171fe8ee7bf6bbec3232096954e1c3a520878
Instruction Fuzzy Hash: 81512D70D1520ADFDB48DFAAC5805AEFBF2BF88300F28D46AC519E7254D33496428FA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DF0E58, Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f406f9c9adacb4bb55887ca9aee190ad45ced8b87a560edb2e3a67aceff7de
Instruction ID: 3a3ee58a0e9a6fcc5c1b657f89b36938f434d6132c29dff8b5609f47b805c435
Opcode Fuzzy Hash: d2f406f9c9adacb4bb55887ca9aee190ad45ced8b87a560edb2e3a67aceff7de
Instruction Fuzzy Hash: E3026D75E20115CFDBA8CF69C884A6DB7F2BF89214B168169EA05DB371DB31EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06DFBE35, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ffd1e2ae3660b4f83b0454c07b6bfecffd69a303fed7b403c7a470aae48d79
Instruction ID: ca98ec168a57dc0b8c750dbe7b8ccb78b4b04b1b8bc1a86316fb61557e47a5fc
Opcode Fuzzy Hash: d5ffd1e2ae3660b4f83b0454c07b6bfecffd69a303fed7b403c7a470aae48d79
Instruction Fuzzy Hash: E0C13974E242198FCB54CFA5C980AAEFBF2FF89300F25859AD509AB355D7309941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04521018, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.299481444.0000000004520000.00000040.00000001.sdmp, Offset: 04520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180fc06de5665d583f702c984ffe55f6dc54fd355fd96286910622fe566ae527
Instruction ID: 35859ad5d1122829d7fe8949d5f6d368068528a4c81a7c43e89bd7e0414af2b3
Opcode Fuzzy Hash: 180fc06de5665d583f702c984ffe55f6dc54fd355fd96286910622fe566ae527
Instruction Fuzzy Hash: C4714870E1566ACFCB44CFA6C9444EEBBF2FB8A300F10942AD116E7254E7345A429F95

Uniqueness

Uniqueness Score: -1.00%

Function 06DF6C71, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6139fc9eede9efda9ace9cda9434f50bf6075ff4c072fa09db3f207b6f7a5bbb
Instruction ID: bc849f6db7c8a86886c73fe24630470fc225fffddb5dd76b63f86f8f01a751b3
Opcode Fuzzy Hash: 6139fc9eede9efda9ace9cda9434f50bf6075ff4c072fa09db3f207b6f7a5bbb
Instruction Fuzzy Hash: 01714670E2124ADFDB44CFA9D4819AEFBB1FB89310F11942AD655AB314C330DA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA918, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f65c7a7098fdb9c0c560d6036ef32bb5e57435ae47448c64778181f20b09d3
Instruction ID: 76ac891545ebe7f0fa2f926f80454f3255dba34a483eb30e65faae5bfdda051b
Opcode Fuzzy Hash: a3f65c7a7098fdb9c0c560d6036ef32bb5e57435ae47448c64778181f20b09d3
Instruction Fuzzy Hash: DC611670E15209DFDB44CFA9C5809DEFBF2BF88310F299429D519BB354D7319A418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFA90A, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b9e1264e4a0e9d08df51f78d2dee5602e39f3f7581389c1a1ddc09fa64bf41
Instruction ID: 80f3bc53fc46694d65133fdf5c4aca7ec7bab86e3d36a0a755a36b06a57809c1
Opcode Fuzzy Hash: 89b9e1264e4a0e9d08df51f78d2dee5602e39f3f7581389c1a1ddc09fa64bf41
Instruction Fuzzy Hash: 01613570E15209DFDB44CFA9C9808DEFBF2FF88210F29842AD509BB354D7319A418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFAB62, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddf85448eb2bdd28ef89113585b541261705078e20e7661851371e6f4152fef
Instruction ID: 97d1ae79f77c56044299fa18899733c976b38b88d9ed73a8338239d9e926b3a3
Opcode Fuzzy Hash: bddf85448eb2bdd28ef89113585b541261705078e20e7661851371e6f4152fef
Instruction Fuzzy Hash: A04118B4E1420ADFDB44CFAAC5415DEFBF2BB88300F19C4A6C509B7254D7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFAB70, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507adaa63a4ddb1f98a8d4277c3b5c0bded68528c69b52faa38e5e1fa410ec9d
Instruction ID: 7a3bd486e5f0e6f4961fe83a3943b2aafbcb6cb33818843c5d63cad6f88e6634
Opcode Fuzzy Hash: 507adaa63a4ddb1f98a8d4277c3b5c0bded68528c69b52faa38e5e1fa410ec9d
Instruction Fuzzy Hash: 5D41D4B4E1420ADFDB44CFAAC5815EEFBF2BB88200F15D46AC519A7214E7349A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DFD6E0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309250510.0000000006DF0000.00000040.00000001.sdmp, Offset: 06DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8b9d39a076adfffd75707ab19f3e3f671101d107ceb72cd6a3858dc53ab26d
Instruction ID: 3248aff5eec3cac87b7a5e9c657a43e9b94ff47e66cb49416bc45096e106a94f
Opcode Fuzzy Hash: 0f8b9d39a076adfffd75707ab19f3e3f671101d107ceb72cd6a3858dc53ab26d
Instruction Fuzzy Hash: E7211A71E116198FEB48CFAAD9406DEBBF3BFC8300F14C07AD508A7255DA304A068B51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 7lQnHeq3XF.exe PID: 784 Parent PID: 5360 7lQnHeq3XF.exeCOMMON

Executed Functions

Function 057BF5F8, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a972e47b074b09d65ec264b7d05d0dc61f5bbbb1d0ab6bfd18be6b7a5a449912
Instruction ID: 40dd571e4f45f95e2c30a841982bd63bc5e55d40e0a64ee3d9bc7880076ebd69
Opcode Fuzzy Hash: a972e47b074b09d65ec264b7d05d0dc61f5bbbb1d0ab6bfd18be6b7a5a449912
Instruction Fuzzy Hash: D8F16974A00209CFEB14DFA9C858BEDBBF2FF48704F15C169E405AB265DBB0A945DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0312B6C0, Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0312B730
GetCurrentThread.KERNEL32 ref: 0312B76D
GetCurrentProcess.KERNEL32 ref: 0312B7AA
GetCurrentThreadId.KERNEL32 ref: 0312B803

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8e80e234a78c7c2deef02825d79fbbfe1bedbb74a0599ef521300bda76ea181e
Instruction ID: 87f4afdb6b60807e1c03c158ea022634ec19b0a093f0e723ea4577c0489e8c2c
Opcode Fuzzy Hash: 8e80e234a78c7c2deef02825d79fbbfe1bedbb74a0599ef521300bda76ea181e
Instruction Fuzzy Hash: 5E5163B09046498FDB14DFA9D948B9EBBF1AF4C314F248459E019B7391C7349884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0312B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0312B730
GetCurrentThread.KERNEL32 ref: 0312B76D
GetCurrentProcess.KERNEL32 ref: 0312B7AA
GetCurrentThreadId.KERNEL32 ref: 0312B803

