Play interactive tour

Edit tour

Analysis Report 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Overview

General Information

Sample Name:	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Analysis ID:	433010
MD5:	4df9b2c6531cde226bf1b0ae86d41162
SHA1:	9a42c49714905ea1e5f042a683fd80ecff10fc87
SHA256:	4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
Tags:	exenjratRAT
Infos:
Most interesting Screenshot:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the startup folder

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

explorer.exe (PID: 5908 cmdline: 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

svchost.exe (PID: 7084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6168 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

fullview.exe (PID: 5616 cmdline: 'C:\Users\user\Music\fullview.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

fullview.exe (PID: 7080 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

fullview.exe (PID: 7088 cmdline: 'C:\Users\user\Music\fullview.exe' -boot MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

fullview.exe (PID: 6400 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

fullview.exe (PID: 5544 cmdline: 'C:\Users\user\Music\fullview.exe' -boot MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

fullview.exe (PID: 1668 cmdline: C:\Users\user\Music\fullview.exe MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

svchost.exe (PID: 4576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe' MD5: 4DF9B2C6531CDE226BF1B0AE86D41162)

cleanup

Malware Configuration

Threatname: Njrat

{"Install Dir": "svchost.exe", "Install Name": "strangerstrek.duckdns.org", "Host": "True", "Port": "2090", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Comienzo", "Version": "0.7.3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x128ae:$a2: SEE_MASK_NOZONECHECKS 0x12aed:$b1: [TAP] 0x12a65:$c3: cmd.exe /c ping
0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128ae:$reg: SEE_MASK_NOZONECHECKS 0x126ac:$msg: Execute ERROR 0x12708:$msg: Execute ERROR 0x12a65:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6f6f5:$a2: SEE_MASK_NOZONECHECKS 0x6f934:$b1: [TAP] 0x6f8ac:$c3: cmd.exe /c ping
00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6f6f5:$reg: SEE_MASK_NOZONECHECKS 0x6f4f3:$msg: Execute ERROR 0x6f54f:$msg: Execute ERROR 0x6f8ac:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x128ae:$a2: SEE_MASK_NOZONECHECKS 0x12aed:$b1: [TAP] 0x12a65:$c3: cmd.exe /c ping
00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128ae:$reg: SEE_MASK_NOZONECHECKS 0x126ac:$msg: Execute ERROR 0x12708:$msg: Execute ERROR 0x12a65:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x128ae:$a2: SEE_MASK_NOZONECHECKS 0x12aed:$b1: [TAP] 0x12a65:$c3: cmd.exe /c ping
00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128ae:$reg: SEE_MASK_NOZONECHECKS 0x126ac:$msg: Execute ERROR 0x12708:$msg: Execute ERROR 0x12a65:$ping: cmd.exe /c ping 0 -n 2 & del
0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6e646:$a2: SEE_MASK_NOZONECHECKS 0x82395:$a2: SEE_MASK_NOZONECHECKS 0x4a1295:$a2: SEE_MASK_NOZONECHECKS 0x6e885:$b1: [TAP] 0x825d4:$b1: [TAP] 0x4a14d4:$b1: [TAP] 0x6e7fd:$c3: cmd.exe /c ping 0x8254c:$c3: cmd.exe /c ping 0x4a144c:$c3: cmd.exe /c ping
0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6e646:$reg: SEE_MASK_NOZONECHECKS 0x82395:$reg: SEE_MASK_NOZONECHECKS 0x4a1295:$reg: SEE_MASK_NOZONECHECKS 0x6e444:$msg: Execute ERROR 0x6e4a0:$msg: Execute ERROR 0x82193:$msg: Execute ERROR 0x821ef:$msg: Execute ERROR 0x4a1093:$msg: Execute ERROR 0x4a10ef:$msg: Execute ERROR 0x6e7fd:$ping: cmd.exe /c ping 0 -n 2 & del 0x8254c:$ping: cmd.exe /c ping 0 -n 2 & del 0x4a144c:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x6528e:$a2: SEE_MASK_NOZONECHECKS 0x78fdd:$a2: SEE_MASK_NOZONECHECKS 0x654cd:$b1: [TAP] 0x7921c:$b1: [TAP] 0x65445:$c3: cmd.exe /c ping 0x79194:$c3: cmd.exe /c ping
00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x6528e:$reg: SEE_MASK_NOZONECHECKS 0x78fdd:$reg: SEE_MASK_NOZONECHECKS 0x6508c:$msg: Execute ERROR 0x650e8:$msg: Execute ERROR 0x78ddb:$msg: Execute ERROR 0x78e37:$msg: Execute ERROR 0x65445:$ping: cmd.exe /c ping 0 -n 2 & del 0x79194:$ping: cmd.exe /c ping 0 -n 2 & del
00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x69b6e:$a2: SEE_MASK_NOZONECHECKS 0x7d8bd:$a2: SEE_MASK_NOZONECHECKS 0x69dad:$b1: [TAP] 0x7dafc:$b1: [TAP] 0x69d25:$c3: cmd.exe /c ping 0x7da74:$c3: cmd.exe /c ping
00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x69b6e:$reg: SEE_MASK_NOZONECHECKS 0x7d8bd:$reg: SEE_MASK_NOZONECHECKS 0x6996c:$msg: Execute ERROR 0x699c8:$msg: Execute ERROR 0x7d6bb:$msg: Execute ERROR 0x7d717:$msg: Execute ERROR 0x69d25:$ping: cmd.exe /c ping 0 -n 2 & del 0x7da74:$ping: cmd.exe /c ping 0 -n 2 & del
00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11801:$a2: SEE_MASK_NOZONECHECKS 0x11a40:$b1: [TAP] 0x119b8:$c3: cmd.exe /c ping
00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11801:$reg: SEE_MASK_NOZONECHECKS 0x115ff:$msg: Execute ERROR 0x1165b:$msg: Execute ERROR 0x119b8:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x128ae:$a2: SEE_MASK_NOZONECHECKS 0x12aed:$b1: [TAP] 0x12a65:$c3: cmd.exe /c ping
0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128ae:$reg: SEE_MASK_NOZONECHECKS 0x126ac:$msg: Execute ERROR 0x12708:$msg: Execute ERROR 0x12a65:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x128ae:$a2: SEE_MASK_NOZONECHECKS 0x12aed:$b1: [TAP] 0x12a65:$c3: cmd.exe /c ping
00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x128ae:$reg: SEE_MASK_NOZONECHECKS 0x126ac:$msg: Execute ERROR 0x12708:$msg: Execute ERROR 0x12a65:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x23cab9:$a2: SEE_MASK_NOZONECHECKS 0x23ccf8:$b1: [TAP] 0x23cc70:$c3: cmd.exe /c ping
0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x23cab9:$reg: SEE_MASK_NOZONECHECKS 0x23c8b7:$msg: Execute ERROR 0x23c913:$msg: Execute ERROR 0x23cc70:$ping: cmd.exe /c ping 0 -n 2 & del
0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x487ba:$a2: SEE_MASK_NOZONECHECKS 0x5c509:$a2: SEE_MASK_NOZONECHECKS 0x489f9:$b1: [TAP] 0x5c748:$b1: [TAP] 0x48971:$c3: cmd.exe /c ping 0x5c6c0:$c3: cmd.exe /c ping
0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x487ba:$reg: SEE_MASK_NOZONECHECKS 0x5c509:$reg: SEE_MASK_NOZONECHECKS 0x485b8:$msg: Execute ERROR 0x48614:$msg: Execute ERROR 0x5c307:$msg: Execute ERROR 0x5c363:$msg: Execute ERROR 0x48971:$ping: cmd.exe /c ping 0 -n 2 & del 0x5c6c0:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x651a2:$a2: SEE_MASK_NOZONECHECKS 0x78ef1:$a2: SEE_MASK_NOZONECHECKS 0x653e1:$b1: [TAP] 0x79130:$b1: [TAP] 0x65359:$c3: cmd.exe /c ping 0x790a8:$c3: cmd.exe /c ping
00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x651a2:$reg: SEE_MASK_NOZONECHECKS 0x78ef1:$reg: SEE_MASK_NOZONECHECKS 0x64fa0:$msg: Execute ERROR 0x64ffc:$msg: Execute ERROR 0x78cef:$msg: Execute ERROR 0x78d4b:$msg: Execute ERROR 0x65359:$ping: cmd.exe /c ping 0 -n 2 & del 0x790a8:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 7088	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 1668	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 5616	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 7080	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 5544	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: fullview.exe PID: 6400	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: svchost.exe PID: 4576	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 57 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.fullview.exe.46a7ead.7.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
12.2.fullview.exe.46a7ead.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.46a7ead.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
12.2.fullview.exe.46a7ead.7.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.fullview.exe.46a7ead.7.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
12.2.fullview.exe.46a7ead.7.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.46a7ead.7.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
12.2.fullview.exe.46a7ead.7.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.fullview.exe.351dc45.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
12.2.fullview.exe.351dc45.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.351dc45.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
12.2.fullview.exe.351dc45.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.36e488d.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
17.2.svchost.exe.36e488d.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.36e488d.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
17.2.svchost.exe.36e488d.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.2e2916d.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
4.2.fullview.exe.2e2916d.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.2e2916d.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
4.2.fullview.exe.2e2916d.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.2c4edb9.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
13.2.fullview.exe.2c4edb9.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.2c4edb9.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
13.2.fullview.exe.2c4edb9.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.3de7ead.7.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
13.2.fullview.exe.3de7ead.7.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.3de7ead.7.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
13.2.fullview.exe.3de7ead.7.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.2c62b08.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.2c62b08.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
13.2.fullview.exe.2c62b08.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.4877ead.7.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
17.2.svchost.exe.4877ead.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.4877ead.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
17.2.svchost.exe.4877ead.7.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.3fb7ead.7.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
4.2.fullview.exe.3fb7ead.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.3fb7ead.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
4.2.fullview.exe.3fb7ead.7.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.2e3cebc.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.2e3cebc.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
4.2.fullview.exe.2e3cebc.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.3de7ead.7.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
13.2.fullview.exe.3de7ead.7.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.3de7ead.7.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
13.2.fullview.exe.3de7ead.7.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.3fb7ead.7.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
4.2.fullview.exe.3fb7ead.7.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.3fb7ead.7.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
4.2.fullview.exe.3fb7ead.7.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.36e488d.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.36e488d.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x25750:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x2598f:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x25907:$c3: cmd.exe /c ping
17.2.svchost.exe.36e488d.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x25750:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x2554e:$msg: Execute ERROR 0x255aa:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x25907:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x25750:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x2598f:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x25907:$c3: cmd.exe /c ping
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x25750:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x2554e:$msg: Execute ERROR 0x255aa:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x25907:$ping: cmd.exe /c ping 0 -n 2 & del
16.2.fullview.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
16.2.fullview.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.2.fullview.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
16.2.fullview.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.2c62b08.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
13.2.fullview.exe.2c62b08.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.2c62b08.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
13.2.fullview.exe.2c62b08.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
18.2.fullview.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
18.2.fullview.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.fullview.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
18.2.fullview.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
16.0.fullview.exe.400000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
16.0.fullview.exe.400000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
16.0.fullview.exe.400000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
16.0.fullview.exe.400000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.fullview.exe.3531994.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
12.2.fullview.exe.3531994.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.3531994.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
12.2.fullview.exe.3531994.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.4877ead.7.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
17.2.svchost.exe.4877ead.7.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.4877ead.7.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
17.2.svchost.exe.4877ead.7.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.2e3cebc.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
4.2.fullview.exe.2e3cebc.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.2e3cebc.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
4.2.fullview.exe.2e3cebc.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
18.0.fullview.exe.400000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
18.0.fullview.exe.400000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.0.fullview.exe.400000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
18.0.fullview.exe.400000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
11.0.fullview.exe.400000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
11.0.fullview.exe.400000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.0.fullview.exe.400000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
11.0.fullview.exe.400000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
13.2.fullview.exe.2c4edb9.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
13.2.fullview.exe.2c4edb9.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x25750:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x2598f:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x25907:$c3: cmd.exe /c ping
13.2.fullview.exe.2c4edb9.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x25750:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x2554e:$msg: Execute ERROR 0x255aa:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x25907:$ping: cmd.exe /c ping 0 -n 2 & del
11.2.fullview.exe.400000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x11bb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0x11841:$s3: Executed As 0xdecd:$s5: Stub.exe 0x11823:$s6: Download ERROR 0x11705:$s7: shutdown -r -t 00
11.2.fullview.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
11.2.fullview.exe.400000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
11.2.fullview.exe.400000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.36f85dc.2.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xfdb8:$x1: cmd.exe /c ping 0 -n 2 & del " 0xfa41:$s3: Executed As 0xc0cd:$s5: Stub.exe 0xfa23:$s6: Download ERROR 0xf905:$s7: shutdown -r -t 00
17.2.svchost.exe.36f85dc.2.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.36f85dc.2.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xfc01:$a2: SEE_MASK_NOZONECHECKS 0xfe40:$b1: [TAP] 0xfdb8:$c3: cmd.exe /c ping
17.2.svchost.exe.36f85dc.2.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xfc01:$reg: SEE_MASK_NOZONECHECKS 0xf9ff:$msg: Execute ERROR 0xfa5b:$msg: Execute ERROR 0xfdb8:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.fullview.exe.3531994.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.3531994.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x430901:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x430b40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x430ab8:$c3: cmd.exe /c ping
12.2.fullview.exe.3531994.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x430901:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x4306ff:$msg: Execute ERROR 0x43075b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x430ab8:$ping: cmd.exe /c ping 0 -n 2 & del
17.2.svchost.exe.36f85dc.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
17.2.svchost.exe.36f85dc.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping
17.2.svchost.exe.36f85dc.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del
12.2.fullview.exe.351dc45.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.fullview.exe.351dc45.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x25750:$a2: SEE_MASK_NOZONECHECKS 0x444650:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x2598f:$b1: [TAP] 0x44488f:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x25907:$c3: cmd.exe /c ping 0x444807:$c3: cmd.exe /c ping
12.2.fullview.exe.351dc45.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x25750:$reg: SEE_MASK_NOZONECHECKS 0x444650:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x2554e:$msg: Execute ERROR 0x255aa:$msg: Execute ERROR 0x44444e:$msg: Execute ERROR 0x4444aa:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x25907:$ping: cmd.exe /c ping 0 -n 2 & del 0x444807:$ping: cmd.exe /c ping 0 -n 2 & del
4.2.fullview.exe.2e2916d.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.fullview.exe.2e2916d.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x11a01:$a2: SEE_MASK_NOZONECHECKS 0x25750:$a2: SEE_MASK_NOZONECHECKS 0x11c40:$b1: [TAP] 0x2598f:$b1: [TAP] 0x11bb8:$c3: cmd.exe /c ping 0x25907:$c3: cmd.exe /c ping
4.2.fullview.exe.2e2916d.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x11a01:$reg: SEE_MASK_NOZONECHECKS 0x25750:$reg: SEE_MASK_NOZONECHECKS 0x117ff:$msg: Execute ERROR 0x1185b:$msg: Execute ERROR 0x2554e:$msg: Execute ERROR 0x255aa:$msg: Execute ERROR 0x11bb8:$ping: cmd.exe /c ping 0 -n 2 & del 0x25907:$ping: cmd.exe /c ping 0 -n 2 & del
Click to see the 129 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\Music\fullview.exe	Avira: detection malicious, Label: HEUR/AGEN.1122310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Avira: detection malicious, Label: HEUR/AGEN.1122310

Found malware configuration

Show sources

Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack

Malware Configuration Extractor: Njrat {"Install Dir": "svchost.exe", "Install Name": "strangerstrek.duckdns.org", "Host": "True", "Port": "2090", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Comienzo", "Version": "0.7.3"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Music\fullview.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Show sources

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Virustotal: Detection: 67%			Perma Link
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	ReversingLabs: Detection: 79%

Yara detected Njrat

Show sources

Source: Yara match	File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Music\fullview.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Joe Sandbox ML: detected

Source: 16.2.fullview.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.2.fullview.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.0.fullview.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.fullview.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.0.fullview.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.fullview.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.759339723.0000000006710000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818685449.0000000006D70000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.833000474.00000000065D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.833594288.0000000007010000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49768 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49769 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49770 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49771 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49772 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49773 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49774 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49777 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49778 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49779 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49780 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49781 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49782 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49783 -> 192.169.69.25:2090
Source: Traffic	Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49784 -> 192.169.69.25:2090

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: True

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: strangerstrek.duckdns.org

Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25
Source: Joe Sandbox View	IP Address: 192.169.69.25 192.169.69.25

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
Source: svchost.exe, 00000009.00000003.740002825.00000231CFB50000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z\|\|.\|\|3f037643-6aef-47de-81ac-01c99fe373ef\|\|1152921505693535664\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000009.00000003.740002825.00000231CFB50000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-10T07:22:21.3909598Z\|\|.\|\|3f037643-6aef-47de-81ac-01c99fe373ef\|\|1152921505693535664\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 00000009.00000003.731341981.00000231CFB81000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-09T08:40:24.6537940Z\|\|.\|\|70a39ee4-92a6-4b9a-9580-ae2703a9cc56\|\|1152921505693564220\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-09T08:39:31.1120019Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000009.00000003.733581218.00000231CFB8A000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","Rx% equals www.facebook.com (Facebook)
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: Watch this video to learn how to pay us https://www.youtube.com/watch?v=Ji9IwPId5UkQThis is not a joke. This is a ransomware}Ransomware: Couldn't send address. The stub has no BTC address equals www.youtube.com (Youtube)
Source: svchost.exe, 00000009.00000003.731322628.00000231CFB50000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-09T08:40:24.6537940Z\|\|.\|\|70a39ee4-92a6-4b9a-9580-ae2703a9cc56\|\|1152921505693564220\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-09T08:39:31.1120019Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Source: unknown

DNS traffic detected: queries for: strangerstrek.duckdns.org

Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: fullview.exe, 0000000C.00000003.746795395.0000000005A4D000.00000004.00000001.sdmp, fullview.exe, 0000000C.00000003.746606206.0000000005A4D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adob
Source: fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co
Source: fullview.exe, 0000000C.00000003.811336680.0000000005A4D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adom
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp, fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com=
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637436308.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comCInN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcro
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637522421.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comh-c
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637389364.0000000005089000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comyrl
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639668812.0000000005087000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.638929660.0000000005087000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers5
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639326811.0000000005086000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635522881.000000000509B000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635541486.000000000509B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comQ
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635626829.000000000509B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comicj
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636982622.00000000050BD000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636923218.00000000050BD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn7
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cns
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641328281.0000000005086000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmX
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krO
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: svchost.exe, 00000009.00000002.751687464.00000231CF2EE000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637170702.0000000005082000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.
Source: svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com&
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637155791.0000000005083000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comadnl
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.640449829.0000000005086000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736861958.00000231CFB41000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736891454.00000231CFB50000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=Ji9IwPId5UkQThis

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 11.0.fullview.exe.400000.1.unpack, Lime/kl.cs	.Net Code: VKCodeToUnicode
Source: 11.0.fullview.exe.400000.1.unpack, LimeSL.cs	.Net Code: SetHook
Source: 11.2.fullview.exe.400000.0.unpack, Lime/kl.cs	.Net Code: VKCodeToUnicode
Source: 11.2.fullview.exe.400000.0.unpack, LimeSL.cs	.Net Code: SetHook
Source: 16.2.fullview.exe.400000.0.unpack, LimeSL.cs	.Net Code: SetHook
Source: 16.2.fullview.exe.400000.0.unpack, Lime/kl.cs	.Net Code: VKCodeToUnicode

Source: svchost.exe, 00000011.00000002.828234765.0000000001200000.00000004.00000001.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Njrat

Show sources

Source: Yara match	File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Show sources

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: fullview.exe.0.dr, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 0.0.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 4.2.fullview.exe.740000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 4.0.fullview.exe.740000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: svchost.exe.11.dr, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 11.0.fullview.exe.dc0000.2.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 11.0.fullview.exe.dc0000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 11.2.fullview.exe.dc0000.1.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 12.0.fullview.exe.d30000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 12.2.fullview.exe.d30000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 13.0.fullview.exe.580000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 13.2.fullview.exe.580000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 16.0.fullview.exe.d40000.0.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240
Source: 16.0.fullview.exe.d40000.2.unpack, busnnett/U1.cs	Large array initialization: GetByte: array initializer size 74240

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new

Jump to behavior

Source: C:\Users\user\Music\fullview.exe

File deleted: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.5616.4731968

Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Code function: 0_2_04C12548	0_2_04C12548
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_05122548	4_2_05122548
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_05832548	12_2_05832548
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_05072548	13_2_05072548

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685770002.0000000006DF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameeconomymode.exe8 vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685742568.0000000006DD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.686354866.0000000007350000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.686354866.0000000007350000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685866192.0000000007250000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000000.634243918.000000000045E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamezsinnadaverde.exe vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Binary or memory string: OriginalFilenamezsinnadaverde.exe vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fullview.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 11.0.fullview.exe.400000.1.unpack, Rware.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.fullview.exe.400000.1.unpack, RwareDE.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.fullview.exe.400000.0.unpack, Rware.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.fullview.exe.400000.0.unpack, RwareDE.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 16.2.fullview.exe.400000.0.unpack, RwareDE.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 16.2.fullview.exe.400000.0.unpack, Rware.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@19/16@16/1

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Code function: 0_2_05210AFE AdjustTokenPrivileges,	0_2_05210AFE
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Code function: 0_2_05210AC7 AdjustTokenPrivileges,	0_2_05210AC7
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_06C70AFE AdjustTokenPrivileges,	4_2_06C70AFE
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_06C70AEC AdjustTokenPrivileges,	4_2_06C70AEC
Source: C:\Users\user\Music\fullview.exe	Code function: 11_2_0318259E AdjustTokenPrivileges,	11_2_0318259E
Source: C:\Users\user\Music\fullview.exe	Code function: 11_2_03182567 AdjustTokenPrivileges,	11_2_03182567
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_05900AFE AdjustTokenPrivileges,	12_2_05900AFE
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_05900AC7 AdjustTokenPrivileges,	12_2_05900AC7
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_05150AFE AdjustTokenPrivileges,	13_2_05150AFE
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_05150AC7 AdjustTokenPrivileges,	13_2_05150AC7

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File created: C:\Users\user\Music\fullview.exe

Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Music\fullview.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Virustotal: Detection: 67%
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File read: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe 'C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: unknown	Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe' -boot
Source: unknown	Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe' -boot
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe'	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 11.0.fullview.exe.400000.1.unpack, Lime/Core.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.fullview.exe.400000.0.unpack, Lime/Core.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.fullview.exe.400000.0.unpack, Lime/Core.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Code function: 0_2_0045B55B push es; iretd	0_2_0045B6DA
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_007CB55B push es; iretd	4_2_007CB6DA
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_010D841E push ebp; ret	4_2_010D8429
Source: C:\Users\user\Music\fullview.exe	Code function: 4_2_010D7FC9 push ecx; ret	4_2_010D841D
Source: C:\Users\user\Music\fullview.exe	Code function: 11_2_00E4B55B push es; iretd	11_2_00E4B6DA
Source: C:\Users\user\Music\fullview.exe	Code function: 11_2_0573063F push 6D2AC360h; ret	11_2_05730656
Source: C:\Users\user\Music\fullview.exe	Code function: 11_2_0573051B push 6D2AC310h; ret	11_2_05730532
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_00DBB55B push es; iretd	12_2_00DBB6DA
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_016A83DE push ecx; ret	12_2_016A841D
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_016A8423 push ebp; ret	12_2_016A8429
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_016A8502 push 00000001h; retf	12_2_016A8504
Source: C:\Users\user\Music\fullview.exe	Code function: 12_2_016A8497 push 00000001h; ret	12_2_016A84A4
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_0060B55B push es; iretd	13_2_0060B6DA
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_00BF841E push ebp; ret	13_2_00BF8429
Source: C:\Users\user\Music\fullview.exe	Code function: 13_2_00BF7FC9 push ecx; ret	13_2_00BF841D
Source: C:\Users\user\Music\fullview.exe	Code function: 16_2_00DCB55B push es; iretd	16_2_00DCB6DA

Source: initial sample	Static PE information: section name: .text entropy: 7.9564698476
Source: initial sample	Static PE information: section name: .text entropy: 7.9564698476
Source: initial sample	Static PE information: section name: .text entropy: 7.9564698476

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Music\fullview.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	File created: C:\Users\user\Music\fullview.exe			Jump to dropped file
Source: C:\Users\user\Music\fullview.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe			Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Music\fullview.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Jump to dropped file

Source: C:\Users\user\Music\fullview.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Jump to behavior

Source: C:\Users\user\Music\fullview.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Jump to behavior

Source: C:\Users\user\Music\fullview.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fullview			Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fullview			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\Music\fullview.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	File opened: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	File opened: C:\Users\user\Music\fullview.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	File opened: C:\Users\user\Music\fullview.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\Music\fullview.exe	File opened: C:\Users\user\Music\fullview.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Music\fullview.exe

Window / User API: threadDelayed 3133

Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe TID: 7000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Music\fullview.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7020	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Music\fullview.exe TID: 6492	Thread sleep count: 3133 > 30	Jump to behavior
Source: C:\Users\user\Music\fullview.exe TID: 3296	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 1000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 5892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 5112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 5400	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Music\fullview.exe	Last function: Thread delayed
Source: C:\Users\user\Music\fullview.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VBoxServiceoAntiProcess: VirtrualBox was detected! I deleted myself
Source: explorer.exe, 00000003.00000002.900998536.0000000001187000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000009.00000002.751700582.00000231CF2F9000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000009.00000002.751687464.00000231CF2EE000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VGAuthServiceeAntiProcess: VMware was detected! I deleted myself
Source: fullview.exe, 0000000B.00000002.901269787.0000000001453000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process token adjusted: Debug
Source: C:\Users\user\Music\fullview.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 11.0.fullview.exe.400000.1.unpack, Lime/Core.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.fullview.exe.400000.1.unpack, Lime/kl.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.2.fullview.exe.400000.0.unpack, Lime/Core.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.fullview.exe.400000.0.unpack, Lime/kl.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 16.2.fullview.exe.400000.0.unpack, Lime/Core.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.2.fullview.exe.400000.0.unpack, Lime/kl.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Music\fullview.exe	Memory written: C:\Users\user\Music\fullview.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Memory written: C:\Users\user\Music\fullview.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Music\fullview.exe	Memory written: C:\Users\user\Music\fullview.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Music\fullview.exe	Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe

Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: fullview.exe, 0000000B.00000002.902417621.0000000003501000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|9
Source: fullview.exe, 0000000B.00000002.902417621.0000000003501000.00000004.00000001.sdmp	Binary or memory string: Program Manager<
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	Binary or memory string: Shell_traywnd

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Music\fullview.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: fullview.exe, 0000000B.00000002.901269787.0000000001453000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Music\fullview.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected Njrat

Show sources

Source: Yara match	File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Njrat

Show sources

Source: Yara match	File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match	File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Startup Items1	Startup Items1	Disable or Modify Tools1	Input Capture11	File and Directory Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Registry Run Keys / Startup Folder121	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery12	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information2	Security Account Manager	Security Software Discovery131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol21	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder121	Software Packing13	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Virtualization/Sandbox Evasion31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories2	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	67%	Virustotal		Browse
4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	100%	Avira	HEUR/AGEN.1122310
4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Music\fullview.exe	100%	Avira	HEUR/AGEN.1122310
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	100%	Avira	HEUR/AGEN.1122310
C:\Users\user\Music\fullview.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Music\fullview.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.0.fullview.exe.dc0000.2.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
11.0.fullview.exe.dc0000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
18.2.fullview.exe.d30000.1.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
12.0.fullview.exe.d30000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
4.2.fullview.exe.740000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
12.2.fullview.exe.46a7ead.7.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
13.0.fullview.exe.580000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
16.0.fullview.exe.d40000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
4.0.fullview.exe.740000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
17.0.svchost.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
13.2.fullview.exe.3de7ead.7.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
13.2.fullview.exe.580000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
16.0.fullview.exe.d40000.2.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
4.2.fullview.exe.3fb7ead.7.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
18.0.fullview.exe.d30000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
11.2.fullview.exe.dc0000.1.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
0.0.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
17.2.svchost.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
16.2.fullview.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
18.2.fullview.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
16.0.fullview.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
17.2.svchost.exe.4877ead.7.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
16.2.fullview.exe.d40000.1.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
18.0.fullview.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
11.0.fullview.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.2.fullview.exe.d30000.0.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
18.0.fullview.exe.d30000.2.unpack	100%	Avira	HEUR/AGEN.1122310	Download File
11.2.fullview.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
strangerstrek.duckdns.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fonts.comicj	0%	Avira URL Cloud	safe
True	0%	Avira URL Cloud	safe
http://ns.adobe.co	0%	Virustotal		Browse
http://ns.adobe.co	0%	Avira URL Cloud	safe
http://ns.adom	0%	Avira URL Cloud	safe
http://www.tiro.comadnl	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.comCInN	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm0	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://ns.micro	0%	Avira URL Cloud	safe
http://ns.adob	0%	Avira URL Cloud	safe
http://www.carterandcone.comh-c	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://ns.ado	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cns	0%	Avira URL Cloud	safe
http://www.carterandcone.com=	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.tiro.com&	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmX	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://ns.adobe.c	0%	Avira URL Cloud	safe
http://www.fonts.comQ	0%	Avira URL Cloud	safe
http://www.microsoft.	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.goodfont.co.krO	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.tiro.	0%	URL Reputation	safe
http://www.tiro.	0%	URL Reputation	safe
http://www.tiro.	0%	URL Reputation	safe
http://www.carterandcone.comyrl	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn7	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.carterandcone.comcro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strangerstrek.duckdns.org	192.169.69.25	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
True	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comicj	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635626829.000000000509B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.co	fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ns.adom	fullview.exe, 0000000C.00000003.811336680.0000000005A4D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	false		high
http://www.tiro.comadnl	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637155791.0000000005083000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comCInN	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637436308.0000000005088000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm0	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641328281.0000000005086000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.micro	fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp, fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersN	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639326811.0000000005086000.00000004.00000001.sdmp	false		high
http://ns.adob	fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comh-c	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637522421.0000000005088000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado	fullview.exe, 0000000C.00000003.746795395.0000000005A4D000.00000004.00000001.sdmp, fullview.exe, 0000000C.00000003.746606206.0000000005A4D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cns	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com=	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/DPlease	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635522881.000000000509B000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com&	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.640449829.0000000005086000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmX	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure	svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTC	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.c	fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/develop	svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	false		high
https://www.youtube.com/watch?v=Ji9IwPId5UkQThis	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp	false		high
http://www.fonts.comQ	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635541486.000000000509B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	svchost.exe, 00000009.00000002.751687464.00000231CF2EE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comlic	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.krO	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736861958.00000231CFB41000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736891454.00000231CFB50000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637170702.0000000005082000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comyrl	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637389364.0000000005089000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636982622.00000000050BD000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639668812.0000000005087000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn7	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636923218.00000000050BD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comcro	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.g5e.com/termsofservice	svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers5	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.638929660.0000000005087000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.25	strangerstrek.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433010
Start date:	11.06.2021
Start time:	05:07:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@19/16@16/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.2%) Quality average: 25.2% Quality standard deviation: 38.5%
HCA Information:	Successful, ratio: 96% Number of executed functions: 514 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.113.196.254, 52.147.198.201, 13.88.21.125, 104.43.139.144, 20.82.209.183, 20.54.104.15, 20.54.26.129, 20.54.7.98, 2.20.142.210, 2.20.142.209, 8.253.204.121, 8.253.207.120, 67.26.81.254, 8.248.137.254, 8.248.143.254, 20.82.210.154, 92.122.213.247, 92.122.213.194, 20.82.209.104 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:08:35	API Interceptor	10x Sleep call for process: svchost.exe modified
05:08:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fullview C:\Users\user\Music\fullview.exe -boot
05:08:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fullview C:\Users\user\Music\fullview.exe -boot
05:09:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.169.69.25	66D9612BA9CDE67EDEA09F3482459F3BFE03FAAA13EAD.exe	Get hash	malicious	Browse	ipvhosted.duckdns.org/rmarch/fre.php
	ttmPnejtED.js	Get hash	malicious	Browse	pluginsrv.duckdns.org:7744/is-ready
	New Order.xlsx	Get hash	malicious	Browse	systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe
	Your Transport Plan has Changed - Maersk.xlsx	Get hash	malicious	Browse	covidinternationalspreadsoomuchtruehead.duckdns.org/covid/blk.exe
	XQqVczq7eQ.exe	Get hash	malicious	Browse	wetransferfax.duckdns.org/sftp.exe
	http://office365update.duckdns.org	Get hash	malicious	Browse	office365update.duckdns.org/
	TUdme7rF2G.rtf	Get hash	malicious	Browse	wsdykungcommunicationtarisupliermg55gms.duckdns.org/kungdoc/winlog.exe
	http://communicationideadedicatedserversystem.duckdns.org/bns/vbc.exe	Get hash	malicious	Browse	communicationideadedicatedserversystem.duckdns.org/bns/vbc.exe
	doc04483720200602121810.xlsx	Get hash	malicious	Browse	honeysposecurityfileexchangeservice.duckdns.org/org/vbc.exe
	doc04483720200602121810.xlsx	Get hash	malicious	Browse	honeysposecurityfileexchangeservice.duckdns.org/org/vbc.exe
	BBVA-Confirming Facturas Pagadas al Vencimiento.xlsx	Get hash	malicious	Browse	mkpksb2overhypetheykillppelforlifehelgg.duckdns.org/mkpk2doc/regasm.exe
	VqtnFLslNj_Purchase Order.vbs	Get hash	malicious	Browse	onyeeze.duckdns.org:5000/is-ready
	1.bin.js	Get hash	malicious	Browse	unknownsoft.duckdns.org:7755/is-ready
	Doc1.mht	Get hash	malicious	Browse	pluginsrv2.duckdns.org:8899/is-ready
	https://cdn.discordapp.com/attachments/692273473430749187/695380419897458718/RFQ.tar.gz	Get hash	malicious	Browse	pluginsrv2.duckdns.org:8000/is-ready
	http://systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe	Get hash	malicious	Browse	systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe
	help.wsf	Get hash	malicious	Browse	postventa-vodafone.duckdns.org/is-ready
	order.xlsx	Get hash	malicious	Browse	windowsfirewallsecurityauthorise.duckdns.org/big/svch.html
	order.xlsx	Get hash	malicious	Browse	windowsfirewallsecurityauthorise.duckdns.org/big/svch.html
	54RFQ EU (190926) CRYPTED.js	Get hash	malicious	Browse	pluginsrv1.duckdns.org:7757/is-ready