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 83c4ff823425406b5abe3d59d99721e56277c91f3a30763e051e4d0d23148431
Instruction ID: 120b51e416a0cbffde344156657a2912c060122edba2d60cd7c175ac73b062e9
Opcode Fuzzy Hash: 83c4ff823425406b5abe3d59d99721e56277c91f3a30763e051e4d0d23148431
Instruction Fuzzy Hash: 135151B49006498FDB14DFAADA88BDEBBF1AF4C314F248459E019B7390C734A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 057B17E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224cd9815ccc2dd8adc0a49a307caa6264179682d608e1b4c05a7f7c4f494f6f
Instruction ID: 0ab4810a2a6be7efe83a6caae07cf7966c87968def16590180c09529059f3cd8
Opcode Fuzzy Hash: 224cd9815ccc2dd8adc0a49a307caa6264179682d608e1b4c05a7f7c4f494f6f
Instruction Fuzzy Hash: 6522B078E05205CFEB14CB98D498FFEBBB2FB88310F618555D402AB365C7B4A881DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057BE190, Relevance: 1.7, APIs: 1, Instructions: 215threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 057BE289

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 41b82688e02f8fb8f1b731a7e738cbbbcd224a33ad283b5fea701968f5bb5d8c
Instruction ID: 1b9514bcfec8faddbc285f61c6f8503473cf631341b0f1648c1d33d7792bf99c
Opcode Fuzzy Hash: 41b82688e02f8fb8f1b731a7e738cbbbcd224a33ad283b5fea701968f5bb5d8c
Instruction Fuzzy Hash: DC818B70E042188FDB10DFA5C844BEEBBF9BF48314F15846AE815AB350DBB4A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031293E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0312962E

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 37911d3510843e1fab96891f0a95b7fa5f8d554aeb8085ce369feca919fd8829
Instruction ID: 2502e97fed46e30c919bf42849fd7cecf6cde086781f902e6d4f9b5e7e019dae
Opcode Fuzzy Hash: 37911d3510843e1fab96891f0a95b7fa5f8d554aeb8085ce369feca919fd8829
Instruction Fuzzy Hash: AD7143B0A00B158FD724DF2AD54075ABBF5FF88204F04896EE48ADBA40DB74E865CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0312FB81, Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0312FD0A

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a93c218028ea01f96789d38180ae8a210c52d01d7626f53409ed498004782e7a
Instruction ID: 21c1458eaca77a4deaea27e5a92b810b0b78cbea98c518d5c4e67b66f4e647fe
Opcode Fuzzy Hash: a93c218028ea01f96789d38180ae8a210c52d01d7626f53409ed498004782e7a
Instruction Fuzzy Hash: 8D611471C04259AFCF05CFA9D880ACEBFB5FF49310F19816AE818AB221D7759855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 057BE179, Relevance: 1.6, APIs: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 057BE289

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 815b754ea3397b4e630cb526c1c4e0302cc9d210a737e46a8c833518b0570ca5
Instruction ID: f5343aea886c6e5e84103516420bec1f43631a78a1234d85e34e239ce1a66a22
Opcode Fuzzy Hash: 815b754ea3397b4e630cb526c1c4e0302cc9d210a737e46a8c833518b0570ca5
Instruction Fuzzy Hash: 63518970D002588FEF11DFA4C844BEDBBBABF48304F15856AE815AB390DBB49845DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0312FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0312FD0A

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e462ac3148f7a9b0852a1e7a2952ff342f70959364340b7548237b4bfd02608e
Instruction ID: bbd1ba97752d5388b08fd7325983f929d60a2724b0a47389680059d2f2d6a740
Opcode Fuzzy Hash: e462ac3148f7a9b0852a1e7a2952ff342f70959364340b7548237b4bfd02608e
Instruction Fuzzy Hash: FD41B0B1D003199FDB14CFA9D884ADEFFB5BF88314F24812AE819AB210D775A955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 057B45F4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 057B46B1

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9fd1281d3512919bc770397a3a6f7b18bbeef9134265dcd170894bc235a18b1f
Instruction ID: be587197aaa5f739aa64135d0f6afda77b3fd3b1c1f1f18193ed57ac599864e2
Opcode Fuzzy Hash: 9fd1281d3512919bc770397a3a6f7b18bbeef9134265dcd170894bc235a18b1f
Instruction Fuzzy Hash: 3D41F3B1C00618CFDB24DFA5C844BCEBBB6FF49304F208069D509AB251DBB55946DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 057B3474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 057B46B1

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f9b3147846e5e28cf641fdde41965bd6a231cd7aca470b8f2398e37b948efa1d
Instruction ID: b511af5441605ee11becb8fd0b077101bda45fe2aa82ba60c14644e3a8ef70cb
Opcode Fuzzy Hash: f9b3147846e5e28cf641fdde41965bd6a231cd7aca470b8f2398e37b948efa1d
Instruction Fuzzy Hash: D741D2B1C04618CFDF24DFA9C8847DDBBB6BF49308F208069D509AB251DBB55946DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 057B2470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 057B2531

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 166a1d8177d73a06fe6cdfafbc290bb005379b3e83e6994c2b8aa769d632fc73
Instruction ID: 9eeb392219fcb6b5f5ccccc6cfac5684b506261d231b1212a4cd7f63f1c3c548
Opcode Fuzzy Hash: 166a1d8177d73a06fe6cdfafbc290bb005379b3e83e6994c2b8aa769d632fc73
Instruction Fuzzy Hash: 00414CB89003058FDB14CF9AD848BAABBF6FF88314F24C499D5196B321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 057BB898, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: de3c2a65f9fab5a5588981e95cb6f29ee41f74e5ee9313aa117af456380e5c7a
Instruction ID: c9d5a12a8e912ce64e6a19c1e7e620ff67fa8fd0674668b871ac85c496e5b570
Opcode Fuzzy Hash: de3c2a65f9fab5a5588981e95cb6f29ee41f74e5ee9313aa117af456380e5c7a
Instruction Fuzzy Hash: 16318B729042499FCB119FA9D844ADEBFF8EF09210F04806AE954A7221C3759950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312BCF9, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0312BD87

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9cc7c46ce39d0eef2b9f0914ea6254777c450f2a6ef30c5b647c326b9a060a62
Instruction ID: 1c587238d672e228d2f712557e091d2a722c39d53bbe95343d4c8f9c5eef42cb
Opcode Fuzzy Hash: 9cc7c46ce39d0eef2b9f0914ea6254777c450f2a6ef30c5b647c326b9a060a62
Instruction Fuzzy Hash: BD2105B5900258AFCB10CFA9D884ADEFFF8EB48324F14805AE914A7311D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0312BD87

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c173c2178dae0c3d1d0f03b761c78e796abf4be380b9e8caefbd8bec3105363
Instruction ID: 1e87580785c7b00459452c1489c36e74c94ce2256a09511c0f9dfda3dd5c016d
Opcode Fuzzy Hash: 7c173c2178dae0c3d1d0f03b761c78e796abf4be380b9e8caefbd8bec3105363
Instruction Fuzzy Hash: EF21E6B59002189FDB10CF99D884ADEFFF4EB48324F14801AE914A3310C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03129849, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031296A9,00000800,00000000,00000000), ref: 031298BA

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d9887c2891fb247297f79c2ae4acc5b8159dda073dc19a2bdcd24216acd1a6e
Instruction ID: f3844804a66dbab73d31de5cb8e46dcfcce9c145d7d60bd322319b5ada2a5da6
Opcode Fuzzy Hash: 3d9887c2891fb247297f79c2ae4acc5b8159dda073dc19a2bdcd24216acd1a6e
Instruction Fuzzy Hash: D41114B2C002199FDB10CFAAD444BDEFBF8AB48320F19842EE919B7600C375A555CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057BA504, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,057BB8B2,?,?,?,?,?), ref: 057BB957

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f8e9b6a4c0670164a3961c19278876da1aab8a8fd2800ceb4d06c6ecfca0d022
Instruction ID: 80c3c24628ebf84dbd64a2bf5cf9bb25673f07d2583f7c496d58b04442d11a5b
Opcode Fuzzy Hash: f8e9b6a4c0670164a3961c19278876da1aab8a8fd2800ceb4d06c6ecfca0d022
Instruction Fuzzy Hash: CF1126B1800249DFDB10DFAAD844BDEBBF8EF48360F14841AE955B7210C379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03128768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031296A9,00000800,00000000,00000000), ref: 031298BA

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe5a3a2932126b72d02783186ba65ecbf780119c83bd92a5757c8b46f8a47063
Instruction ID: 227a17d640a2610ba313c2cc2841883ef63d717d10615b75fa534522319b10fc
Opcode Fuzzy Hash: fe5a3a2932126b72d02783186ba65ecbf780119c83bd92a5757c8b46f8a47063
Instruction Fuzzy Hash: B31103B6D002199FDB20CF9AD444BDEFBF4EB48320F19842AE915B7600C379A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057B32D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,018653E8,00000000,?), ref: 057BE73D

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 38be608606fdcd6dc2a8c13db08af908677f3196dd30aadb6a5fc0cd26945c5c
Instruction ID: d0de871dd5b72a2e8342b11d7c65bf8af913f420d3c2b6a75a8300b19d9b4cba
Opcode Fuzzy Hash: 38be608606fdcd6dc2a8c13db08af908677f3196dd30aadb6a5fc0cd26945c5c
Instruction Fuzzy Hash: 371128B58003099FDB20CF9AD845BEEBBF8EB48324F148459E955A3341D378A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057BE6D8, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,018653E8,00000000,?), ref: 057BE73D

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bd2f1c6b53d20c608baf5fa93a0d63da2bd6fd8a38e8236f1a0d8b08bde5dc61
Instruction ID: d8913388f416c6552449b4078ce475f80f2226fe2a6eb3daf541b64e62fbbac9
Opcode Fuzzy Hash: bd2f1c6b53d20c608baf5fa93a0d63da2bd6fd8a38e8236f1a0d8b08bde5dc61
Instruction Fuzzy Hash: 1A1116B58003099FDB10CF99D885BEEBBF8FB48324F14845AE914A3310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312FE38, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0312FE9D

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8998afd1bd2acf929620b1a831766f48bff82e0577d6ca3de7e9376e54282731
Instruction ID: 2827d17ef6ec619fac371a2b0ecbe4781c44728a12b1a37b38e32f00ad339bae
Opcode Fuzzy Hash: 8998afd1bd2acf929620b1a831766f48bff82e0577d6ca3de7e9376e54282731
Instruction Fuzzy Hash: EB1113B58002189FDB20CF99D484BDEBBF8EB48324F11845AE815B7201C379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031295C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0312962E

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ee34992de32ecfe23038736d0ccd04cfa3b5d510869262cff31484dd2e05091d
Instruction ID: c7bb4d1a86bf67a733c535a888affc0709f2cd10f6c80a07b98a7e0f2097cda3
Opcode Fuzzy Hash: ee34992de32ecfe23038736d0ccd04cfa3b5d510869262cff31484dd2e05091d
Instruction Fuzzy Hash: FB11DFB6C006598FCB20CF9AD844BDEFBF4AF88224F14846AD419B7610C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057BA548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 057BBCBD

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8251fcd6979e6633179ac7d73f9859c68b731cc9561b12667de99aa2245f10b7
Instruction ID: 4a79323ddbafa64570cae5ab2230fc3e42b4fb3dd06fce108eaa8e44c5a7aff2
Opcode Fuzzy Hash: 8251fcd6979e6633179ac7d73f9859c68b731cc9561b12667de99aa2245f10b7
Instruction Fuzzy Hash: 4211F2B58003499FDB20DF9AD985BDEBBF8EB48320F108459E919A7300C7B5A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057B1540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,057B226A,?,00000000,?), ref: 057BC435

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d6220affd3314ad79d74c2cf8fb3c3b639df56e9d08aebeb51b7a177a9ac1d99
Instruction ID: b9177fe78ae54b2e46830eee7534f45f61af2e08485529c8193ce1111a103eaf
Opcode Fuzzy Hash: d6220affd3314ad79d74c2cf8fb3c3b639df56e9d08aebeb51b7a177a9ac1d99
Instruction Fuzzy Hash: 0F1103B58003499FDB20DF9AD885BEEBFF8EB48324F108459E515A7600C3B5A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 057B50D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 057BD29D

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d5c940acaadde66e1bc3f23ae9e32c97d774c271d8495f1911a6fbe016135809
Instruction ID: d93e234eddac373d762d0ed6a93495eccb77720e69a972c5571c1b300e74fc5f
Opcode Fuzzy Hash: d5c940acaadde66e1bc3f23ae9e32c97d774c271d8495f1911a6fbe016135809
Instruction Fuzzy Hash: B01106B58007499FDB20DF9AD944BDEBBF8EB48320F108459E915B7300C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057BD238, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 057BD29D

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 06c0a96db97a0aa3dd1e0a9a529a9c1f88d4b866c938fd3f3ba949adbcc604b3
Instruction ID: 45365e448717b9fe6ef7ba35f457efc8fe31783c25318625c24a9154ddc83514
Opcode Fuzzy Hash: 06c0a96db97a0aa3dd1e0a9a529a9c1f88d4b866c938fd3f3ba949adbcc604b3
Instruction Fuzzy Hash: B411F5B58003499FDB20DF99D885BDEBFF8FB48320F108419E515A7640C3B9A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057BC3D0, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,057B226A,?,00000000,?), ref: 057BC435

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d5290422016c41689210a46b1bded2261e3fe38c58ac1bf398895404c729099
Instruction ID: 354a786af9d278c787d4d2f7cd6aee8436addb3333f5bf6bfedb7638776ccd75
Opcode Fuzzy Hash: 6d5290422016c41689210a46b1bded2261e3fe38c58ac1bf398895404c729099
Instruction Fuzzy Hash: 7311C2B58003499FDB20DF9AD885BEEBFF8EB48324F14845AE555A7600C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057BDC60, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 057BF435