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WOWUS	ORDER-6010.pdf.exe	Get hash	malicious	Browse	192.169.69.25
	9CCC5F07D0BF7152841C893C892DF407C854D5FF45C1A.exe	Get hash	malicious	Browse	192.169.69.26
	0F4F0709D120ABA22D4687BFABFA5004DD54B0FCC6EF1.exe	Get hash	malicious	Browse	192.169.69.25
	WNr7kU4wSU.exe	Get hash	malicious	Browse	192.169.69.26
	2ga2LylVIM.exe	Get hash	malicious	Browse	192.169.69.25
	AFa8kUgrni.exe	Get hash	malicious	Browse	192.169.69.25
	u8SFl9j1I8.exe	Get hash	malicious	Browse	45.14.115.62
	66D9612BA9CDE67EDEA09F3482459F3BFE03FAAA13EAD.exe	Get hash	malicious	Browse	192.169.69.25
	68815FD1B30680F0810F01B9D651B31995E2DBCE667D2.exe	Get hash	malicious	Browse	192.169.69.25
	export of document 555091.xlsm	Get hash	malicious	Browse	216.244.77.186
	generated purchase order 6149057.xlsm	Get hash	malicious	Browse	216.244.77.186
	export of check 209162.xlsm	Get hash	malicious	Browse	216.244.77.186
	copy of payment 0535.xlsm	Get hash	malicious	Browse	216.244.77.186
	scan of document 8030.xlsm	Get hash	malicious	Browse	216.244.77.186
	fax_74557.xlsm	Get hash	malicious	Browse	216.244.77.186
	CMjsfg603M.exe	Get hash	malicious	Browse	192.169.69.25
	619DBBJxtN.exe	Get hash	malicious	Browse	192.169.69.25
	TCyJbxozes.xlsm	Get hash	malicious	Browse	216.244.65.162
	TCyJbxozes.xlsm	Get hash	malicious	Browse	216.244.65.162
	documents-1731157050.xlsm	Get hash	malicious	Browse	216.244.65.162

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.log Download File
Process:	C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.243697660922101
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U26KPZb6Khav:MLF20NaL329hJ5g522rW26KUKhk
MD5:	2DE73C34B5DFB4A6363AAA6CC0236D40
SHA1:	3FB7418FBD86A4FC2F47DA2B9D50AE5920F87BFE
SHA-256:	20CD6E9106E3672979DA34DAB605DFC4485AD2103BAC8924F49CCEF4AC98D1A5
SHA-512:	58CA38D9403B18E7DEB762C05FF8E3AEF48A1369A1331D886EB3050750778D5332FAA0272B51E53506B819439672C1872DE2B9CB0B3E149DE38374960B05B50D
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\1dcb6d1a15814b6b26f32879e7ec1d98\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fullview.exe.log Download File
Process:	C:\Users\user\Music\fullview.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.243697660922101
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U26KPZb6Khav:MLF20NaL329hJ5g522rW26KUKhk
MD5:	2DE73C34B5DFB4A6363AAA6CC0236D40
SHA1:	3FB7418FBD86A4FC2F47DA2B9D50AE5920F87BFE
SHA-256:	20CD6E9106E3672979DA34DAB605DFC4485AD2103BAC8924F49CCEF4AC98D1A5
SHA-512:	58CA38D9403B18E7DEB762C05FF8E3AEF48A1369A1331D886EB3050750778D5332FAA0272B51E53506B819439672C1872DE2B9CB0B3E149DE38374960B05B50D
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\1dcb6d1a15814b6b26f32879e7ec1d98\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	5.243697660922101
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U26KPZb6Khav:MLF20NaL329hJ5g522rW26KUKhk
MD5:	2DE73C34B5DFB4A6363AAA6CC0236D40
SHA1:	3FB7418FBD86A4FC2F47DA2B9D50AE5920F87BFE
SHA-256:	20CD6E9106E3672979DA34DAB605DFC4485AD2103BAC8924F49CCEF4AC98D1A5
SHA-512:	58CA38D9403B18E7DEB762C05FF8E3AEF48A1369A1331D886EB3050750778D5332FAA0272B51E53506B819439672C1872DE2B9CB0B3E149DE38374960B05B50D
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\1dcb6d1a15814b6b26f32879e7ec1d98\System.Core.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	814
Entropy (8bit):	3.167885907884326
Encrypted:	false
SSDEEP:	24:vqrOr+VACxmM7CkGcLWb2cLbMqlkGcLWb2cLb:voOrSACxmM7pHWb3bMNHWb3b
MD5:	CD424EB5C932D52634D00281C306EFD8
SHA1:	C5DD42A3A24112EFE8BCC6BB08E5F8B7B867E8A3
SHA-256:	49D8AC7F3741C2C798A24ED0297ACB7D0B0591C62FFB5D25F0C9D4894600BC37
SHA-512:	930883496C51CF11122EBDDEBD26A3E91E3AAD92E7F7205722EEF1264C38550E7DE75BC3D269AFE51742835E841C75AE0D6B507B7FE7C180904BBA7FFF749CB3
Malicious:	false
Preview:	....................f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.R.o.a.m.i.n.g./.M.i.c.r.o.s.o.f.t./.W.i.n.d.o.w.s./.S.t.a.r.t. .M.e.n.u./.P.r.o.g.r.a.m.s./.S.t.a.r.t.u.p./.s.v.c.h.o.s.t...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................\...............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.M.u.s.i.c./.f.u.l.l.v.i.e.w...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e............................................b.U.,..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Download File
Process:	C:\Users\user\Music\fullview.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	676608
Entropy (8bit):	7.265789074193961
Encrypted:	false
SSDEEP:	12288:xoxaLRopZpV0cs6jbfYKA/uxqxxHdRetMYxj3N5HzjfB:exaLRUZ/PvAK7x+dRetMgj3N5Hzl
MD5:	4DF9B2C6531CDE226BF1B0AE86D41162
SHA1:	9A42C49714905EA1E5F042A683FD80ECFF10FC87
SHA-256:	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C391E0BFBB9D0B96BBF9
SHA-512:	292EDF0D733D05B3B725EA00414299C6CCEC8D50DA9E0CE3D50CAFBF4144E87D3E62DCDADB11A2B139E39F8A72CB5E394BD108E6D4413517CCA459079DF6BA8D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Y................................. ........@.. ....................... ............@.....................................O.......P............................................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B........................H.......L...p ......!....O...E...........................................0..A....... .........%.....(......... .........%.....(.........(,........&...R.(.....(.........&..... .... ....(9...(#...(.... .... ....(...+o....Q.....&.0..$.........(.....%......s......o....&.....&b. .... ....(...+.....&....0..f.......~........E....-..............."............,...+..+..{....,...+...q. .b..Y+..{....o......(.........&...0..........~........E................g...........6.....

C:\Users\user\Music\fullview.exe Download File
Process:	C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	676608
Entropy (8bit):	7.265789074193961
Encrypted:	false
SSDEEP:	12288:xoxaLRopZpV0cs6jbfYKA/uxqxxHdRetMYxj3N5HzjfB:exaLRUZ/PvAK7x+dRetMgj3N5Hzl
MD5:	4DF9B2C6531CDE226BF1B0AE86D41162
SHA1:	9A42C49714905EA1E5F042A683FD80ECFF10FC87
SHA-256:	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C391E0BFBB9D0B96BBF9
SHA-512:	292EDF0D733D05B3B725EA00414299C6CCEC8D50DA9E0CE3D50CAFBF4144E87D3E62DCDADB11A2B139E39F8A72CB5E394BD108E6D4413517CCA459079DF6BA8D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Y................................. ........@.. ....................... ............@.....................................O.......P............................................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B........................H.......L...p ......!....O...E...........................................0..A....... .........%.....(......... .........%.....(.........(,........&...R.(.....(.........&..... .... ....(9...(#...(.... .... ....(...+o....Q.....&.0..$.........(.....%......s......o....&.....&b. .... ....(...+.....&....0..f.......~........E....-..............."............,...+..+..{....,...+...q. .b..Y+..{....o......(.........&...0..........~........E................g...........6.....

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1220
Entropy (8bit):	3.3063592917134037
Encrypted:	false
SSDEEP:	24:vqrOr+VACxmM7CkGcLWb2cLbMqlkGcLWb2cLbqqsERH28kGcLWb2cLb:voOrSACxmM7pHWb3bMNHWb3bq+QHWb3b
MD5:	859781EA37E2E022A9A82A6CF11FB8C0
SHA1:	C499451692C7C553D3C5C21E7E8E9120734A2A05
SHA-256:	08A8B7206491A4A23673C26BA30006881FB6D37CB436DE1F7C126D4EEF37BAA2
SHA-512:	29DA47BEB9464A588C721F7CF9DDF276E7DF09497F193F5104D2C1AE30838BEACE0E43797D1ACDA7F7EC086B1642D68547822022C470D5361E9938F58A02EFF2
Malicious:	false
Preview:	....................f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.R.o.a.m.i.n.g./.M.i.c.r.o.s.o.f.t./.W.i.n.d.o.w.s./.S.t.a.r.t. .M.e.n.u./.P.r.o.g.r.a.m.s./.S.t.a.r.t.u.p./.s.v.c.h.o.s.t...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................\...............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.M.u.s.i.c./.f.u.l.l.v.i.e.w...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................................f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.D.e.s.k.t.o.p./.4.7.1.4.D.6.8.D.B.B.9.F.9.A.C.3.6.4.2.5.F.2.E.C.7.3.E.D.4.3.4.C.F.5.7.4.0.7.F.3.6.0.6.3.C...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1220
Entropy (8bit):	3.3063592917134037
Encrypted:	false
SSDEEP:	24:vqrOr+VACxmM7CkGcLWb2cLbMqlkGcLWb2cLbqqsERH28kGcLWb2cLb:voOrSACxmM7pHWb3bMNHWb3bq+QHWb3b
MD5:	859781EA37E2E022A9A82A6CF11FB8C0
SHA1:	C499451692C7C553D3C5C21E7E8E9120734A2A05
SHA-256:	08A8B7206491A4A23673C26BA30006881FB6D37CB436DE1F7C126D4EEF37BAA2
SHA-512:	29DA47BEB9464A588C721F7CF9DDF276E7DF09497F193F5104D2C1AE30838BEACE0E43797D1ACDA7F7EC086B1642D68547822022C470D5361E9938F58A02EFF2
Malicious:	false
Preview:	....................f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.A.p.p.D.a.t.a./.R.o.a.m.i.n.g./.M.i.c.r.o.s.o.f.t./.W.i.n.d.o.w.s./.S.t.a.r.t. .M.e.n.u./.P.r.o.g.r.a.m.s./.S.t.a.r.t.u.p./.s.v.c.h.o.s.t...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................\...............f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.M.u.s.i.c./.f.u.l.l.v.i.e.w...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1....P.e.r.m.i.s.s.i.o.n.S.e.t....c.l.a.s.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...P.e.r.m.i.s.s.i.o.n.S.e.t....v.e.r.s.i.o.n...1....U.n.r.e.s.t.r.i.c.t.e.d...t.r.u.e................................f.i.l.e.:./././.C.:./.U.s.e.r.s./.j.o.n.e.s./.D.e.s.k.t.o.p./.4.7.1.4.D.6.8.D.B.B.9.F.9.A.C.3.6.4.2.5.F.2.E.C.7.3.E.D.4.3.4.C.F.5.7.4.0.7.F.3.6.0.6.3.C...e.x.e.....P.o.l.i.c.y.S.t.a.t.e.m.e.n.t....v.e.r.s.i.o.n...1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.265789074193961
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
File size:	676608
MD5:	4df9b2c6531cde226bf1b0ae86d41162
SHA1:	9a42c49714905ea1e5f042a683fd80ecff10fc87
SHA256:	4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
SHA512:	292edf0d733d05b3b725ea00414299c6ccec8d50da9e0ce3d50cafbf4144e87d3e62dcdadb11a2b139e39f8a72cb5e394bd108e6d4413517cca459079df6ba8d
SSDEEP:	12288:xoxaLRopZpV0cs6jbfYKA/uxqxxHdRetMYxj3N5HzjfB:exaLRUZ/PvAK7x+dRetMgj3N5Hzl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Y................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x48ce0e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x598DF5B7 [Fri Aug 11 18:21:43 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cdbc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8bc00	0x19700
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8ae14	0x8b000	False	0.937953153103	data	7.9564698476	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x750	0x800	False	0.37939453125	data	4.40768498219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x8e0a0	0x4c4	data
RT_MANIFEST	0x8e564	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 Ames Department Stores, Inc.
Assembly Version	0.0.0.0
InternalName	zsinnadaverde.exe
FileVersion	18.9.20.3
CompanyName	Ames Department Stores, Inc.
Comments	2mmzsekqryh
ProductName	Maintain secure boundaries between Exchange organizations and Active Directory forests
ProductVersion	18.9.20.3
FileDescription	Maintain secure boundaries between Exchange organizations and Active Directory forests
OriginalFilename	zsinnadaverde.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/21-05:09:05.658550	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49768	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:08.666842	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8
06/11/21-05:09:09.625434	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49769	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:13.405936	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49770	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:18.259546	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49771	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:22.130122	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49772	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:25.939244	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49773	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:29.698874	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49774	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:33.589581	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49777	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:37.421430	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49778	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:41.192477	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49779	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:45.021374	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49780	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:48.795325	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49781	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:52.908657	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49782	2090	192.168.2.4	192.169.69.25
06/11/21-05:09:56.927327	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49783	2090	192.168.2.4	192.169.69.25
06/11/21-05:10:00.522464	TCP	2021176	ET TROJAN Bladabindi/njRAT CnC Command (ll)	49784	2090	192.168.2.4	192.169.69.25