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 445f13390b2c9b90e242e5b742642794ad980fa43b36e55d89efc7a23bc27213
Instruction ID: fea35677c9eb498d7febf5d491d2a9b29b21af06349d60a766d012eeba0053b4
Opcode Fuzzy Hash: 445f13390b2c9b90e242e5b742642794ad980fa43b36e55d89efc7a23bc27213
Instruction Fuzzy Hash: 311103B19042489FDB20DF99D844BDEBBF4EB48364F148459E559B7200C3B8A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057BBC59, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 057BBCBD

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3dacc1941e2f6a4debe0cf6ffdaac14c53fd1456ff11f5dc1fbbeee986d39424
Instruction ID: 27efa19be212119e7f0aedebc0c949698f931fb94fe6e37046bd3bb8ca3c7e5b
Opcode Fuzzy Hash: 3dacc1941e2f6a4debe0cf6ffdaac14c53fd1456ff11f5dc1fbbeee986d39424
Instruction Fuzzy Hash: 1311F2B58002499FDB20DF99D984BDEBBF8EB48320F248459E919A7200C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0312FE9D

Memory Dump Source

Source File: 0000000C.00000002.475685262.0000000003120000.00000040.00000001.sdmp, Offset: 03120000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bc1970d4f749d031e34456b50cbcb3c30a61eb61391465ab3cd0c70f1136de3c
Instruction ID: 3cc9f9c0ce304d76331a4bf99ac466202291a5b42046a924e9246854c9672c8c
Opcode Fuzzy Hash: bc1970d4f749d031e34456b50cbcb3c30a61eb61391465ab3cd0c70f1136de3c
Instruction Fuzzy Hash: 6B1103B58002099FDB20DF99D585BDEFBF8EB48324F14845AE915A7301C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 057BF3D8, Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 057BF435

Memory Dump Source

Source File: 0000000C.00000002.483105399.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 122984cec77169ae3e8a322ea53b9ae3e157d913ae31c71492c914d8df83b2e0
Instruction ID: 0baab78a8d274d0e756b22464f58574798c45dc9a46166bb80da27406d69670a
Opcode Fuzzy Hash: 122984cec77169ae3e8a322ea53b9ae3e157d913ae31c71492c914d8df83b2e0
Instruction Fuzzy Hash: 0B1115B5800208CFCB10DFA9D544BDEBFF4AF48324F248469D519B7640C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016FD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474421465.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba26a0ae685efafbde062dad319b88f7f36a8955f0118448d1f1181da641583b
Instruction ID: a3b8fb4450d3d311e8df09d092e980c54923f13cd5c6121056ac4e035677869c
Opcode Fuzzy Hash: ba26a0ae685efafbde062dad319b88f7f36a8955f0118448d1f1181da641583b
Instruction Fuzzy Hash: 2B2128B1504240DFDB11DF98DCC4B66BF65FB84328F24C56DEA054B246C336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 016FD3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474421465.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b989c6eefcf109b6f2e7cf00d4888882eb862459d8c967caa0bc3310dcf851bd
Instruction ID: 2236ba6c7b43de3ebd9544d9bdba3af7107711395bcf8e1072813c736f99505a
Opcode Fuzzy Hash: b989c6eefcf109b6f2e7cf00d4888882eb862459d8c967caa0bc3310dcf851bd
Instruction Fuzzy Hash: 252103B2504240DFDB11DF94DCC0BA6BB65FB84324F24C5ADEA094B246C336F846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0170D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474557870.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f8302cd9eed37e230a5d25071dbf9f93a93423eaa154ad592c97d5c12d82be
Instruction ID: c11bf30dbd0e8782d6a2c789fbe776914c207db0a16dc2ca00ddcd87bc1d248a
Opcode Fuzzy Hash: c4f8302cd9eed37e230a5d25071dbf9f93a93423eaa154ad592c97d5c12d82be
Instruction Fuzzy Hash: BC2103B1604300DFDB22DFD4D8C0B16FBA5FB84354F24C5A9E80D4B286C336D806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 016FD3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474421465.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 1890fadc703dfd566c0b2493b3852c52df91433cb50464d279857904ac2275f2
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: 7F11DF72404280CFCB02CF54D9C0B56BF71FB84324F24C6ADD9090B616C336E45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 016FD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474421465.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 87a07d8803968fe4fa58829fb187a45acb4f93e3e4605c6bb439f6f2bcf98aee
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: 4D11AFB6804280DFDB12CF58D9C4B16BF61FB84324F24C6ADD9050B617C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0170D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.474557870.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: 00cc205adf12496f14ee1da6eed26aee665cd7fab283bb284ef3aa9a27ef76fa
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: 3B118E75504380DFDB12CF54D5D4B15FBA1FB44324F24C6A9D8494B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: 7lQnHeq3XF.exe PID: 3088 Parent PID: 528 7lQnHeq3XF.exeCOMMON

Executed Functions

Function 0557FCD8, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.400530666.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7148c6143cd0bc4f7ecb260321b23db539926fda8c04cd64012d0e320da4a72a
Instruction ID: e8579c38434f84fef9a0f4d718c789de9d72ac2becff2c15b635ff0997c546d6
Opcode Fuzzy Hash: 7148c6143cd0bc4f7ecb260321b23db539926fda8c04cd64012d0e320da4a72a
Instruction Fuzzy Hash: F571C474E1120A9FCB44DFE6D8545EEBBB2FF89310F10842AD916AB394DB305A42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0291FBEA, Relevance: 1.7, APIs: 1, Instructions: 238COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0291FE0A

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 21df0141b4c940ca2cafcc89b935687d793c5036a0a1501c3fbde93b107d9354
Instruction ID: 994291f81d781f43bcafb9f70c6ce0d11c1cd229d13c2eb75e9cfca7c1f1e336
Opcode Fuzzy Hash: 21df0141b4c940ca2cafcc89b935687d793c5036a0a1501c3fbde93b107d9354
Instruction Fuzzy Hash: 60818EB1C053889FDB02CFA5C8909CDBFB5FF49304F2981AAE455AB262D3349946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A4289C, Relevance: 1.6, APIs: 1, Instructions: 146processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02A429FB

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c31b51ba59efb8906fda6076e239dd7dabe5ced2ce4ceb45f35052e6201ddc26
Instruction ID: d73642ae068ab058cd5bfbfd1edd9eb7d92cb12164093aea7132de5bc2e22fc2
Opcode Fuzzy Hash: c31b51ba59efb8906fda6076e239dd7dabe5ced2ce4ceb45f35052e6201ddc26
Instruction Fuzzy Hash: 16510671900319DFDB60DF95C880BDEBBB1BF88314F1585AAE948B7250CB359A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A428A8, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02A429FB

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 53487e3311c314a3d476915a71548dfd92d68410c087ea99b183d76c45ddb81b
Instruction ID: d2c6ff9afaaa87020f5d083ced55a6c54c4d9fe75fc459299f032dfe3ddef874
Opcode Fuzzy Hash: 53487e3311c314a3d476915a71548dfd92d68410c087ea99b183d76c45ddb81b
Instruction Fuzzy Hash: 6351F571900319DFDB60DF95C880BDEBBB1BF88314F1581AAE948A7210DB359A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0291DDB0, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0291FE0A

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6dfc9d70cd6c524272f64f7bb875fef7e7fbf98df73e67cf352ee1a75bf86286
Instruction ID: 8c59d25624f6984c5e8f4c3750ad7c1e41252f1c4fcc8fd85837358819e861d6
Opcode Fuzzy Hash: 6dfc9d70cd6c524272f64f7bb875fef7e7fbf98df73e67cf352ee1a75bf86286
Instruction Fuzzy Hash: 2651FFB1D0030D9FDB14CFAAC890ADEBFB5BF48314F24856AE819AB211D770A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0291DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0291FE0A

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b7589ba8ebadc7247651086274b5940bd14c9b325c09cb0aef577e36ca9ef39a
Instruction ID: 28c3833de18cca658cb2018e3b1b58a43d9c630bbe9860147dbc54c0c9da3aa1
Opcode Fuzzy Hash: b7589ba8ebadc7247651086274b5940bd14c9b325c09cb0aef577e36ca9ef39a
Instruction Fuzzy Hash: 4151AFB1D0070D9FDB14CF9AC884ADEBBB5FF88314F24852AE819AB251D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02913DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02915421

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: efacdc12a381ca29c9d2150184cbf8f460beb2a6bea732c5c2597f847a6d0b12
Instruction ID: ebbf4dc8a2f0faf142f00da2d4ba4af2541797a58c1d558aa1c11ce421820437
Opcode Fuzzy Hash: efacdc12a381ca29c9d2150184cbf8f460beb2a6bea732c5c2597f847a6d0b12
Instruction Fuzzy Hash: 1A41F170C0061CCBEB24DFAAC844B9EBBB5FF88308F618069D409BB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0291536C, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02915421

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 174a998458c6d59c452c499d20ed598255618305e92b0f1046eb143608ae1d3c
Instruction ID: 0cd0166e1d416ea8f01a3360df3d0d8d77d113f76ac015e4e15580485135ad33
Opcode Fuzzy Hash: 174a998458c6d59c452c499d20ed598255618305e92b0f1046eb143608ae1d3c
Instruction Fuzzy Hash: 0D41E1B1C0061CCFDB24DFAAC88479DBBB5BF88309F618069D419BB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0291FF01, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0291FF28,?,?,?,?), ref: 0291FF9D

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a50edb14142312f2c0da48ba5e78426441c1b8dfc475f21d07ddfd35a96d9ae5
Instruction ID: d976960bcfb134893a91fd390c2c9f616c436c7a758cc7e094a23dca62d15065
Opcode Fuzzy Hash: a50edb14142312f2c0da48ba5e78426441c1b8dfc475f21d07ddfd35a96d9ae5
Instruction Fuzzy Hash: BB21A6B5804248DFCB11DFA9E988ACEBFF4EF49314F18849AE455A7252C374A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A42F61, Relevance: 1.6, APIs: 1, Instructions: 67injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02A42FF5

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81d8b3c0e03ef54eebdeec94b9f8a26e03b0feec9da7623ea9e917ef8d1d26ab
Instruction ID: b85a6e463e92e9776e7af84aee3847c4de136a3b4ed401e9f165eb8671c94df4
Opcode Fuzzy Hash: 81d8b3c0e03ef54eebdeec94b9f8a26e03b0feec9da7623ea9e917ef8d1d26ab
Instruction Fuzzy Hash: 8A2105B19002499FCB10CF9AD885BDEBBF4FB48314F10852AE919A3640D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02919800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0291B87E,?,?,?,?,?), ref: 0291B93F

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a0d43db23873a8322ce36a0ebc2f55369d6373af4e68ca3d324fee4bb6a1aebc
Instruction ID: 780e0cba13fb0bd7f729766ae1c67bca84f9f303ce0484cb87ed367c74c50529
Opcode Fuzzy Hash: a0d43db23873a8322ce36a0ebc2f55369d6373af4e68ca3d324fee4bb6a1aebc
Instruction Fuzzy Hash: 1221E5B5900209AFDB10CFAAD984ADEFBF9EB48324F14845AE915A3310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A42F68, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02A42FF5

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0964321dcf8362a3d6fb9f4db82cb5594d4b15bce83dc89b326b9ba759ad6958
Instruction ID: ece5b560d4961825bb6f43329a8e65a9157b1c7c0b391c27d7265047eb889604
Opcode Fuzzy Hash: 0964321dcf8362a3d6fb9f4db82cb5594d4b15bce83dc89b326b9ba759ad6958
Instruction Fuzzy Hash: 2D21E4B1900249DFCB10CF9AD885BDEFBF4FB88314F50852AE919A3640D774A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0291B8B0, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0291B87E,?,?,?,?,?), ref: 0291B93F

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 175b6d485905482fafc575dab083df9f65fb27f91ca91b455e3f1c82ad4ac5a0
Instruction ID: f5c5126cf74bb75b29e70efeba306081f25d4e41d595287ee34222f181d34151
Opcode Fuzzy Hash: 175b6d485905482fafc575dab083df9f65fb27f91ca91b455e3f1c82ad4ac5a0
Instruction Fuzzy Hash: 512100B59002499FDB10CFAAD584ADEBBF9EB48324F14845AE954A3311C338A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A42CD1, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02A42D57

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5ffbcecc4a2844f89b4f50c6b7432e09db9d6ef2c0ee8c0c2c1d3c4ed3bf7dc7
Instruction ID: 47264db700ab6c114c7a082f4501808daddf02e93025ede7dc859cdbdbd90378
Opcode Fuzzy Hash: 5ffbcecc4a2844f89b4f50c6b7432e09db9d6ef2c0ee8c0c2c1d3c4ed3bf7dc7
Instruction Fuzzy Hash: 1A21F3B69003099FCB10CF9AD885BDEFBF4FB48320F10842AE928A3210D774A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A42C12, Relevance: 1.6, APIs: 1, Instructions: 60threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02A42C8F

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 61e7c18721bf01b98a2a9193b8253fd32c039a7488ddbb539f7148fe2910cc51
Instruction ID: 11c7a566b0dbfaf2b3b4cb79d8a31496439068fbc53d9f6ce9cb114a941d163e
Opcode Fuzzy Hash: 61e7c18721bf01b98a2a9193b8253fd32c039a7488ddbb539f7148fe2910cc51
Instruction Fuzzy Hash: E321F7B1D006199FCB10CF9AC9857DEFBF4FB48224F158169E818A3340D774A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A42CD8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02A42D57

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7b3c76a04a5d09da5431c83f068bcd03ce3c37213f364e4c3a37261aa2e37b3c
Instruction ID: 83e538c279c1388fad2c452c99bc280be25d55d9e1d1bce0c70975b22aa48c78
Opcode Fuzzy Hash: 7b3c76a04a5d09da5431c83f068bcd03ce3c37213f364e4c3a37261aa2e37b3c
Instruction Fuzzy Hash: B021E2B59003499FCB10CF9AD884BDEFBF4FB48320F10842AE928A3250D774A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A42C18, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02A42C8F