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 05:09:04.888365984 CEST	49768	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:05.270692110 CEST	2090	49768	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:05.273372889 CEST	49768	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:05.658550024 CEST	49768	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:06.000242949 CEST	2090	49768	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:09.308514118 CEST	49769	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:09.593332052 CEST	2090	49769	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:09.593436003 CEST	49769	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:09.625433922 CEST	49769	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:09.982062101 CEST	2090	49769	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:13.068901062 CEST	49770	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:13.371803045 CEST	2090	49770	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:13.371963024 CEST	49770	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:13.405936003 CEST	49770	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:13.787329912 CEST	2090	49770	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:17.344278097 CEST	49771	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:17.721909046 CEST	2090	49771	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:17.722522020 CEST	49771	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:18.259546041 CEST	49771	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:18.577558994 CEST	2090	49771	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:21.740449905 CEST	49772	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:22.095433950 CEST	2090	49772	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:22.095674992 CEST	49772	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:22.130121946 CEST	49772	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:22.536426067 CEST	2090	49772	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:25.634933949 CEST	49773	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:25.896579981 CEST	2090	49773	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:25.896765947 CEST	49773	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:25.939244032 CEST	49773	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:26.334356070 CEST	2090	49773	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:29.436384916 CEST	49774	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:29.668318033 CEST	2090	49774	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:29.668538094 CEST	49774	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:29.698873997 CEST	49774	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:30.030806065 CEST	2090	49774	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:33.117090940 CEST	49777	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:33.507507086 CEST	2090	49777	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:33.507726908 CEST	49777	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:33.589581013 CEST	49777	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:33.937946081 CEST	2090	49777	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:37.072197914 CEST	49778	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:37.382383108 CEST	2090	49778	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:37.382556915 CEST	49778	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:37.421430111 CEST	49778	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:37.785609007 CEST	2090	49778	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:40.909295082 CEST	49779	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:41.159437895 CEST	2090	49779	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:41.159694910 CEST	49779	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:41.192476988 CEST	49779	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:41.574688911 CEST	2090	49779	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:44.666002989 CEST	49780	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:44.978307962 CEST	2090	49780	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:44.978734016 CEST	49780	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:45.021373987 CEST	49780	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:45.387738943 CEST	2090	49780	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:48.491094112 CEST	49781	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:48.766208887 CEST	2090	49781	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:48.766335011 CEST	49781	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:48.795325041 CEST	49781	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:49.191963911 CEST	2090	49781	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:52.327435970 CEST	49782	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:52.612813950 CEST	2090	49782	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:52.614249945 CEST	49782	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:52.908657074 CEST	49782	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:53.280567884 CEST	2090	49782	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:56.621592999 CEST	49783	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:56.887439013 CEST	2090	49783	192.169.69.25	192.168.2.4
Jun 11, 2021 05:09:56.887773037 CEST	49783	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:56.927326918 CEST	49783	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:09:57.186721087 CEST	2090	49783	192.169.69.25	192.168.2.4
Jun 11, 2021 05:10:00.264158964 CEST	49784	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:10:00.516460896 CEST	2090	49784	192.169.69.25	192.168.2.4
Jun 11, 2021 05:10:00.516601086 CEST	49784	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:10:00.522464037 CEST	49784	2090	192.168.2.4	192.169.69.25
Jun 11, 2021 05:10:00.930309057 CEST	2090	49784	192.169.69.25	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 05:07:47.235093117 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:47.297647953 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:48.455547094 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:48.507256985 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:49.271984100 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:49.332009077 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:50.116871119 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:50.170346975 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:51.325320959 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:51.377120018 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:52.505340099 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:52.559029102 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:53.381258965 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:53.434442043 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:54.255022049 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:54.306026936 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:55.084492922 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:55.135504007 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:55.958132982 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:56.016576052 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:57.371150970 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:57.421817064 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:58.154439926 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:58.214751959 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 11, 2021 05:07:59.565663099 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:07:59.619735956 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:00.344687939 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:00.396044970 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:01.332179070 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:01.393887043 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:02.126149893 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:02.177123070 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:02.983745098 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:03.033864975 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:04.209381104 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:04.260154963 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:05.032062054 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:05.082380056 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:20.474477053 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:20.536684036 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:35.032800913 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:35.186784983 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:35.825135946 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:35.889003038 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:36.073438883 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:36.144052982 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:36.463407040 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:36.527219057 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:36.959777117 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:37.140023947 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:37.756829023 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:37.818697929 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:38.432176113 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:38.496263981 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:39.021497965 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:39.083472013 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:39.883500099 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:39.937222958 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:40.894696951 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:40.957184076 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:41.577378988 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:41.641522884 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:42.174377918 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:42.236212969 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:44.146809101 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:44.197410107 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:44.310956001 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:44.369905949 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:45.475709915 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:45.538126945 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:56.471431017 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:56.538613081 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 11, 2021 05:08:56.681895018 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:08:56.750427961 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:01.357621908 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:01.418029070 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:03.615022898 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:04.626250029 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:04.881957054 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:08.666721106 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:09.047086000 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:09.306271076 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:13.008507013 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:13.067322016 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:17.239105940 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:17.300529003 CEST	53	50904	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:21.675340891 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:21.737289906 CEST	53	57525	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:25.571778059 CEST	53814	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:25.632543087 CEST	53	53814	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:29.371440887 CEST	53418	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:29.433598042 CEST	53	53418	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:30.815078974 CEST	62833	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:30.882560015 CEST	53	62833	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:32.116275072 CEST	59260	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:32.187819004 CEST	53	59260	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:33.061381102 CEST	49944	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:33.114150047 CEST	53	49944	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:37.010565996 CEST	63300	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:37.069361925 CEST	53	63300	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:40.844315052 CEST	61449	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:40.906454086 CEST	53	61449	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:44.609051943 CEST	51275	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:44.663188934 CEST	53	51275	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:48.424278975 CEST	63492	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:48.488208055 CEST	53	63492	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:52.262861013 CEST	58945	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:52.321726084 CEST	53	58945	8.8.8.8	192.168.2.4
Jun 11, 2021 05:09:56.365417004 CEST	60779	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:09:56.619036913 CEST	53	60779	8.8.8.8	192.168.2.4
Jun 11, 2021 05:10:00.210443974 CEST	64014	53	192.168.2.4	8.8.8.8
Jun 11, 2021 05:10:00.262615919 CEST	53	64014	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 11, 2021 05:09:08.666841984 CEST	192.168.2.4	8.8.8.8	cffd	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 05:09:03.615022898 CEST	192.168.2.4	8.8.8.8	0x3ef9	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:04.626250029 CEST	192.168.2.4	8.8.8.8	0x3ef9	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:09.047086000 CEST	192.168.2.4	8.8.8.8	0xf76e	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:13.008507013 CEST	192.168.2.4	8.8.8.8	0xe2a2	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:17.239105940 CEST	192.168.2.4	8.8.8.8	0x3c0f	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:21.675340891 CEST	192.168.2.4	8.8.8.8	0x7966	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:25.571778059 CEST	192.168.2.4	8.8.8.8	0xdcb6	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:29.371440887 CEST	192.168.2.4	8.8.8.8	0xf4dc	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:33.061381102 CEST	192.168.2.4	8.8.8.8	0xd14e	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:37.010565996 CEST	192.168.2.4	8.8.8.8	0xd901	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:40.844315052 CEST	192.168.2.4	8.8.8.8	0x11fc	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:44.609051943 CEST	192.168.2.4	8.8.8.8	0x7124	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:48.424278975 CEST	192.168.2.4	8.8.8.8	0x7f39	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:52.262861013 CEST	192.168.2.4	8.8.8.8	0x9c89	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:56.365417004 CEST	192.168.2.4	8.8.8.8	0x6c8e	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)
Jun 11, 2021 05:10:00.210443974 CEST	192.168.2.4	8.8.8.8	0xdc29	Standard query (0)	strangerstrek.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 05:09:04.881957054 CEST	8.8.8.8	192.168.2.4	0x3ef9	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:08.666721106 CEST	8.8.8.8	192.168.2.4	0x3ef9	Server failure (2)	strangerstrek.duckdns.org	none	none	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:09.306271076 CEST	8.8.8.8	192.168.2.4	0xf76e	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:13.067322016 CEST	8.8.8.8	192.168.2.4	0xe2a2	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:17.300529003 CEST	8.8.8.8	192.168.2.4	0x3c0f	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:21.737289906 CEST	8.8.8.8	192.168.2.4	0x7966	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:25.632543087 CEST	8.8.8.8	192.168.2.4	0xdcb6	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:29.433598042 CEST	8.8.8.8	192.168.2.4	0xf4dc	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:33.114150047 CEST	8.8.8.8	192.168.2.4	0xd14e	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:37.069361925 CEST	8.8.8.8	192.168.2.4	0xd901	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:40.906454086 CEST	8.8.8.8	192.168.2.4	0x11fc	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:44.663188934 CEST	8.8.8.8	192.168.2.4	0x7124	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:48.488208055 CEST	8.8.8.8	192.168.2.4	0x7f39	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:52.321726084 CEST	8.8.8.8	192.168.2.4	0x9c89	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:09:56.619036913 CEST	8.8.8.8	192.168.2.4	0x6c8e	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)
Jun 11, 2021 05:10:00.262615919 CEST	8.8.8.8	192.168.2.4	0xdc29	No error (0)	strangerstrek.duckdns.org		192.169.69.25	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964 Parent PID: 5780

General

Start time:	05:07:53
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe'
Imagebase:	0x3d0000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 7084 Parent PID: 568

General

Start time:	05:07:55
Start date:	11/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 5908 Parent PID: 6964

General

Start time:	05:08:13
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe
Imagebase:	0x3b0000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 6168 Parent PID: 800

General

Start time:	05:08:15
Start date:	11/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: fullview.exe PID: 5616 Parent PID: 6168

General

Start time:	05:08:16
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Music\fullview.exe'
Imagebase:	0x740000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6476 Parent PID: 568

General

Start time:	05:08:20
Start date:	11/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6524 Parent PID: 568

General

Start time:	05:08:27
Start date:	11/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6868 Parent PID: 568

General

Start time:	05:08:33
Start date:	11/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: fullview.exe PID: 7080 Parent PID: 5616

General

Start time:	05:08:35
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Music\fullview.exe
Imagebase:	0xdc0000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: fullview.exe PID: 7088 Parent PID: 3424

General

Start time:	05:08:43
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Music\fullview.exe' -boot
Imagebase:	0xd30000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: fullview.exe PID: 5544 Parent PID: 3424

General

Start time:	05:08:51
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Music\fullview.exe' -boot
Imagebase:	0x7ff69f0d0000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: fullview.exe PID: 6400 Parent PID: 7088

General

Start time:	05:09:03
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Music\fullview.exe
Imagebase:	0xd40000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4576 Parent PID: 3424

General

Start time:	05:09:10
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
Imagebase:	0x980000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: fullview.exe PID: 1668 Parent PID: 5544

General

Start time:	05:09:10
Start date:	11/06/2021
Path:	C:\Users\user\Music\fullview.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Music\fullview.exe
Imagebase:	0xd30000
File size:	676608 bytes
MD5 hash:	4DF9B2C6531CDE226BF1B0AE86D41162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: njrat1, Description: Identify njRat, Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964 Parent PID: 5780 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exeCOMMON

Executed Functions

Function 05210AC7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05210B47

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7ee27b9ad66a3482c4537880cf1a090562056a136bf12a59cd17201ac736592b
Instruction ID: 5b217d72132220b674d48859192d1f8439d629f8388814d72aa6c837901eeab9
Opcode Fuzzy Hash: 7ee27b9ad66a3482c4537880cf1a090562056a136bf12a59cd17201ac736592b
Instruction Fuzzy Hash: 6A218D755097809FDB228F25DC44B52BFE4EF16314F0884EAE9858F163D271A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05210AFE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05210B47

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f3c8d62710ced981713aeafa5ebf85a16cee00679623f06c00710b670d96c9ce
Instruction ID: aaf0bb0a26cced0f43c16a69d09995ed39be1484775f67d31a77fb2124c9fda5
Opcode Fuzzy Hash: f3c8d62710ced981713aeafa5ebf85a16cee00679623f06c00710b670d96c9ce
Instruction Fuzzy Hash: F3115E715103009FDB20CF55D988B66FBE4FF14324F08C4AAED4A8B652D375E554CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04C12548, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7180f0b52f8388ddc941915213ba1483fd5f1e48d870c99e08a20307f2aa34f
Instruction ID: 2e5c3802d741271853c503d5c3c58289ae9f75b7b0dd024fd0c85ee7e4adf647
Opcode Fuzzy Hash: e7180f0b52f8388ddc941915213ba1483fd5f1e48d870c99e08a20307f2aa34f
Instruction Fuzzy Hash: 61627B34B006058FCB14EB79D45472EB7B3EB8A344F28816AC40AA73A9DF359D47DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05210C88, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,66E46401,00000000,00000000,00000000,00000000), ref: 05210D22

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: ce0dae5003210b20c85ee0d16a3096488440e0f69dd7e4e7688bd5c4143aabcf
Instruction ID: 54c9e191536c2fbf7044beb8ff14940b36bbaf117991985e1005c1f76cd6dd82
Opcode Fuzzy Hash: ce0dae5003210b20c85ee0d16a3096488440e0f69dd7e4e7688bd5c4143aabcf
Instruction Fuzzy Hash: FB21E6B25093806FEB128F65DC45F56BFB8EF06320F0884DBE984DB153D224E945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05210D81, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,66E46401,00000000,00000000,00000000,00000000), ref: 05210E12

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 82d75386145324c826ca24f8d009cb69d8ab006df1a5c005ff7371cbe4a56998
Instruction ID: 7bc4acb4be9ff9ff7b1a2ef22663fcd5d53d4c13385bc9d0b0a369cd64473d6b
Opcode Fuzzy Hash: 82d75386145324c826ca24f8d009cb69d8ab006df1a5c005ff7371cbe4a56998
Instruction Fuzzy Hash: F8219471509384AFE7228F25DC44F67BFA8EF05310F0884AAE945DB152D264E949CB75

Uniqueness

Uniqueness Score: -1.00%

Function 05211154, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 052111FA

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: f6c27e2a8ed8f5a59ab5f7b8f159cb390afc1f1c8618beef596ff6543e3f122f
Instruction ID: 3455dfa24753116cae77ffefd26e41cb8861e5a81bc6e2b303fe396e9d7541f7
Opcode Fuzzy Hash: f6c27e2a8ed8f5a59ab5f7b8f159cb390afc1f1c8618beef596ff6543e3f122f
Instruction Fuzzy Hash: 4E21A37540E3C06FC3138B358C55A11BFB4EF47610F1D80CFD8848B5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05211224, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 052112BE

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9d527afd2ca7345b808eb2dc2425aab50bf054caf8bbc5bc29eca2fad6d9c228
Instruction ID: 8606f34a73ee219afe0670f006f39a409b968d8f93a3d43a2b8d1b76a66e837f
Opcode Fuzzy Hash: 9d527afd2ca7345b808eb2dc2425aab50bf054caf8bbc5bc29eca2fad6d9c228
Instruction Fuzzy Hash: 3021DA755093C06FD3138B25DC51F62BFB4EF47A10F0981DBE9848B653D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0521094B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052109C6

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bcd1873fdc468b22d780bf20ff97257924a15dd8f6baa3b843bca3b7cf79a529
Instruction ID: 98fe81a3cb5621f7478a61988337a1bc26181b8560ddd4b7278c7cee482745ec
Opcode Fuzzy Hash: bcd1873fdc468b22d780bf20ff97257924a15dd8f6baa3b843bca3b7cf79a529
Instruction Fuzzy Hash: D12180725093C05FEB128B65DC95B93BFE8EF16210F0984EBED89CB253D264E849C761

Uniqueness

Uniqueness Score: -1.00%

Function 05210DAE, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,66E46401,00000000,00000000,00000000,00000000), ref: 05210E12

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 36884bc4398a663941be1d11f25b417a5069757e5ce164e80e00c19b669c323b
Instruction ID: ae2a169cebce7aca85e6da1ccced574e3afc7f34b920fcaebeb0518d1336f372
Opcode Fuzzy Hash: 36884bc4398a663941be1d11f25b417a5069757e5ce164e80e00c19b669c323b
Instruction Fuzzy Hash: 9811AF75600304AFEB21CF66DC88F6BBBE8EF04720F14846AED49CB245D674E444CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05210CC6, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,66E46401,00000000,00000000,00000000,00000000), ref: 05210D22

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 2c99658b0bf28e817c5503a99d95d9d2e8c2b41f9667cb21cdcc6d93166d6dab
Instruction ID: 1bf3fb5ed55b2b413fd1d657be30d6ebc404b84edd9e778ddfce04e5ab0c0fa8
Opcode Fuzzy Hash: 2c99658b0bf28e817c5503a99d95d9d2e8c2b41f9667cb21cdcc6d93166d6dab
Instruction Fuzzy Hash: 19119DB1500304AFEB21CF69DC85B6BBBA8EF04720F14846AED498B645D674E844CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 05210386, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052103FD

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 387d0dffe5dc961bea6633d2ef0cf80761a8f6372ac881829a39dba6b5d599dd
Instruction ID: 339dc8ef370fe016b7b14db3c30275d15e303c33424a52e8fec7c9a5ea485b42
Opcode Fuzzy Hash: 387d0dffe5dc961bea6633d2ef0cf80761a8f6372ac881829a39dba6b5d599dd
Instruction Fuzzy Hash: A32190754097C09FDB228B21DC54A62BFB0EF1B214F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 052107F6, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05210858

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 71a500f6b6a1e7c374a30209e20043a83d328dd83b2a426dfc1888417d3a0da0
Instruction ID: dbe7e03984859916f5f159f179d8604531f0f377b7e2c79675ba243b158ac3a5
Opcode Fuzzy Hash: 71a500f6b6a1e7c374a30209e20043a83d328dd83b2a426dfc1888417d3a0da0
Instruction Fuzzy Hash: A21184715093819FD711CF65DC45B52BFE8EF46210F0984EADD89CF252D274E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05211D53, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05211DBD

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9778500761534e71fa847052e0b1da45160ce98ed100edde8b2e679f0cd506fd
Instruction ID: 9b6102720225a4eb3074f03ec2a93d63bcf56c7d77977a81bcb26af50bc7710d
Opcode Fuzzy Hash: 9778500761534e71fa847052e0b1da45160ce98ed100edde8b2e679f0cd506fd
Instruction Fuzzy Hash: 8D1190714097809FDB228F15DC85F52FFB4EF06224F1884DEED858B563C275A419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0521097E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052109C6

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: de50b6ce4977425da450b4ca10d5cfff85901d6fdb5d377485383d449f37c41a
Instruction ID: e08495560dd2c0bcf01f4615ffd3e2980597a0c4d12da91031467b15baf7a507
Opcode Fuzzy Hash: de50b6ce4977425da450b4ca10d5cfff85901d6fdb5d377485383d449f37c41a
Instruction Fuzzy Hash: EE11E5716103418FEB20CF2AD888B57FBD8EF14620F08C46ADD4ACB646D274E844CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0521081E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05210858

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0ab9cd8716b91c6e4c2bd97ed6e5f3225e6a141eb1c297f5a440d105290c421c
Instruction ID: dd54834a93adfdb7dc9a7a1390143bb8b6b3c6ca26eb1192a29ba3af8024c3c4
Opcode Fuzzy Hash: 0ab9cd8716b91c6e4c2bd97ed6e5f3225e6a141eb1c297f5a440d105290c421c
Instruction Fuzzy Hash: 2B01B171A183418FDB60DF2AD888766FBD8EF00220F18C4AADD49CF646DA74E444CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052111AA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 052111FA

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 97125d56c0a74d00c9a5578cc17502c799b579f30e07f5994e905b7e32b3638c
Instruction ID: 4861024e737ca62ef66751d76f5b22bcfe8e2da7b6bcbc17d3b55a93b4b94f3d
Opcode Fuzzy Hash: 97125d56c0a74d00c9a5578cc17502c799b579f30e07f5994e905b7e32b3638c
Instruction Fuzzy Hash: A501A271500604ABD614DF1ADC82B26FBA8FB89B20F14811AED084B741D231F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0521126E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 052112BE