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c8f86b02d6275518f0c1475fbf233150db711acd3161b22d3e811f555428e0c6
Instruction ID: 6cf2d57646caddc6be371bbed8383c0a6e5fac6f2ebc83f277142caa5b50c681
Opcode Fuzzy Hash: c8f86b02d6275518f0c1475fbf233150db711acd3161b22d3e811f555428e0c6
Instruction Fuzzy Hash: F8211AB1D006199FCB10CF9AC9857DEFBF4FB48224F158169E818A3340D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02919AF0, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02919951,00000800,00000000,00000000), ref: 02919B62

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a3fe0d094e96ec939a5a23dd7999e0d15d334ebad0db27233dd4f44354658639
Instruction ID: 774cb9e64b606b75930d5d7f79d4ca42067b21f192928d7d67c1c644129234b6
Opcode Fuzzy Hash: a3fe0d094e96ec939a5a23dd7999e0d15d334ebad0db27233dd4f44354658639
Instruction Fuzzy Hash: AF1114B2D002099FDB20CF9AD484BDEFBF9EB88324F14842EE419A7640C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02919478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02919951,00000800,00000000,00000000), ref: 02919B62

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 487d3c5ca1a27a9018f5c383c28d321858b9490a70cfd4418ab331079cb30728
Instruction ID: 67e0aab484a9b7b97e6f1e13299a31128236a2cdd6a1786bfcac694350dd2240
Opcode Fuzzy Hash: 487d3c5ca1a27a9018f5c383c28d321858b9490a70cfd4418ab331079cb30728
Instruction Fuzzy Hash: 831103B29003099FDB20DF9AD444BDEFBF9EB48324F14842EE416A7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A42DA0, Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02A42E13

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 72fc37c6981ab1f60419fff5680e21ac365a89293d0666852526764d0cd21cce
Instruction ID: ed03f1ebb0d023e34f3d4bfb106f5ab3a401662ad2cc5fed79d77eaf76f14055
Opcode Fuzzy Hash: 72fc37c6981ab1f60419fff5680e21ac365a89293d0666852526764d0cd21cce
Instruction Fuzzy Hash: E41104B5900249AFCB20DF9AD885BDFBFF4EF88324F148419E529A7210C735A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02919869, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 029198D6

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6f03b7c79109366c281c6dde99fc5f0aafc2d43248d587cbaabdfc77d3959213
Instruction ID: eda63c95add90d0d121b1235f21cccc052d4d5f5f35bcdfe3c77039287d2d8ff
Opcode Fuzzy Hash: 6f03b7c79109366c281c6dde99fc5f0aafc2d43248d587cbaabdfc77d3959213
Instruction Fuzzy Hash: 9B11F3B6C006098FDB20DF9AD444BDEFBF8EB88224F14845AD429A7200C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A42DA8, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02A42E13

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9dae51dbec0c3a7f970786e91f76a917c3bef2deaadbbcdd3423d3e15eba5c5d
Instruction ID: bdef8602863f8d281e19f98f625013034168153524271f8fe744b6f4b1241864
Opcode Fuzzy Hash: 9dae51dbec0c3a7f970786e91f76a917c3bef2deaadbbcdd3423d3e15eba5c5d
Instruction Fuzzy Hash: DE1113B59002499FCB20DF9AD884BDEBFF4FB88324F108419E929A7210C735A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02919870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 029198D6

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5911087278b086e1d12d0c2df64b3e39f6e1e9195cda24f0134f14986825ca31
Instruction ID: da6edf31b4aa20423b75661ad850ae61aea95b5ee222f4bf69e1e34214310a78
Opcode Fuzzy Hash: 5911087278b086e1d12d0c2df64b3e39f6e1e9195cda24f0134f14986825ca31
Instruction Fuzzy Hash: E811D2B5D006498FDB20DF9AD444ADEFBF8EB89324F14846AD419A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0291DE04, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0291FF28,?,?,?,?), ref: 0291FF9D

Memory Dump Source

Source File: 00000010.00000002.394929993.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 59a7196524e11ceab949d4c7ec0b866c95368e2135b191519aad5777a465f718
Instruction ID: cdc5bc731bf9e5f392088526377034eec72d44da295c61fb6707df5b8021fcc4
Opcode Fuzzy Hash: 59a7196524e11ceab949d4c7ec0b866c95368e2135b191519aad5777a465f718
Instruction Fuzzy Hash: 5611F5B59003099FDB20DF9AD584BDEFBF8EB49324F108459E915A7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A4398A, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02A439ED

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eb47bcd56bfba864a6d32919e1bddb42da83e122d4a76867baabac4e5f29800b
Instruction ID: b5ced18456f05e5e10ad28028e1666b7dae9170221ba862dc6ad7281a8fec4b9
Opcode Fuzzy Hash: eb47bcd56bfba864a6d32919e1bddb42da83e122d4a76867baabac4e5f29800b
Instruction Fuzzy Hash: F411FEB58002499FCB20DF9AD885BDFFBF8EB48324F24845AE855A3200C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A43118, Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02A4317F

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6f6eb216d09c8c2e0846aa60d75b1f77112a47619728fef92bec6671e7f58633
Instruction ID: 1fb1889f96a15d72740e623a14b5deaa8de48cb87ddc7bef7d191ab92518597a
Opcode Fuzzy Hash: 6f6eb216d09c8c2e0846aa60d75b1f77112a47619728fef92bec6671e7f58633
Instruction Fuzzy Hash: D111F2B19002099FCB20DF9AD885BDEFBF8EF48224F24845AD529A7240D775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A43990, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02A439ED

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 01570f43741b34fd90bcca43e187d86a09635f8f208f53686dd729ea57628da6
Instruction ID: a274c16010e79d37fe6e297fb2dabe0a8af7390024094ca31d72d6b5edeb55db
Opcode Fuzzy Hash: 01570f43741b34fd90bcca43e187d86a09635f8f208f53686dd729ea57628da6
Instruction Fuzzy Hash: 7A1112B58003499FCB20DF9AD885BDEFBF8FB48324F20845AE815A3200C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A43120, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02A4317F