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3d8a5bdf3a9b148ca0a946f886001aa2d986a549ad01210ceb8bf5e843fc2af4
Instruction ID: 5df3d9bee4833ba27849cdd0281aead876eaa5eee19a9a73983c244a1e98bd3a
Opcode Fuzzy Hash: 3d8a5bdf3a9b148ca0a946f886001aa2d986a549ad01210ceb8bf5e843fc2af4
Instruction Fuzzy Hash: AF01AD71500604ABD624DF1ADC82B26FBA8FB89B20F14811AED084B741E271F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05211D82, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05211DBD

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6c4e85da8a5c9537dafdd81a0bdef4e64c311e3a8962afa9a2c5ff1145b4914e
Instruction ID: bf581d16d66ef7c1c1267df03b9e5d4509046574ec7765150e982f8d06f371d0
Opcode Fuzzy Hash: 6c4e85da8a5c9537dafdd81a0bdef4e64c311e3a8962afa9a2c5ff1145b4914e
Instruction Fuzzy Hash: A801BC35510B008FDB208F5AD884B66FBE0EF14320F08C4AEDE4A4B656D275E428CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052103C2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 052103FD

Memory Dump Source

Source File: 00000000.00000002.682693536.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00765b9a32eadd21f48d835a394d0aca227f1896a98d20054ffd8ef8092c353f
Instruction ID: 55cd43fbe031aac25abb229fcf6853e9228003a3c1ccf5208c151185a36d6906
Opcode Fuzzy Hash: 00765b9a32eadd21f48d835a394d0aca227f1896a98d20054ffd8ef8092c353f
Instruction Fuzzy Hash: 11017835510300DFDB20CF56E888B66FBE1FF18320F08C49ADD494B616D275E498CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 04C11D90, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

Dlq, xrefs: 04C11E45

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 54070f41332569a841954191c27a7dcec2511aaa71b307145e21672c0de31e69
Instruction ID: acacc182039dcc430f1925b7475cfdd4eea9e67757746b079a1b85342ce44036
Opcode Fuzzy Hash: 54070f41332569a841954191c27a7dcec2511aaa71b307145e21672c0de31e69
Instruction Fuzzy Hash: 7441C431F053499FCB15DFBDD8046EEBFF6AF8A310F14416AD504E72A5EA3099068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C11E18, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Dlq, xrefs: 04C11E45

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 11aa22e32686a2abd1849e2785d69b8785b16ea6909ea675724bff19d334c253
Instruction ID: 1e7f9c7476cbe0c366b31919f1571c405242cfa0544cda28d8f56595d0689fd5
Opcode Fuzzy Hash: 11aa22e32686a2abd1849e2785d69b8785b16ea6909ea675724bff19d334c253
Instruction Fuzzy Hash: 7C410A30E102199BCB14DBA9D895BEDBBF6AF8D351F188069E905B7290DF34AD019B60

Uniqueness

Uniqueness Score: -1.00%

Function 04C14AA0, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

:@fq, xrefs: 04C14E9A

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: cb3cca6049a3245e17b2927aa67ff61949dd9c2dfc5f88fe64d079195c4f119d
Instruction ID: e866acfc6d1c2b74dfd837aa7eced7d3a5c9fffacc6d31df4bd11d839823ff9c
Opcode Fuzzy Hash: cb3cca6049a3245e17b2927aa67ff61949dd9c2dfc5f88fe64d079195c4f119d
Instruction Fuzzy Hash: 20419430A04615CFC758CFA9C880B7AB7F6AF46310F19857BE065D7261D334F504AB59

Uniqueness

Uniqueness Score: -1.00%

Function 04C10007, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

>_kq, xrefs: 04C1007A

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: f1b2c4373b72d7491530c35154517eb16f8c4f5ce78732e20d09030d27ce13ae
Instruction ID: 313372c5eef7416a1d497284e529fb379e8e41797f4368df7838045f75ae0639
Opcode Fuzzy Hash: f1b2c4373b72d7491530c35154517eb16f8c4f5ce78732e20d09030d27ce13ae
Instruction Fuzzy Hash: CE21286150E3C54FD3135B24AC257993FB2AF43251F6A01DBC5C1CF5E7DA684819C762

Uniqueness

Uniqueness Score: -1.00%

Function 04C12538, Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c3d6d184ff7464b9862e5935d5be50d4b7921e0dcbe9c28f460e118beb759a
Instruction ID: a10c45e1a0c6451d809733918791f440177475ae1ce32a4de169752c5dbbc1de
Opcode Fuzzy Hash: 68c3d6d184ff7464b9862e5935d5be50d4b7921e0dcbe9c28f460e118beb759a
Instruction Fuzzy Hash: 47528A34B00605CFDB14EB79D45472EB7B3AB8A344F28816AC406A73A9DF359D47DB84

Uniqueness

Uniqueness Score: -1.00%

Function 04C13760, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c63d3186cc8fd92c608fb46132e3644369a80f72fb2dea7d22556251346301
Instruction ID: 3654bdb364e7c160f34ad55558f3453cf08a95279f597a2373381136f2ddab04
Opcode Fuzzy Hash: 98c63d3186cc8fd92c608fb46132e3644369a80f72fb2dea7d22556251346301
Instruction Fuzzy Hash: A6D1B770B00258CFE710CFA9C454B6DBBF3BB86315F648166D806AB3B5DA70ED459B90

Uniqueness

Uniqueness Score: -1.00%

Function 04C13700, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7660d064f17446fed03803b0413699374de33fada6e169680c5a1d46b6f008cf
Instruction ID: 8b73735e8d679247d9a420a50d0d69490b017643feac9287c2fbfc9b7c9eea6e
Opcode Fuzzy Hash: 7660d064f17446fed03803b0413699374de33fada6e169680c5a1d46b6f008cf
Instruction Fuzzy Hash: 6AB1E770B00245CFEB10CFA9D454B6DBBB3BB86715F248166E806AF3B5DA70ED409B90

Uniqueness

Uniqueness Score: -1.00%

Function 04C13750, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2911c958b79a1002ebc66ce7bce2412fc29aef834134dacd600c47f95b2289
Instruction ID: 87e926cfb26bd4055af6a3ae67e00baaa852e40583d6e463d835da730bdbe634
Opcode Fuzzy Hash: 2a2911c958b79a1002ebc66ce7bce2412fc29aef834134dacd600c47f95b2289
Instruction Fuzzy Hash: 1FB1C470B00245DFEB00CFA9C454B6DBBB3BB86315F248566E806AB3B5DA70ED409B90

Uniqueness

Uniqueness Score: -1.00%

Function 04C133A8, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979cc1de2894df37f18ee4141c22e2907af06fb8ff011f0efbae46ccd5b8a23e
Instruction ID: 724bdfbbedddef6865024c9f1cf2295b159cec076c05ea0ba1f276ad80185f28
Opcode Fuzzy Hash: 979cc1de2894df37f18ee4141c22e2907af06fb8ff011f0efbae46ccd5b8a23e
Instruction Fuzzy Hash: 2991C230B002159FDB04ABBDD45466EB7E7BFCA704B2485B9E906EB3A1EE30DC059791

Uniqueness

Uniqueness Score: -1.00%

Function 04C11730, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e11403b0860a595896e250973e78faa8e6af00ada18c3f5c44364ec83f3cbfa
Instruction ID: 49b541efecf3543edb96ac79911c1f6065dcaad43d21b62610a49c566c085197
Opcode Fuzzy Hash: 4e11403b0860a595896e250973e78faa8e6af00ada18c3f5c44364ec83f3cbfa
Instruction Fuzzy Hash: 17518B75608240CFD7018A29D4806B67BE2EB4B300F1E8466D556CB363DB3CEA0AEB90

Uniqueness

Uniqueness Score: -1.00%

Function 04C11520, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e40bd75400abd3c4579b70782a9d2bb262674456830d7743bc54a4087ac553
Instruction ID: ede823a85dc5ad38e7c2f6e559859b9167de5c839403f4c9cd0b5e3400e57cbd
Opcode Fuzzy Hash: 79e40bd75400abd3c4579b70782a9d2bb262674456830d7743bc54a4087ac553
Instruction Fuzzy Hash: C7513071609284DFC3244B19E444A3A7BA2EB47300F9D806EE687CF5B2DA7AED01E750

Uniqueness

Uniqueness Score: -1.00%

Function 04C11A60, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206998fdf2c0c179cdf8eb5392aa00d4447c1ad958b3f20e0d1ef5c746c06f3d
Instruction ID: 0ef77e03c071144e57d81b190e23f6fe9b36185531d5b514db846f58e384380d
Opcode Fuzzy Hash: 206998fdf2c0c179cdf8eb5392aa00d4447c1ad958b3f20e0d1ef5c746c06f3d
Instruction Fuzzy Hash: 28513B34B002149FDB04AF79C858B6DBAF3BF89301F258069E906EB3A5DE759C05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04C11A70, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9227b3e3d9aaaf8805a371ea42236f2b8cc1564123c1afa91ad2fe3e47701d81
Instruction ID: 00f82f06e66830093e4c9ff077712261b4c1e13e8aa73a54b52f5b607899223e
Opcode Fuzzy Hash: 9227b3e3d9aaaf8805a371ea42236f2b8cc1564123c1afa91ad2fe3e47701d81
Instruction Fuzzy Hash: E7514A34B002149FDB04AFB9C458B6DBAF3BFC9301F258069E906EB3A5DE759C019B61

Uniqueness

Uniqueness Score: -1.00%

Function 04C16211, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a08282bc8a1583023168ac2c159dd5a2a18044a905395859919b39f6d46bda0
Instruction ID: 9d4d323f81e0fdd89353a633cd05de8eef8631d02a65e55c650b9f40f698614f
Opcode Fuzzy Hash: 0a08282bc8a1583023168ac2c159dd5a2a18044a905395859919b39f6d46bda0
Instruction Fuzzy Hash: 894164347042025BD708EB75E89463E77A3EBCB7907148629D616C73E8EE38AC03E751

Uniqueness

Uniqueness Score: -1.00%

Function 04C10638, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b9cd2177f0bf92679b5af0a60ba563c7933e7d6d931f0774fb502907091245
Instruction ID: 29ebbdb8b440984196f9bf46c16f2c75dea3b68496b9fb15c2541da26be8cdea
Opcode Fuzzy Hash: a5b9cd2177f0bf92679b5af0a60ba563c7933e7d6d931f0774fb502907091245
Instruction Fuzzy Hash: 114157716082468FD3158F6EEC047BABFE2EF83301F05466AE881DB9A2D774A844D791

Uniqueness

Uniqueness Score: -1.00%

Function 04C130F8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926716d300afd76f4029e452eedc6477a49df52f289b873419744bcc27009f66
Instruction ID: 3b06adc5ccef734987b650745c3b28a537c14c6b583d86b3b52c674d275a39f1
Opcode Fuzzy Hash: 926716d300afd76f4029e452eedc6477a49df52f289b873419744bcc27009f66
Instruction Fuzzy Hash: 19418F706083828FD714EF79D46062ABBE2AFC6304F14896DE4858B3A5DB30DD06DB66

Uniqueness

Uniqueness Score: -1.00%

Function 04C150D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7175b78b50a8e3a9e1f3e5ef14fce08290f10f5af733f13bfed9bf44e83118
Instruction ID: 72e7e5619314456825af949e83c19c024847240b5d425fead4e7b88681d14ad7
Opcode Fuzzy Hash: 5d7175b78b50a8e3a9e1f3e5ef14fce08290f10f5af733f13bfed9bf44e83118
Instruction Fuzzy Hash: 46413A31B10214AFDB04EB79C858B6DBBE6AFCA704F2540A9E406DB7B1DF719C058B81

Uniqueness

Uniqueness Score: -1.00%

Function 04C10798, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b927ba8cd925c8456f6173af162e450e1423dd5f795b8e50745fdc97caeb51
Instruction ID: 7628b7dfc8dfecfe67ad8dcf38c17681e9298daa5d38eaf9bb24605aa096751d
Opcode Fuzzy Hash: 37b927ba8cd925c8456f6173af162e450e1423dd5f795b8e50745fdc97caeb51
Instruction Fuzzy Hash: 203144357043009FE3005B39DC49B6E7B92EBC6B00F48846AF006EB7D5CEB49846DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04C14A90, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8164e2bafcde678f20c514add28907420c76fe2607e38306f7e5dcecf65b4f
Instruction ID: 7caa6e9ad5ce384b7a5e2f569fcf2f833e9be7d31537328638576aa17ce2287e
Opcode Fuzzy Hash: 3c8164e2bafcde678f20c514add28907420c76fe2607e38306f7e5dcecf65b4f
Instruction Fuzzy Hash: 3231A031A04615CFC718CFA9C880BBAB7F2AF42314F09857BE465DB2A1D334E604AB59

Uniqueness

Uniqueness Score: -1.00%

Function 04C14C38, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c51e40b7f963c20b4621d0ef50a1e673a34758f60a4e79f86ca592113934be
Instruction ID: 8a8c753c50d81f8b8abb41c4cda2a66f29a5bdf9c55b1fb8be42676a02a4bbf1
Opcode Fuzzy Hash: d9c51e40b7f963c20b4621d0ef50a1e673a34758f60a4e79f86ca592113934be
Instruction Fuzzy Hash: F7219370B04605CBCB18CF2EC8616BE77A6EF86711F04861BE42A9B2A0D334F641A659

Uniqueness

Uniqueness Score: -1.00%

Function 04C11952, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b98a96fb6fea9872baed93798ccc19eb5501d316fbe60dc1509bba38d4c437
Instruction ID: 1ee3077d2da732a57b94d23d0c0fa8c8bd6f6b3a9dc7b96c77d840c75b4a4d75
Opcode Fuzzy Hash: a2b98a96fb6fea9872baed93798ccc19eb5501d316fbe60dc1509bba38d4c437
Instruction Fuzzy Hash: DA21D634519385CFC701EB38E95865D7F61FF82309F1986AAC0404F26EDEB8990AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04C132E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec2e8fa4134ab97c60fd825f828e36702d89f0beab8bfe0dc269a2848f2b063
Instruction ID: 538c66d56b41e55594b8d416206aa21f241d190350bc555cbfb3b1082af47b6e
Opcode Fuzzy Hash: eec2e8fa4134ab97c60fd825f828e36702d89f0beab8bfe0dc269a2848f2b063
Instruction Fuzzy Hash: 0121A171900348EFDB009F6AD8457DDBFB8FB09324F248429E819AB350C7756880CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C1523D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de994c42d381571c7006e0b6da0f4b30e609ac5aef9ca77224438d14da187960
Instruction ID: 72685f920ddcab241f48bdd02063972e8eca0facfad57f097b1276d92998b66a
Opcode Fuzzy Hash: de994c42d381571c7006e0b6da0f4b30e609ac5aef9ca77224438d14da187960
Instruction Fuzzy Hash: E0118131B44204EFCB059B64D958BADBBF3BF86305F6801AAE416DB2B2CB755C099B01

Uniqueness

Uniqueness Score: -1.00%

Function 027107AC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679323160.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b307bf7510bb99fbc7ed44b6e5875e4eb9911ac95e4c41e1b3660c3b404a9c78
Instruction ID: c0fe553e814cf8b1badc012e69c52835e6227a861ee5213eb67152fc0aff3eee
Opcode Fuzzy Hash: b307bf7510bb99fbc7ed44b6e5875e4eb9911ac95e4c41e1b3660c3b404a9c78
Instruction Fuzzy Hash: 4711B434208345DFD715DB18D941B26BBA1EF88718F24C9ACED491B642C77BD843CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04C1059F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d278f784f4c745a247df3cdf13a29fbd8e5e6227fac7b4c5345c720de4333c51
Instruction ID: 239168b06a510f42e3c396e2efba47b365c8823c3ae2c8c2d8fb366ebb6e08db
Opcode Fuzzy Hash: d278f784f4c745a247df3cdf13a29fbd8e5e6227fac7b4c5345c720de4333c51
Instruction Fuzzy Hash: 5E112BA26189118AE714CA3F984137576A3BB83226F0C8673E467DC8F5E26CE1C1B218

Uniqueness

Uniqueness Score: -1.00%

Function 04C11391, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba4de621e1eb77a88d55640035d975635ab579431d692aefa947ad394b6a17b
Instruction ID: 15ceb2a703d2c958595ce7878979e55098b192ff2a65aeaf94abea33fed6a6cf
Opcode Fuzzy Hash: 9ba4de621e1eb77a88d55640035d975635ab579431d692aefa947ad394b6a17b
Instruction Fuzzy Hash: 9401D42271C16056E324882FD800776B68BA78B224F4C8733A6D6C66A4ED6DF9407259

Uniqueness

Uniqueness Score: -1.00%

Function 04C113A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcf25411c07e2f66a49f25d3ca56c1f69130755d5a5fe8739248962ee455a1d
Instruction ID: a287cea5b1c3739279c217ffe08dd588bb76d3b808055814e78718b69d1a58c1
Opcode Fuzzy Hash: 9bcf25411c07e2f66a49f25d3ca56c1f69130755d5a5fe8739248962ee455a1d
Instruction Fuzzy Hash: BF01A22271C02446E314882FD90077A718BE78F621F8C8333B6D6C66A8FD6DF9807699

Uniqueness

Uniqueness Score: -1.00%

Function 04C16498, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dba01585b1851eb0acf9d616f1ceee53587b2de5795297f804892a04b6395d4
Instruction ID: 942d73f9b5766c0ee476b96eab13fee9406080532130225def7241f88e7ca7fe
Opcode Fuzzy Hash: 5dba01585b1851eb0acf9d616f1ceee53587b2de5795297f804892a04b6395d4
Instruction Fuzzy Hash: EC0128363082509BE324D62DE8007793B83C787322F09007BE55EC37A2C82DAC45A769

Uniqueness

Uniqueness Score: -1.00%

Function 02710799, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679323160.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61615bb1bf806ceebaf9577b61fad14278e6424e956154d29bf3f8e3da43ac46
Instruction ID: 43e7cb48f8e79eef3d4bdd00e16381b3323e34321e0798adc16eb14bf08eef99
Opcode Fuzzy Hash: 61615bb1bf806ceebaf9577b61fad14278e6424e956154d29bf3f8e3da43ac46
Instruction Fuzzy Hash: 5B115E35108281CFC716CB14D990B15BFB1AF86318F28C6EED8894B693C33AD847DB51

Uniqueness

Uniqueness Score: -1.00%

Function 027105CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679323160.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cdc174d94b92bdad1257cbf93c5783f7292132efd78b0c1871e134f399e568
Instruction ID: 8d0812c2144f1ad65f26fbc9a313e5ec67a5b03f0adec01f9b230cb80639a3f8
Opcode Fuzzy Hash: 79cdc174d94b92bdad1257cbf93c5783f7292132efd78b0c1871e134f399e568
Instruction Fuzzy Hash: F701D6715487806FC7118F5AEC41893FFF8EF8623070984ABEC89CB612D125B959CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04C10299, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d272ab5e925d4d4033d9ed50d0e6fcafcc062052e71da21c1b606b997a2d316
Instruction ID: 8fb5111eee03ee822f39afdd716f285e1d83877699bb06c3e7d34a19397bd125
Opcode Fuzzy Hash: 3d272ab5e925d4d4033d9ed50d0e6fcafcc062052e71da21c1b606b997a2d316
Instruction Fuzzy Hash: 16F027312003004FE7022B75B8513AD3B65DB47314B110477E003CBAA6ED19E94293A7

Uniqueness

Uniqueness Score: -1.00%

Function 04C16470, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd42db50b2c390538aa1765f39900f6fe1cb266c3d6bf1c75a06098d1cedc0c
Instruction ID: aed88b021ba396845b6e7b41b26955501fb10666f9039b7d79492805f682d44a
Opcode Fuzzy Hash: 2bd42db50b2c390538aa1765f39900f6fe1cb266c3d6bf1c75a06098d1cedc0c
Instruction Fuzzy Hash: F2F0E9653002402BE30597289C41B296B4AD7C3721F154179F005CF2D2CD21DC019364

Uniqueness

Uniqueness Score: -1.00%

Function 04C163F9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0802f642c3dedc331c88fd8584578584dc298f95d222194d74ce0fa9553d2e4
Instruction ID: a91fa418e9f5b1f99447b0f280a9f9786febd2e1e6f9c58ccc079c928e414de1
Opcode Fuzzy Hash: f0802f642c3dedc331c88fd8584578584dc298f95d222194d74ce0fa9553d2e4
Instruction Fuzzy Hash: 40F0E5563053943BE305562A6C42F6B6F8EDBC7A20F45046EF24DCB383D8508C0883B9

Uniqueness

Uniqueness Score: -1.00%

Function 04C15E28, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2bd183545e93559a81c1922132029d4c156e7c26d73df2c310afa37563fcd3
Instruction ID: e5a94b52e517631ecfd370dfee327a497d0606bae58603b76ab14c49990215e0
Opcode Fuzzy Hash: db2bd183545e93559a81c1922132029d4c156e7c26d73df2c310afa37563fcd3
Instruction Fuzzy Hash: CAE09B317101107BD714667A9C41F5A32DBEFC9710F144169F605DB290DDA4EC0143A8

Uniqueness

Uniqueness Score: -1.00%

Function 02710868, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679323160.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 896ed87e305c58250be6d7df8c13a66f1ba5bef09ee000e82ec99dafd6c64db5
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: B4F04635208645DFC302CF04D940B26FBA2EB89718F24C6ADED480B762C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04C114B0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcc2f51fd42c5930275798d52ab2af3e9b80e3a342df7a675d294b63c999799
Instruction ID: fc57649fd5db35a635946eaf8e354d444b3f89e4e22e49e7dbc9b48368e49caf
Opcode Fuzzy Hash: 6fcc2f51fd42c5930275798d52ab2af3e9b80e3a342df7a675d294b63c999799
Instruction Fuzzy Hash: 6AF082397443809FD7119B78EC1CA193FA5AF8B312B0101F6E506C73E6DB649C05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C1145B, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd51e53666304cdf70aaecf7123d235fc97cd3794b9f7a0c93b77fc4dba879b
Instruction ID: 7f3668a0a276cecf11cd79dbd37c711d5784e3d5b5af4fc4753889b6dceb11c2
Opcode Fuzzy Hash: fbd51e53666304cdf70aaecf7123d235fc97cd3794b9f7a0c93b77fc4dba879b
Instruction Fuzzy Hash: E4F0A7717042046FD704DBA4D851B9A7FE5DB45310F5040A9E509D7382DA329902C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 04C16408, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a54b2494b103370fb6e7a798bf666ffa0ffb3d67994a85c069f8afd5b372934
Instruction ID: afda885078ea57a187197460fcfb62140fed6645f75be90ea75c2025b9f86c1e
Opcode Fuzzy Hash: 6a54b2494b103370fb6e7a798bf666ffa0ffb3d67994a85c069f8afd5b372934
Instruction Fuzzy Hash: 04E0866630131437E344656F6C46F6BA78EDBC5B60F445439B20EDB382DC519C0446B8

Uniqueness

Uniqueness Score: -1.00%

Function 027105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679323160.0000000002710000.00000040.00000040.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb9350b3674bd5b9080561ac80d1f33f74ea93c7b7f14a297c9b20329280977
Instruction ID: 54b1a34a05d049f5f9f0b89c7b73f92aa3a788d599f0171e85a25ceb4fd77397
Opcode Fuzzy Hash: cdb9350b3674bd5b9080561ac80d1f33f74ea93c7b7f14a297c9b20329280977
Instruction Fuzzy Hash: FAE06D766006005BDA50DF0AEC81452FBD8EB84630718C06BDC0D8B700E536F5058EA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C102A8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae1369e91fc6faaae2dd0898ac8712330e07b34240145c0e3f205a766efb08c
Instruction ID: b1a89911b8d584f45d848c9864c0ca6b7a7a2a2dc37a55581a23847cdabe891b
Opcode Fuzzy Hash: 6ae1369e91fc6faaae2dd0898ac8712330e07b34240145c0e3f205a766efb08c
Instruction Fuzzy Hash: 63E092303103105BDB057B6AA85536E369ADB87741F50043AE107CABA8DD2AE94167A7

Uniqueness

Uniqueness Score: -1.00%

Function 04C11468, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1cad8a7c26c8700c9ada2dfb45a4e5f6409c840d35d0f35464c7c7a801d9ee
Instruction ID: 15d64418f5e8192216a4e4269ca70bbdb04033b76ba4166941899f5ca7ce580b
Opcode Fuzzy Hash: db1cad8a7c26c8700c9ada2dfb45a4e5f6409c840d35d0f35464c7c7a801d9ee
Instruction Fuzzy Hash: 5CE048717041186FC744EBA9DC51A9FBBE9DB85710F508069E50AE7341DE329D02C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 04C124E9, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd7fbe47a71e23b46bd099faf04045b210cf60e744d5d62881d98f7f2e57958
Instruction ID: 07d06d4c4521605dc286ef0ea4aac928fb174862bcd7e72c54c16a7ab946b93b
Opcode Fuzzy Hash: 3dd7fbe47a71e23b46bd099faf04045b210cf60e744d5d62881d98f7f2e57958
Instruction Fuzzy Hash: FBD01265948A818EF322A724E450FF03F219B47290F5707D6C084CB9F7CA141D02D396

Uniqueness

Uniqueness Score: -1.00%

Function 04C10780, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7862cdb3b1b2b4a5a9fa1cf4ad623606930d3f8048111c679ee1b20e1b4c0cf1
Instruction ID: e276022410030435e51cdddd4729814e1367405059715b5a6907acda00b8a8c1
Opcode Fuzzy Hash: 7862cdb3b1b2b4a5a9fa1cf4ad623606930d3f8048111c679ee1b20e1b4c0cf1
Instruction Fuzzy Hash: E2B0122235563813180D319D38128EDB38DC9C6975280206FF50E97342CD8A3D0103FE

Uniqueness

Uniqueness Score: -1.00%

Function 04C11369, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400078b6c4879b1b7b51391a1cbdb1095ae8366136b74a1af5c8ba5b51b25c08
Instruction ID: 8cfb08e80aad7f187eaad1d6b8f31a5c59ced8f75f5cbd693debb2329faf4522
Opcode Fuzzy Hash: 400078b6c4879b1b7b51391a1cbdb1095ae8366136b74a1af5c8ba5b51b25c08
Instruction Fuzzy Hash: 20C0806298D3D05BF3111714ED01B257E205762304F25487152C5DD5D5C765C4158729

Uniqueness

Uniqueness Score: -1.00%

Function 04C12513, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3ab3da232d7e7ad012ad8b0d7c84af26a3db2e4f1117b35f4ea5d11229975c
Instruction ID: b835672551ad20fd2db9fd7caa4984ed0463aee4d3a0a3eb6b313445afd005f6
Opcode Fuzzy Hash: af3ab3da232d7e7ad012ad8b0d7c84af26a3db2e4f1117b35f4ea5d11229975c
Instruction Fuzzy Hash: 0BC0801514CFC08FD305F72094505153F11A54711074747DAC1C0871F7C51C1C03D745

Uniqueness

Uniqueness Score: -1.00%

Function 04C100F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.681472512.0000000004C10000.00000040.00000001.sdmp, Offset: 04C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9ffc74370f6b915fd32e170795d7fbfdfebea8a279b48da2bf0f4aa0ea3468
Instruction ID: 9fba1a93e35418fbd4c99ffae88716c87fe89a0027b3ca2d384c1163cae8dfd8
Opcode Fuzzy Hash: 3b9ffc74370f6b915fd32e170795d7fbfdfebea8a279b48da2bf0f4aa0ea3468
Instruction Fuzzy Hash: CFC04899A4EBC18EEB132B74A918B297FA10F53602F0A04DAC0C2C54A3CAA94518C327

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: fullview.exe PID: 5616 Parent PID: 6168 fullview.exeCOMMON

Executed Functions

Function 06C70AEC, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06C70B47

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 435b6337bd6a6fa42a5338564f04dda408d446f2e214906f6dbc5b0da49a6c94
Instruction ID: a6e42b582375c12001082dbebef848987db451c4ca6bc79fd6e9301cd0461a2f
Opcode Fuzzy Hash: 435b6337bd6a6fa42a5338564f04dda408d446f2e214906f6dbc5b0da49a6c94
Instruction Fuzzy Hash: 99116D72500344AFEB21CF15DD84B62FBE8EF04224F08C46EED858B652D331E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C70AFE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06C70B47

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 30d79f016382b9a0aef6d0698c482a286512c2f89f6ef427c723ff8be2accbe9
Instruction ID: 76a7cc5cf0fabff7c93237444fa7aaf10d97ea985725114ed15bae10e9ed730d
Opcode Fuzzy Hash: 30d79f016382b9a0aef6d0698c482a286512c2f89f6ef427c723ff8be2accbe9
Instruction Fuzzy Hash: 59117071A003049FDB60CF56D984B66FBE4EF04224F08C4AEED458B652D375E518CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05122548, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726d077bd1667e0ba47fa1283ffb15cc8bb5ce791c53795842b125b1892dbef
Instruction ID: 3460125be66b40af312af6a39c8b6339ab08849fabe67e61e7a7d5824b8b1079
Opcode Fuzzy Hash: f726d077bd1667e0ba47fa1283ffb15cc8bb5ce791c53795842b125b1892dbef
Instruction Fuzzy Hash: 57625B35B012158FCB18EB79E45476EB7B3BB88300F24C52AC45A9B399DF359D66CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05126DA2, Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

(, xrefs: 05127047

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: bb35d8eed71fbf6908e76da5ef562c5fc7a6435ca3142abc451a6e5bc9b40003
Instruction ID: 77601f4e9b26044513805de73bf2ed2a698884cd8db31637d7d3beee3e2fc55e
Opcode Fuzzy Hash: bb35d8eed71fbf6908e76da5ef562c5fc7a6435ca3142abc451a6e5bc9b40003
Instruction Fuzzy Hash: 59E1FA757001549FD744DBA8D891B6EBBB2EF88314F24C059E9199B389CB36EC13CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06C71A1E, Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06C71AC9

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33e1d9265662d94094dc79be389a361c5dfd46945b63c15fb0f09dbda5811e51
Instruction ID: 11dfd6206ea7e17826f6a19759cde491849803bb3bff13d44642d20d89db4daf
Opcode Fuzzy Hash: 33e1d9265662d94094dc79be389a361c5dfd46945b63c15fb0f09dbda5811e51
Instruction Fuzzy Hash: 60317EB1504380AFE722CF65CC44F66BFE8EF06320F0885AEE9858B652D375E509DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010CAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010CACD1

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 25327b25f86cf3b602a47e71bfe810174e84324fd8aba484c5f741ccd3fe98ea
Instruction ID: 3a53abea6da7f9d2464751f12b6aee39f41fbc4db775730df42a1b106fe8d94a
Opcode Fuzzy Hash: 25327b25f86cf3b602a47e71bfe810174e84324fd8aba484c5f741ccd3fe98ea
Instruction Fuzzy Hash: C2319371504784AFE7228B25DC85FA7BFE8EF05720F0884AAED819B152D264E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010CAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 010CADD4

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ff7cc197e998f535a4ff96db603c2ebf2f62b71c321615104f1141abd3f5cc7
Instruction ID: 1ed999f09bbb51a9f99d8212b16f090e290b6f8fd89c248166ade34b748c9252
Opcode Fuzzy Hash: 2ff7cc197e998f535a4ff96db603c2ebf2f62b71c321615104f1141abd3f5cc7
Instruction Fuzzy Hash: CE3181715097849FE722CF25DC84FA6BFF8EF06710F0884DAE9858B153D264E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C70C88, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C70D22

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 4fb33df6d747c4f7130d7aec66b4899b7930504fcd9745882236829f2aa43cb1
Instruction ID: fe997c6ca54fd1b423f3aa44ca4618d3afca0da1bf5e5dc3469d37b8d5dffa29
Opcode Fuzzy Hash: 4fb33df6d747c4f7130d7aec66b4899b7930504fcd9745882236829f2aa43cb1
Instruction Fuzzy Hash: 3A21D5B25093806FE7228F24DC45BA6BFB8EF06320F08849BE984DB153C224E949C761

Uniqueness

Uniqueness Score: -1.00%

Function 010CA2AC, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 010CA346

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0682773e078fd392b9606d5eecb88510921a16c56c97c0cbf452714349d8b804
Instruction ID: 1175ceac6dfac41fac08c3fac042cc37431f586892dda242054ea582510c3d2f
Opcode Fuzzy Hash: 0682773e078fd392b9606d5eecb88510921a16c56c97c0cbf452714349d8b804
Instruction Fuzzy Hash: E231717140E3C06FD3138B259C55A66BFB4EF47620F0A80DFE884CB5A3D229A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 06C70E78, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 06C70F1E

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: d9e0bcd53c1ef91d79a979aa4643fc957c580e0e41b03c12bf79c2c986f41f52
Instruction ID: 2bc253db1b964d570c156141ed8370a8fd64273a2a0f809fddb31e8d4d5caece
Opcode Fuzzy Hash: d9e0bcd53c1ef91d79a979aa4643fc957c580e0e41b03c12bf79c2c986f41f52
Instruction Fuzzy Hash: F221A0714093806FD3128B25CC51F66BFB4EF47620F0A84DBE8848B593D624A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 06C70D81, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C70E12

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: a309331493ede187179b3c93d58f44f4860c0138205ac643ece585510f227b4c
Instruction ID: 5bd38f93e1eb23f0f999c5b2b476d616bc9cdc2845b955ddc3d283334ccefb36
Opcode Fuzzy Hash: a309331493ede187179b3c93d58f44f4860c0138205ac643ece585510f227b4c
Instruction Fuzzy Hash: 772197B1505384AFE722CF25DC44F66BFBCEF46320F0884AAE985DB152D264E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06C71154, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 06C711FA

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 6747abda0b5f842a6f6f5f1dd5b7ad9a446001044e835ff016d66bb6d5b02f72
Instruction ID: 01fc6d34eafd6a987646a56e92a39070238e19b904ead11d57df669384f87e93
Opcode Fuzzy Hash: 6747abda0b5f842a6f6f5f1dd5b7ad9a446001044e835ff016d66bb6d5b02f72
Instruction Fuzzy Hash: 34217F7550E3C06FC3138B358C55A21BFB4EF87A10F1D81DFD8848B6A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C71B20, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C71BB5

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2e77df7603d5dbadc05baaba44a0e10c36136127ab3bb29a5c5f8d35aa322682
Instruction ID: 1b86d2e50e57ae2d9e024b0525346c9ef089ef158ee9266df8692b0071803b17
Opcode Fuzzy Hash: 2e77df7603d5dbadc05baaba44a0e10c36136127ab3bb29a5c5f8d35aa322682
Instruction Fuzzy Hash: 4321C5B64087846FE712CB25DC40BA2BFBCEF46720F1884DAE9849B153D224A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 010CBC64, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 010CBCF5

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: f282c6049eba9c2ffdb112fc75ea003fe8fe365b9080237c0348e75739175108
Instruction ID: 9b1ac67ccffc45fecbbf600bcef374ef660ca5e20e643ae4b6eff45575976cf6
Opcode Fuzzy Hash: f282c6049eba9c2ffdb112fc75ea003fe8fe365b9080237c0348e75739175108
Instruction Fuzzy Hash: 44218E755093C49FD7228F25DC95B66BFF4EF06620F0984DBE884CF263D224A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C71A4A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06C71AC9

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79a4f7916df867a7b63db5e18472c6f2f76b808eda889be3698618b512370ab8
Instruction ID: d7b6fba249c8b0ba127783db32eba64f695d41d0c04a140d47c4f5ccee5a3d35
Opcode Fuzzy Hash: 79a4f7916df867a7b63db5e18472c6f2f76b808eda889be3698618b512370ab8
Instruction Fuzzy Hash: DA217F71A00740AFE721DF66CD45B66FBE8EF08720F08856EE9858B651D375E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C71224, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 06C712BE

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8049389de82a248454a8ecf20d3e84158d189ee7b13e0ed12b6959af436f1257
Instruction ID: 816469028259ff0753000e7f5b256c9893e7869f1f042701671246a3cc8518cb
Opcode Fuzzy Hash: 8049389de82a248454a8ecf20d3e84158d189ee7b13e0ed12b6959af436f1257
Instruction Fuzzy Hash: 5321C8755093C06FD3138B25DC51B72BFB4EF47A20F0981DBE9848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 06C7185A, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C718EC

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 19c0095b750fbfa5e689d1cbce65dbb27d0e331cc110e346597bbb22d7ed35e6
Instruction ID: 010dffe1f2ec9487f5121ded4e63eef9a538a15ee8c562bd96314a21d07b8fb5
Opcode Fuzzy Hash: 19c0095b750fbfa5e689d1cbce65dbb27d0e331cc110e346597bbb22d7ed35e6
Instruction Fuzzy Hash: 4621ACB2504380AFE7228F15CC84F67BFBCEF05320F08859AE9859B652C264E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010CAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010CACD1

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 20e13247f01b12ae95cabb8447507351970530121bf25fab8fcdf8842bad609c
Instruction ID: 786156290ddc6ded7f738d76603aecc9dba82e2d311856abe7d643e5638deea0
Opcode Fuzzy Hash: 20e13247f01b12ae95cabb8447507351970530121bf25fab8fcdf8842bad609c
Instruction Fuzzy Hash: D721A472600708AFE7319F59DC85F6BFBECEF04720F04845AED859B642E624E5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06C7094B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06C709C6

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5cc0c90f06aba33057c600e450ca9d78a02fade21343e247cef3c3ce079664a3
Instruction ID: 2ab87dee538791f63ab20bc0ca7667797c5f108fd2f5049e8b8733f5494aefc7
Opcode Fuzzy Hash: 5cc0c90f06aba33057c600e450ca9d78a02fade21343e247cef3c3ce079664a3
Instruction Fuzzy Hash: B9217FB25093805FE7528B65DC85B92BFA8EF06220F0984EAE884CB253D264E908C761

Uniqueness

Uniqueness Score: -1.00%

Function 010CAE43, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 010CAEC6

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 6c139e8a5cd510e0854dbcc0ac1339c8120f7c4653441bcb7ed94589f4c848fe
Instruction ID: e42b11275a4301a2fe61fd852b6b72d0f0da331a27086a3941e9161114cc6e33
Opcode Fuzzy Hash: 6c139e8a5cd510e0854dbcc0ac1339c8120f7c4653441bcb7ed94589f4c848fe
Instruction Fuzzy Hash: CB21A5715493846FD3128B26DC41F72BFB8EF87620F0981DAED848B652D225A915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 010CAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 010CADD4

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9a4e396346384cb69cedf56d86cdfce3d5fb73ed22b5b7414d022848d7dbd93c
Instruction ID: 5ea43b118c9624855eb8fb8c1082341f0bc846913d71107c1da4e73fe3c07f06
Opcode Fuzzy Hash: 9a4e396346384cb69cedf56d86cdfce3d5fb73ed22b5b7414d022848d7dbd93c
Instruction Fuzzy Hash: 232184716007089FE761DF19DC84FAABBECEF04710F04849AED858B656E764E404CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 06C70DAE, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C70E12

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: f5063f3f70df50fbaf4914a8f3b8c893bdaa714e28c39caf3572d3774898c370
Instruction ID: 4c796c16feba5424ca321f65b3a3027488a5934a2c605c249e20afac50ce1a1b
Opcode Fuzzy Hash: f5063f3f70df50fbaf4914a8f3b8c893bdaa714e28c39caf3572d3774898c370
Instruction Fuzzy Hash: F611AFB1600304AFEB61CF25DC84FA6BBA8EF04720F14C46AED45CB641D674E548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010CB42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 010CB4A9

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b457e2f2968ccdb7388b80cf291bb9e45410ff16cd62c0eb51c6cd7ea0b8495c
Instruction ID: c377203bc4accbdf3fe408ab31de3817ac4e3fdf7baa2dfd4c0df8e443cd4693
Opcode Fuzzy Hash: b457e2f2968ccdb7388b80cf291bb9e45410ff16cd62c0eb51c6cd7ea0b8495c
Instruction Fuzzy Hash: 4E218EB15093845FD7628F29DC45B62FFE8EF06614F0880CEED84CB293D265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010CBD39, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010CBDA4

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 59fe91924c0faaa406c7a8161540b08296d73fca16e578b2a55c423e97961aac
Instruction ID: 754602adb8d1df6fab1afbef3f4199ba37c1518b32dde8cb480fb19421201289
Opcode Fuzzy Hash: 59fe91924c0faaa406c7a8161540b08296d73fca16e578b2a55c423e97961aac
Instruction Fuzzy Hash: 322181714093C05FD7528B25DD81B52BFB8EF02210F0984DBED858F653D264A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C7187A, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C718EC

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7c4b5ac1f68e6c8aa13a056df70be08a089f128894f3eb3551944b5c20c7c2ae
Instruction ID: c912f70d38c3bf213d8c77b1d4ead3d22028d012cde13ff67bd34f0ef26f37f1
Opcode Fuzzy Hash: 7c4b5ac1f68e6c8aa13a056df70be08a089f128894f3eb3551944b5c20c7c2ae
Instruction Fuzzy Hash: 67118EB2600704AFEB718E16CC81B66FBACEF04720F08855AED459BA42D774E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06C70CC6, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C70D22

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 3e7baca1515f90e8d303ecbf9aef76bbcd7f252995a4fb27d184e979065359d7
Instruction ID: 9675c131eb116ef5b7f1fb03f0959ded529a282f9482e73f330bc7b5736680df
Opcode Fuzzy Hash: 3e7baca1515f90e8d303ecbf9aef76bbcd7f252995a4fb27d184e979065359d7
Instruction Fuzzy Hash: 341104B1600304AFEB61CF69DC44B6AFBA8EF04720F14846AED45CB641D674E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010CBDED, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 010CBE5B

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e1630e26c085e41aff622bc8e8d4696a57ec9264f1344ad15c28f0157df46f52
Instruction ID: 3711d0dfd9f06b432c1529d4a086c266e9b7fd6b5a3918d4c9a219574d8fe233
Opcode Fuzzy Hash: e1630e26c085e41aff622bc8e8d4696a57ec9264f1344ad15c28f0157df46f52
Instruction Fuzzy Hash: 1621A5715093845FD7528B25DC45B52BFE4EF02710F0980DEE9858F263D235A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06C7089F, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06C70904

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 739f6687eaac7cdf4f91785c7cfc3dea841147874fa5d6011769cf9ec03f0a26
Instruction ID: 39895fab9a842748364adf67b2940073837df45f5a5e89ec30f77d6d3a8f514e
Opcode Fuzzy Hash: 739f6687eaac7cdf4f91785c7cfc3dea841147874fa5d6011769cf9ec03f0a26
Instruction Fuzzy Hash: AC1193B55093C09FD7128B25DC94B56BFB4EF06224F0980DBED85CF693D279A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010CA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CA666

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6aa2e8477415e195068b17dcbbf6464cefd948c868e1989dba5939193914a81
Instruction ID: 781b7cb7b28a93de52a3df5a5a170fc8a476db5a1ec55b2a7a86885f6aaf8ae1
Opcode Fuzzy Hash: d6aa2e8477415e195068b17dcbbf6464cefd948c868e1989dba5939193914a81
Instruction Fuzzy Hash: AB11A271409380AFDB238F55DD44A62FFF4EF4A210F0884DEED858B553D235A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C707F6, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06C70858

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8f22be91850e6dd3d0c1a76b32a6f0605a50ea1f37b6a93e6217caaacdea76af
Instruction ID: 4eb49a6140aeef3076f64414c73d1bb2e2f79e7e30025e7f3cb3716dadf8779e
Opcode Fuzzy Hash: 8f22be91850e6dd3d0c1a76b32a6f0605a50ea1f37b6a93e6217caaacdea76af
Instruction Fuzzy Hash: 301181719093C09FD762CB25DC85792BFE8DF06220F0984EBEC85CF652D264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C70386, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C703FD

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b9d66a492db86625762657547fa9de8c0bff151b57a6cfaa99666c62a6775e18
Instruction ID: fa29cf196d486c73c2b55e91839c2cf137fd4628e44f1ee0823f04e729d2a355
Opcode Fuzzy Hash: b9d66a492db86625762657547fa9de8c0bff151b57a6cfaa99666c62a6775e18
Instruction Fuzzy Hash: EA21CD724093C09FDB228B21DC50AA2BFB0EF17220F0D84CAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C7210B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C72175

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61d4e956c37d4708812fc505d7d83fe4c69b1ae0730ecc4e2a805beccf32a6cd
Instruction ID: f15800a6e57ee17831affabe2f607a62c9116e64a428e8914b5b91e279969f60
Opcode Fuzzy Hash: 61d4e956c37d4708812fc505d7d83fe4c69b1ae0730ecc4e2a805beccf32a6cd
Instruction Fuzzy Hash: 181190724093849FDB228F15DC45B62FFB4EF46224F08C49EED858B563C275A958CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010CA97B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 010CA9DC

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a12674e14957bd885c7bcdf7944c31368bb651431ba4ab3763965e2cdd5ba1e1
Instruction ID: c758b31c9071039c79f016b855092bc801e6afc932ae1890c7ce7ed92f0e6ffb
Opcode Fuzzy Hash: a12674e14957bd885c7bcdf7944c31368bb651431ba4ab3763965e2cdd5ba1e1
Instruction Fuzzy Hash: FC11BF714093C4AFD7228F15DD84B56BFB4EF06224F0884DBED858F253D275A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C7097E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06C709C6

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 67a73b73e80c75a22400808066774460702a5be05fee04d07d9f256471d33149
Instruction ID: 3f4764e60086accd105ded6f8a9fa42103fd1a9d722105c68ffd12c21872a1db
Opcode Fuzzy Hash: 67a73b73e80c75a22400808066774460702a5be05fee04d07d9f256471d33149
Instruction Fuzzy Hash: 8D1152B1A003449FE7A0DF6AD845766FBE8EF14220F08C46EED49CB646E674E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06C71B62, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CDD40DBE,00000000,00000000,00000000,00000000), ref: 06C71BB5

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 222064b6af9e1f5125690b9f76539bc5f6c9b6e0a27959442a8a3b941784060f
Instruction ID: 10390d56f4c470d5134a6ca8c40c30764ce2411c7d5c3485d14afad79c09d3ef
Opcode Fuzzy Hash: 222064b6af9e1f5125690b9f76539bc5f6c9b6e0a27959442a8a3b941784060f
Instruction Fuzzy Hash: 8301D6B1504304AFE761CF16DD45BA6FB9CEF04720F18C09AED449B646D274F508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 010CBCAA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 010CBCF5

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 1007a552c96a0e1daaffe9d6cfe22002758638952dcf1e1f33a59b3a1c69cde8
Instruction ID: 64422ad025b7613436a455b1ff27948be172777c902500ebbd9cf2e51be4638d
Opcode Fuzzy Hash: 1007a552c96a0e1daaffe9d6cfe22002758638952dcf1e1f33a59b3a1c69cde8
Instruction Fuzzy Hash: 211170755003448FEB60CF1AD885B6AFBE4EF04620F08C4AADD848B606E734E404CE62

Uniqueness

Uniqueness Score: -1.00%

Function 010CA42A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010CA480

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 07d172a821374a4b6c802074f76c8845646909e8d515d4bf67e2ffe0a6084e0e
Instruction ID: 9aa975d0e7105454a646420b3f7bfa2b46902a8628ec31c43d39103713282892
Opcode Fuzzy Hash: 07d172a821374a4b6c802074f76c8845646909e8d515d4bf67e2ffe0a6084e0e
Instruction Fuzzy Hash: B0016D75509384AFD7228B15DD84B62FFA8EF46624F08C0DAED858B253D275A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 010CAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 010CAB46

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d09d462f7dbc21a4856869df1c06ead3775507a15d376cca50c606ad351f21a2
Instruction ID: 5c4019c171084d85181c61d237b4e639f505e28a2895086b70e389c98aafce5b
Opcode Fuzzy Hash: d09d462f7dbc21a4856869df1c06ead3775507a15d376cca50c606ad351f21a2
Instruction Fuzzy Hash: 9B11AC314097849FC7228F15DC84A52FFF4EF06620F08C4DAED858B263D375A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C70ECE, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 06C70F1E

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: e40bb82b9d39b02669a325f76ff284280490b73898d6fef496c9b5a3445bd76f
Instruction ID: a705c8d403722ae76c7b54a84398bd1049c11056454a0d1e5c540cd918a9f333
Opcode Fuzzy Hash: e40bb82b9d39b02669a325f76ff284280490b73898d6fef496c9b5a3445bd76f
Instruction Fuzzy Hash: 0B017171900600ABD714DF1ADC85B76FBA8EF89B20F14C56AED089B641D231B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C7081E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06C70858

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c69c92a026f3d7a05e87d74aa139a2e3251c8dd88792bbae24076443c48fba0f
Instruction ID: 55751a51388af2435237443fd6b25b8ef9476d0eacc665d18f316e9a3225e25d
Opcode Fuzzy Hash: c69c92a026f3d7a05e87d74aa139a2e3251c8dd88792bbae24076443c48fba0f
Instruction Fuzzy Hash: D60152B1A043408FDBA0DF6AD885766FB98DF04220F18C4AFDD49CF646D674E544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010CB45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 010CB4A9

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 139d6d3dee500782a7a2c74f8113bdaa337399a4afea2da0c23b9176f5666951
Instruction ID: 588ee318ac1e39246e293e5ff8eddfa9aa694e13f8cb8224f74133e3c2ebfd91
Opcode Fuzzy Hash: 139d6d3dee500782a7a2c74f8113bdaa337399a4afea2da0c23b9176f5666951
Instruction Fuzzy Hash: 24016D715042008FDB60CF1AD846B6AFBE8EF04A60F08849DED898B646E775E408CE72

Uniqueness

Uniqueness Score: -1.00%

Function 010CA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CA666

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d3773b5246730c5fd2e5d2ed52f18235a85ca272d94bb97b12f0bf0e3404054
Instruction ID: 26919e599e5e2b384dddb2b2e76585123d230566d837a0cff4980501b1ca759d
Opcode Fuzzy Hash: 9d3773b5246730c5fd2e5d2ed52f18235a85ca272d94bb97b12f0bf0e3404054
Instruction Fuzzy Hash: B4013931900704DFDB628F55D944B6AFBE4EF48620F08C8AAED894B656E275A418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 010CBE1E, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 010CBE5B

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e9cef6599249eff5f5b467c6d3d179d627b9a46ec3d017aa1967a8faf9383e6f
Instruction ID: 68aafc2fc5563d8a0fac4750ed76062d23288415920022b8a55ff9a8cae52481
Opcode Fuzzy Hash: e9cef6599249eff5f5b467c6d3d179d627b9a46ec3d017aa1967a8faf9383e6f
Instruction Fuzzy Hash: F0017575A007448FD7608F5AD94576AFBD4DF04B20F08C09EDE458B756D275E448CE72

Uniqueness

Uniqueness Score: -1.00%

Function 010CAE76, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 010CAEC6

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 19d77bc5797cfab883c9cb629ec956747f897e37eb098753e37940857d0bc906
Instruction ID: d6fdba6c8f7f3d07d3b251d8addec39969c1b317d0b3f65d87963eb97599fbe2
Opcode Fuzzy Hash: 19d77bc5797cfab883c9cb629ec956747f897e37eb098753e37940857d0bc906
Instruction Fuzzy Hash: BD01A271500600ABD224DF1ADC82B36FBA8FF89B20F14C11AED084B741D231F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 010CBD72, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010CBDA4

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a054b01c0cc4943b56a33ff7a0031722801a7fcda9b82ec15d15cec113e090bd
Instruction ID: 9741cad87457946241059e7b5ceaafab22b99f4d34a33430774c79cd66332dee
Opcode Fuzzy Hash: a054b01c0cc4943b56a33ff7a0031722801a7fcda9b82ec15d15cec113e090bd
Instruction Fuzzy Hash: 4E01B1755043448FDB609F29D98576AFBA4DF00620F08C0AADC898F646E674E408CE72

Uniqueness

Uniqueness Score: -1.00%

Function 010CA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 010CA346

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5fa6c96972b75778212da3e111d08c2aa3ec393a87779a9a7a25186c9ce056e1
Instruction ID: e7fe16e77b7dd0f4a7e8ab14233e1a358f101ee05b0daee30d647954cd8f191f
Opcode Fuzzy Hash: 5fa6c96972b75778212da3e111d08c2aa3ec393a87779a9a7a25186c9ce056e1
Instruction Fuzzy Hash: 4801A271500600ABD224DF1ADC82B36FBA8FF89B20F14C15AED084B741D231F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C708D2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06C70904

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3410d371e46752b6fed9fd0923d60f31691455dfde6b6e39daa7b58cc3346503
Instruction ID: f9de928c07096a2aae9b8b153d3c4f2d5123671297a3c1f4832c4628f00a678a
Opcode Fuzzy Hash: 3410d371e46752b6fed9fd0923d60f31691455dfde6b6e39daa7b58cc3346503
Instruction Fuzzy Hash: 130184B1A003409FEB508F2AD984766FB94DF04220F08C4ABDD498F646D274E448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06C711AA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 06C711FA

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 3466080db47a8be99f063dd5dee0168419f743bc27a3d8e64d4ce6acb0590a4d
Instruction ID: 2d7fdb896be9d2df43a82d4998c7e5b6dd0009829961bbabfe8a8e88c0ed15c2
Opcode Fuzzy Hash: 3466080db47a8be99f063dd5dee0168419f743bc27a3d8e64d4ce6acb0590a4d
Instruction Fuzzy Hash: C7018F71500604ABD224DF1ADC82B36FBA8EB89B20F14C11AED084B641D231B516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C7126E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 06C712BE

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f3eec034dfe81eb1ae1210f132792e16ab5809464d32c6cbea7d3c6020f640f2
Instruction ID: 2133d9ece0f98ea9201588ec6e1ef43d617703a796701945d57d8cb2a2ad0b1c
Opcode Fuzzy Hash: f3eec034dfe81eb1ae1210f132792e16ab5809464d32c6cbea7d3c6020f640f2
Instruction Fuzzy Hash: 63018F71500604ABD224DF1ADC82B36FBA8EB89B20F14C11AED084B641D271B516CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C7213A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C72175

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1432c71f5ac4e6ca09d1d02253ff8c762ec4639bb0b15f1e17b535a4394cca92
Instruction ID: 99e4705732eea7660d305bc503a51d9da789b2c4b190b9c019ea53cb410d5368
Opcode Fuzzy Hash: 1432c71f5ac4e6ca09d1d02253ff8c762ec4639bb0b15f1e17b535a4394cca92
Instruction Fuzzy Hash: C201D8319003009FDB608F16D844B65FBA0FF04320F08C05EDE454B655D775E558CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010CA9AA, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 010CA9DC

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 528d66348f5ba3fbc566b33c792f095146bab2d11e34ab2da1ed16d01b077ed9
Instruction ID: bf5b00eaf741135df10e26ce227d6b8c28da6cc54635eac6a7320b47da63ad07
Opcode Fuzzy Hash: 528d66348f5ba3fbc566b33c792f095146bab2d11e34ab2da1ed16d01b077ed9
Instruction Fuzzy Hash: 01018F74900344DFDB60CF59D9857A9FBA4EF04620F08C4AADD898F606E378A448CE62

Uniqueness

Uniqueness Score: -1.00%

Function 06C703C2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C703FD

Memory Dump Source

Source File: 00000004.00000002.759670528.0000000006C70000.00000040.00000001.sdmp, Offset: 06C70000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 613e774d5af73a831cfa0209eac7c5dd0eef8dc6c255f0cd32b331824f7fad1e
Instruction ID: cc61e3cf03ee3f1ec4fea151deeb43a9fb48073740f6584a674c8e2cd3f6e369
Opcode Fuzzy Hash: 613e774d5af73a831cfa0209eac7c5dd0eef8dc6c255f0cd32b331824f7fad1e
Instruction Fuzzy Hash: B8018B71A00300DFDB608F46D984B65FBA0EF18320F08C49EED894BA16D375E458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010CAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 010CAB46

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4da38ab1857e6d18213a09b26545014f15efb5e03e3c7da9b3dcf3bf5098f0ac
Instruction ID: f674ce481e3edb1b5d482b6b7981309f1cb0b2576693eea40d183fdda8b834f7
Opcode Fuzzy Hash: 4da38ab1857e6d18213a09b26545014f15efb5e03e3c7da9b3dcf3bf5098f0ac
Instruction Fuzzy Hash: CF01A231500704CFDB608F45D984769FBA0EF04720F08C49ADD854B657D375A408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 010CA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010CA480

Memory Dump Source

Source File: 00000004.00000002.755008560.00000000010CA000.00000040.00000001.sdmp, Offset: 010CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b1aacbebe411b099969991b020e3179c4069f124f83ac4ca4d0f1f5a29bf773e
Instruction ID: 5e42bb910e63e9320baf6bb9460aa1bacfbe094f4353d7b1b85d14595c3c28aa
Opcode Fuzzy Hash: b1aacbebe411b099969991b020e3179c4069f124f83ac4ca4d0f1f5a29bf773e
Instruction Fuzzy Hash: 1EF0A435A04348CFD7608F0AD988769FBA4DF44730F08C0AEDD854F656E779A448CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 05127189, Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

(, xrefs: 05127047

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: eb90ea7586da35728ec8d41e04fa9688b1672cc8d07d4b0c9492d3dba79fea1e
Instruction ID: 6c7188cee333adbead9036b8913b3bfe1a762a1b50725fd293dff97c6fbc4133
Opcode Fuzzy Hash: eb90ea7586da35728ec8d41e04fa9688b1672cc8d07d4b0c9492d3dba79fea1e
Instruction Fuzzy Hash: 2851E735B001449FDB44DB98C891A6EF7B6FB88304F24C159E9199B389CB36EC13CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05127058, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0512712D

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: 07604b70ca45b63b9ed1d081ba1eeb47c147ca747711eebc35ebea4f12408249
Instruction ID: 599e82d8e0fdec69b2cd058d87d1d7cb059da2019c845d05021a8453b98f9cc0
Opcode Fuzzy Hash: 07604b70ca45b63b9ed1d081ba1eeb47c147ca747711eebc35ebea4f12408249
Instruction Fuzzy Hash: F341AF35700215AFD718DB68D850B6EB7B2FB89314F24846AD816DB3D5DB76EC12CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05121D90, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05121E45

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: bfb94d8a9636b81279df921403ff86430330622bbf7044c6f4a39321f439eab6
Instruction ID: 44a84f22c60209c20c9b18eed5915973f7e79a72edc7771ed989098dca9ecf51
Opcode Fuzzy Hash: bfb94d8a9636b81279df921403ff86430330622bbf7044c6f4a39321f439eab6
Instruction Fuzzy Hash: B741CD31F0520A8FCB14DBB9D8146EEBBF2FFC9210F14806AE505EB258EB359905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05121E18, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05121E45

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 3f9758c60bd456fda3f5a48ee869cfb5e15fa2d1e4497b4d0bd97759ed2a934f
Instruction ID: 51bf380aea62c8eab5350943d4a08b5ac2fff8d817970723330a78485e161e69
Opcode Fuzzy Hash: 3f9758c60bd456fda3f5a48ee869cfb5e15fa2d1e4497b4d0bd97759ed2a934f
Instruction Fuzzy Hash: 21413930F401199BCB14DFAAD854AEEBBF6BF88710F148069E915BB244DB759C44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05120006, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0512007A

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: acca56819aa4af0436117347e82c90b8ff657b687ddcb33f6dd1944571a6a799
Instruction ID: ee544b43e094cc513d4858591491088f2e71de844805668544edb74f46961945
Opcode Fuzzy Hash: acca56819aa4af0436117347e82c90b8ff657b687ddcb33f6dd1944571a6a799
Instruction Fuzzy Hash: 4C21E13140E3C14FD343AB30AC246953FB2BF87210B1A41EBD9C18B697DA6C4D68D362

Uniqueness

Uniqueness Score: -1.00%

Function 05122538, Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9eabe9b486e5b41d5dd4b431a1d59ab66c05a3d01251ff8eaff719ef58748d0
Instruction ID: 75aa478e800a00fc155d5c33f447c34a1197e36cf3779cc67d4e0d8f42f4a237
Opcode Fuzzy Hash: e9eabe9b486e5b41d5dd4b431a1d59ab66c05a3d01251ff8eaff719ef58748d0
Instruction Fuzzy Hash: 7B526B35B012158FCB18EB79E45466EB7B3BB88340F24C52AC41A9B399DF359D66CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05123700, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341269ca9deec53b38eb1103b106e2389502272831e7b89276511fbe5c29ccad
Instruction ID: bd53ae25b9af0dc332b97bafd2bafc718f65fcafb72923aefb69f86b84a9216d
Opcode Fuzzy Hash: 341269ca9deec53b38eb1103b106e2389502272831e7b89276511fbe5c29ccad
Instruction Fuzzy Hash: BAB1C370B00228DFDB24DFA8D454BADBBB3BB45701F25896AE416AF385CB78CC518B41

Uniqueness

Uniqueness Score: -1.00%

Function 05123753, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffeaa4a4aceb5c9d927a0f3415eb266af34d7a6d8b0393d93e2db6756ddd92f
Instruction ID: 66c7808b232786c17c9661c90503fb2a196f02245fb57c291c2c22fa2cb2e071
Opcode Fuzzy Hash: dffeaa4a4aceb5c9d927a0f3415eb266af34d7a6d8b0393d93e2db6756ddd92f
Instruction Fuzzy Hash: 01B1C230B00228DBDB14DFA8D454BADBBB3BB84701F24896AE416AF385CB78DD50CB41

Uniqueness

Uniqueness Score: -1.00%

Function 051233A8, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e138e3d3ef6163d3996873107f32f8d7f773fe91a3ad20dae55ffcd4557bac8a
Instruction ID: 2395711b2d550c4b933b0be37bce9a7ef922f2f513eb31cadf20a4da3d90e110
Opcode Fuzzy Hash: e138e3d3ef6163d3996873107f32f8d7f773fe91a3ad20dae55ffcd4557bac8a
Instruction Fuzzy Hash: 3F919F31B002158FCB58EBB9D4546AEB7E3BFC9700B25846DE806EB395EE35CC158B91

Uniqueness

Uniqueness Score: -1.00%

Function 05121A60, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec01d76b8cb2cdec490c3f30c1b6a3c2a135e986bb39bab8b9f68d52b5f3acf
Instruction ID: e7011b6864b0d513820d9c960d980604937890fae08b0cb164f6daaa5ea61e17
Opcode Fuzzy Hash: 7ec01d76b8cb2cdec490c3f30c1b6a3c2a135e986bb39bab8b9f68d52b5f3acf
Instruction Fuzzy Hash: AD513934B012089FDB54EB79C458B6DBBF3BF88700F25806AE906EB7A5DE759C018B51

Uniqueness

Uniqueness Score: -1.00%

Function 05121A70, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9730bf9109dcb4dc3d2536a5f0f5ff1ca1dcb756198281a28666663854bd26c7
Instruction ID: 0206babfc659db729cd938dd4740b8413c11ea121028803efe6a9ce6aded1466
Opcode Fuzzy Hash: 9730bf9109dcb4dc3d2536a5f0f5ff1ca1dcb756198281a28666663854bd26c7
Instruction Fuzzy Hash: 8F513A34B012189FDB14AB79C458B6DBBF3BF88700F25806AE906EB7A5DE759C01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05124F10, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7266f3d491ca843467c82835f475de161b712734909eeaba6186e842d99419
Instruction ID: 8682c4d6a2f5adc318030ba118a9e6bbc3f1d25e56fd2d01294990ef36966091
Opcode Fuzzy Hash: 4b7266f3d491ca843467c82835f475de161b712734909eeaba6186e842d99419
Instruction Fuzzy Hash: 0D518E31A11114DFCB18DFA8D894AADBBF3FF88310B158169E516AB3A4CB71E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05124F0B, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2e223d0afba00a0740233b35e56d6041c2ae24b1280d49f3e818ef8b71c3b1
Instruction ID: e2508714b1a0833b7ce81cf1b2356cf2d2af8219da2e78ec85b8b16804790699
Opcode Fuzzy Hash: ed2e223d0afba00a0740233b35e56d6041c2ae24b1280d49f3e818ef8b71c3b1
Instruction Fuzzy Hash: 39516D31A11214DFCB14DFA8D894AADBBF3FF89310B158169E516AB3A4CB31E851CB91

Uniqueness

Uniqueness Score: -1.00%

Function 051264B0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7647502d95dc260fb5deb8307b767824cca2c0ed51f5015cc1ad4a4fd0bcc4d
Instruction ID: 7739a44cb8ddb972ee0d0f679d6a2d50b28453abd95ec49dc79293aa5d281c1e
Opcode Fuzzy Hash: c7647502d95dc260fb5deb8307b767824cca2c0ed51f5015cc1ad4a4fd0bcc4d
Instruction Fuzzy Hash: 8751C2B491A3418FC750AF70E45C85EBBE2FB88755B50C91AE98193309EFB9C842CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05126211, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3733ef0503ed1176925714e0d0ae5da11742879cdad421dba123bfeb1e0a5e9f
Instruction ID: a3c61e83407eb4c5de0dbcda17ebc2973a110873393347b1745e0ccb0e2cfa31
Opcode Fuzzy Hash: 3733ef0503ed1176925714e0d0ae5da11742879cdad421dba123bfeb1e0a5e9f
Instruction Fuzzy Hash: 45418231701222ABC758EB78E994A3E73A3ABC5350710C92AD917873D8DF34DC26CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05124F5E, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f451d006bc94abe9f03d0d13e09e3f7f7e2259b95ce12b02634daf544720c1b5
Instruction ID: 286eed3dface2c86ec1ee93a27312fd96c8d4b4ed2d9d6aecb9861c5dd3c0b4a
Opcode Fuzzy Hash: f451d006bc94abe9f03d0d13e09e3f7f7e2259b95ce12b02634daf544720c1b5
Instruction Fuzzy Hash: FD416831A01114DFCB04DFA8D894AADBBF3FF88310B2581A9E506AB364CB31EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05120798, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fc7e5360cfe0d558a98396bca20886eab4c58f1ef201e31db560bae3c95497
Instruction ID: c6d4b12b1a586cd5969119230cfb9351b1368ac7bb4210e60a4d6b6a8bbdcdeb
Opcode Fuzzy Hash: 71fc7e5360cfe0d558a98396bca20886eab4c58f1ef201e31db560bae3c95497
Instruction Fuzzy Hash: 9D31F3317403109FE7546B28DC0E77D7692EB88B04F44826EF586DB2C9DF798855CB81

Uniqueness

Uniqueness Score: -1.00%

Function 051250D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3146fc2383b552532e85f2335ab8d952730517a36df8fd55d841c027c5454b
Instruction ID: 457e78a5dcb4558d5301566f4a394b9a41ea036311594987b40ae07ef43c58cc
Opcode Fuzzy Hash: be3146fc2383b552532e85f2335ab8d952730517a36df8fd55d841c027c5454b
Instruction Fuzzy Hash: 79411930B102149FDB08DB69C458BADBBE7AF89704F25406AE406DB7A5EF759C048B81

Uniqueness

Uniqueness Score: -1.00%

Function 051230F8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4697f8559b7e6eec3c3e697f8612b4e273a4d57d21b63bc0bc96282ef1ce125f
Instruction ID: 285de2b6ad823f2853d22ea276acb0ff24cfbe62d18f040b33c3848ca91af5b5
Opcode Fuzzy Hash: 4697f8559b7e6eec3c3e697f8612b4e273a4d57d21b63bc0bc96282ef1ce125f
Instruction Fuzzy Hash: D3410630A093468FC718EF79D45462E7BE2FBC4704F50882EE49A97398DB34D91A8B52

Uniqueness

Uniqueness Score: -1.00%

Function 05124AC1, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc35e9df9d57915cdcd25ac77865fc7092f3e20d9d49167292cac9fc4166f56
Instruction ID: 805b48be80cd4d47a8ee84f6fd172c99ee25ed2cde02502899978304444b1266
Opcode Fuzzy Hash: 9dc35e9df9d57915cdcd25ac77865fc7092f3e20d9d49167292cac9fc4166f56
Instruction Fuzzy Hash: F1319030B08635CFCF75CB68C4907BAB7F1BF45215F19856AE066CA291C3B5D524CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 010DA5FC, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1802d3a198b4e881c66a49ed9a3b25e9757d65b51fcd00a20a698f3fc23c76
Instruction ID: f993f7fbc33affdd98b0aba2b6c7703c57fc18d8616140f52e23c49318b0dc48
Opcode Fuzzy Hash: 1e1802d3a198b4e881