Memory Dump Source

Source File: 00000010.00000002.394996024.0000000002A40000.00000040.00000001.sdmp, Offset: 02A40000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a068d19f3d41d64c940f2a0ecec03875133b6d5cdd9797f4916525655b4a2373
Instruction ID: 98231bbdece44c7ee98e3c7e53ff40d96678d38a5897e1cacc0107d7b74c6f7f
Opcode Fuzzy Hash: a068d19f3d41d64c940f2a0ecec03875133b6d5cdd9797f4916525655b4a2373
Instruction Fuzzy Hash: B111E5B1D006498FCB20DF9AD984BDEFBF4EB48324F248459D529A7240C775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d629552fd20cf56c6bb4469e778b4fce7e46ef20ba1f89a6429751feb474d787
Instruction ID: 87a1dfe0d40d0e8319b7fb6ff2081c071eb90433d2303f6ad74f8732b1ae3fb6
Opcode Fuzzy Hash: d629552fd20cf56c6bb4469e778b4fce7e46ef20ba1f89a6429751feb474d787
Instruction Fuzzy Hash: B12106B2504241DFDB18DF50DAC1F2ABB65FB94324F2485BDEA094B246C336E846E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52ed0f6adeeda033b8c4e0d8b806062050b14792cdfdd238431b1b298e8d752
Instruction ID: 0a6bd35b3079c31094d320fc408231f55bb0a85d35bc889868c1e3ca8ce58bb4
Opcode Fuzzy Hash: c52ed0f6adeeda033b8c4e0d8b806062050b14792cdfdd238431b1b298e8d752
Instruction Fuzzy Hash: 10212872904241DFCB15DF54DAC1F2ABF65FB84328F28897DE9054B246C336D846E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0288D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394814169.000000000288D000.00000040.00000001.sdmp, Offset: 0288D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859127a35815b4717eacfda44fe627953cf7972063ffffb8a19bf31ec6951665
Instruction ID: 4e08fa1c7531a363eb87c23819ecce7e18c0b6672f372283ba48e4ea98f34c35
Opcode Fuzzy Hash: 859127a35815b4717eacfda44fe627953cf7972063ffffb8a19bf31ec6951665
Instruction Fuzzy Hash: 0421F57D504244DFDB14EF64D9C0B16BB65FB84318F24C5A9E80A8B286C73AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0288D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394814169.000000000288D000.00000040.00000001.sdmp, Offset: 0288D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009e600614639cb5a3ffc325331de055014a2db16bd8188b06f51106e0842d52
Instruction ID: c3f25ea97d5d8cd620c121855c0ea1c033dc68626bc9f559fa9d114107c2f032
Opcode Fuzzy Hash: 009e600614639cb5a3ffc325331de055014a2db16bd8188b06f51106e0842d52
Instruction Fuzzy Hash: 1621F57D504204DFDB11EF64D9C0B26BB65FB84318F24C6A9E8098B286C336E846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0288D007, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394814169.000000000288D000.00000040.00000001.sdmp, Offset: 0288D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d29ccbafa6bd7f5b68221d64bf9639f1636500f09e2206ff053f214c59a2d50
Instruction ID: 45928b22a2dfa271ea3f05992940ec4ffc598d3846d8385e884c1cbdaba746b1
Opcode Fuzzy Hash: 6d29ccbafa6bd7f5b68221d64bf9639f1636500f09e2206ff053f214c59a2d50
Instruction Fuzzy Hash: 642192795093C08FCB02CF24D990B15BF71EB46214F28C5DAD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 401b14a223819f2df50cbb2f23791f95e7cbd8b14154d8bd7cd1860bd938dad3
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: DB11AF76804280CFCB15CF14DAC4B1ABF71FB84324F2886ADD8490B656C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 8f52208a836b3d8c5cd0853583c80127a8cde0f6d7db0d58956beb63ef9da975
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: E611AF76804281DFCB15CF14DAC4B1ABF71FB94324F2486ADD9094B616C33AE85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0557FA28, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.400530666.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dae0d4d096110440d03a6d617e1881128552f9d1988d9d13ddea2ef3721f242
Instruction ID: 8353db697ad17c6b3e91995fadd86d3024327017629261bc7cfa1e09c464b1c8
Opcode Fuzzy Hash: 1dae0d4d096110440d03a6d617e1881128552f9d1988d9d13ddea2ef3721f242
Instruction Fuzzy Hash: 48117C75E156189BCB04CFA6E8045EEFBBBBF89210F04943AD505B3214DB349841CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0288D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394814169.000000000288D000.00000040.00000001.sdmp, Offset: 0288D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: c924db83c84817c81eb99a39a7fb33de3e290f34b81427e6706348572f004fb2
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: FF119079504280DFCB11DF24D5C4B15FB71FB84314F24C6ADD8498B696C33AE44ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7dce286015391a7c089a03be07a6ce477e023a60b5b4077e9533bad1bc3072
Instruction ID: 545b04c2622467bb4201964adc3d57ecef1653bde9f11753126dfe1c0c905820
Opcode Fuzzy Hash: 4c7dce286015391a7c089a03be07a6ce477e023a60b5b4077e9533bad1bc3072
Instruction Fuzzy Hash: 8001F7728083419AE7205F15CEC5F6AFB9CEF41338F18856EED185B246D3799844EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.394747674.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973e800068aba8fe2d2e68a6344ce4e117c596998152414611ca687654e6df35
Instruction ID: 0feff1fe071d2e8cc6dd1d2da577b8cf451cbecaf7b53e6b7f0d2609b5ebbc68
Opcode Fuzzy Hash: 973e800068aba8fe2d2e68a6344ce4e117c596998152414611ca687654e6df35
Instruction Fuzzy Hash: 3BF0C271404244AEEB108E15DDC4B66FB98EF41334F18C05EED080B286C3799C44DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0557FBB0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.400530666.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ab48ee32235cdd8a401652242200e7c71d9c595837694ba6a4dbe2a16a25f9
Instruction ID: 4ae5c3552d60f9fec79f4ac001591e03561607088a450d0bef52f836d8776454
Opcode Fuzzy Hash: 32ab48ee32235cdd8a401652242200e7c71d9c595837694ba6a4dbe2a16a25f9
Instruction Fuzzy Hash: 7BE0E270E4120CAFCB80EFE9E51579DBBF4AB04308F1080EA8828E3340EB345A45CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: 7lQnHeq3XF.exe PID: 576 Parent PID: 3088 7lQnHeq3XF.exeCOMMON

Executed Functions

Function 02A993E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A9962E

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51d95953ad85a9aee77820d9a289f54a50f39d3c590c6c4b9917bffc33a1bea5
Instruction ID: bb0bff29f4a7ef50405e972983dcf44f2fc8992482f22dcb2e19935489016786
Opcode Fuzzy Hash: 51d95953ad85a9aee77820d9a289f54a50f39d3c590c6c4b9917bffc33a1bea5
Instruction Fuzzy Hash: 40714770A00B069FDB24DF2AD58079BB7F1BF89214F00892DD586D7A40EB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A9FB81, Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FD0A

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f9b5c9ed9de74ec1d4664430f1915a96b0fcfcb21e5085c454c37c20148662e9
Instruction ID: 8774b87ef376c3599ac4e4a6079f0162b87ebcfcac43a53386d0bfe63082dfa4
Opcode Fuzzy Hash: f9b5c9ed9de74ec1d4664430f1915a96b0fcfcb21e5085c454c37c20148662e9
Instruction Fuzzy Hash: EF51D1B1D003099FDF14CFAAD984ADEBBB1FF88314F24816AE419AB610D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A9DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A9FD0A

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 15d701fe8f018ff91b2b3a9f76cf7e51b27715f81a5dd0e7b3860be4f2a4dab5
Instruction ID: efef84b1e3e909d8d87720b1490392e0242b0dad9663a00e32742daef93be73a
Opcode Fuzzy Hash: 15d701fe8f018ff91b2b3a9f76cf7e51b27715f81a5dd0e7b3860be4f2a4dab5
Instruction Fuzzy Hash: AF51A0B1D00309AFDF14CF9AD984ADEBBF5BF48314F24812AE819AB610D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A9A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9BCC6,?,?,?,?,?), ref: 02A9BD87

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c291c755e52e0776221f00c54f58f633f052d5db672ae19e8d113547b965e8b
Instruction ID: 1dc73eb1ebdb289bb1a93513feb8ccd7caafc850b868db8dac3ca68a6e0fba7b
Opcode Fuzzy Hash: 7c291c755e52e0776221f00c54f58f633f052d5db672ae19e8d113547b965e8b
Instruction Fuzzy Hash: C821E6B5900349AFDF10CF9AD984ADEFBF4EB48324F14845AE955A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A9BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9BCC6,?,?,?,?,?), ref: 02A9BD87

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e5f45eb1368710b4e50b22211279a21369b5016f27751b700dfa3b7404826714
Instruction ID: e078f01727faa5d228a1abf26ed4da10f325374ef827765666f8ba3c0e27268a
Opcode Fuzzy Hash: e5f45eb1368710b4e50b22211279a21369b5016f27751b700dfa3b7404826714
Instruction Fuzzy Hash: FC21D4B5900249AFDB10CFAAD984ADEBBF4EB48324F14845AE954A7310D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A98768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A996A9,00000800,00000000,00000000), ref: 02A998BA

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d79c861d2208600ff0d43aec62489e40fa5a7fcb7058d069031731ce8ccbb531
Instruction ID: aa4a268d72673037e4ea6d739c42ede7001e245f30edc1c7d34b30791f681a91
Opcode Fuzzy Hash: d79c861d2208600ff0d43aec62489e40fa5a7fcb7058d069031731ce8ccbb531
Instruction Fuzzy Hash: EA11F2B69002099FDF10CF9AD484A9EFBF4AB48324F14846EE519A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A99849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A996A9,00000800,00000000,00000000), ref: 02A998BA

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 028b693fa113032d2b61f30916c65f2aee0aab59ca1a8160402e6b3352f76c94
Instruction ID: a882f6aa1f6949ea13784ffb4deb30c84bd4a314a80ccd237c373870f0e7b19f
Opcode Fuzzy Hash: 028b693fa113032d2b61f30916c65f2aee0aab59ca1a8160402e6b3352f76c94
Instruction Fuzzy Hash: 2011E4B6D002099FDF10CF9AD984ADEFBF4EB48324F14846EE815A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A995C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A9962E

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0558312ce0d4d08e062260eecb409642266f1672874a33bc26bb79c705e2088
Instruction ID: b664fd35c00af751a04fbb4c02b9735a7735324e3240d504d45f0f0d0a02d88e
Opcode Fuzzy Hash: b0558312ce0d4d08e062260eecb409642266f1672874a33bc26bb79c705e2088
Instruction Fuzzy Hash: 6A1110B6C006499FCF20CF9AD884BDFFBF8AF88224F14846AD419A7600D774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A9DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02A9FE28,?,?,?,?), ref: 02A9FE9D

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4da7d90b4b0b9780147cd29e7a532128ca293b95708893df0b6b1d451d533037
Instruction ID: e3405c4c538e8ba0079791b06a7e96b013690c74aa55258ac657294423341580
Opcode Fuzzy Hash: 4da7d90b4b0b9780147cd29e7a532128ca293b95708893df0b6b1d451d533037
Instruction Fuzzy Hash: 3A1145B58002489FCB20DF9AD584BDFFBF8EB48324F10845AE919A3701C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A9FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02A9FE28,?,?,?,?), ref: 02A9FE9D

Memory Dump Source

Source File: 00000018.00000002.410285720.0000000002A90000.00000040.00000001.sdmp, Offset: 02A90000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ea37348b5a83f149dbc83c3b06cb57f9477d445b1170a0f4b8cb909273773198
Instruction ID: dfb6b1111d8dccfb8167143ca6071fd021e752c335c780af8113b5fed811aa9f
Opcode Fuzzy Hash: ea37348b5a83f149dbc83c3b06cb57f9477d445b1170a0f4b8cb909273773198
Instruction Fuzzy Hash: 2B1136B5800209DFDB20CF9AD585BDEFBF8EB48324F10845AE818A3701C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410009905.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8854a4a4055a36d50c864740bc1a259ce0efa49ce324c050a1f1debc552bab7
Instruction ID: 11ef42f22f65ec978d109026fdbdbc9f10ae7aa02a770d77c5e31b7c2fc40175
Opcode Fuzzy Hash: e8854a4a4055a36d50c864740bc1a259ce0efa49ce324c050a1f1debc552bab7
Instruction Fuzzy Hash: 692148B1584200DFDF11DF94D8D0B6ABFA5FB84328F2485A9E9450B206C336D845D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0109D3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410009905.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a323683b0be4fe274c4eabfffb7c86be086cbc526101e015dcc8094d1019714
Instruction ID: 74718272ac8581633f51924b4a3fa1db3c16a2cf1cac7cf244421de14b03dba2
Opcode Fuzzy Hash: 4a323683b0be4fe274c4eabfffb7c86be086cbc526101e015dcc8094d1019714
Instruction Fuzzy Hash: 2E2133B1544200DFCF01DF94D9D0BAABBA5FB84324F24C5A8E9494F206C736E846D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0138D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410065177.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fa6f98b1b1571cd51ddce17d302ec6537118dad00fc76d05fefe2fb871f0c8
Instruction ID: 6937e4c0dd73ac7751dc08cea1041b21daf338fe1cf5f4522c84c149706b2cba
Opcode Fuzzy Hash: 76fa6f98b1b1571cd51ddce17d302ec6537118dad00fc76d05fefe2fb871f0c8
Instruction Fuzzy Hash: 7A2125B1504304DFDB15EF94D8C0B16BB65FB84358F24C5A9E80A4B686C336D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0109D3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410009905.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: a0d0532cba3cb039dce25e917e46c3ebee4f1b0eb97ee53c749174308980a2f6
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: BF11AF76444280CFCF16CF54D9D4B56BFB1FB84324F24C6A9D8490B616C336E45ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410009905.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction ID: 413e616c8a3844fdab13973f921e35ff5a5bf00da3ef770ef48960a283283d86
Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
Instruction Fuzzy Hash: 6F11AF76844280CFDF12CF58D9D4B16BFA1FB84324F2486A9D9450B617C336D45ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0138D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.410065177.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction ID: d944e1dc1db9db42f7d314b779803ed86c29d0d382866525d3b41231967590de
Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
Instruction Fuzzy Hash: 39118EB5504380DFDB12DF54D5C4B15FB61FB44318F24C6A9D8494B696C33AD44BCB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 7lQnHeq3XF

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior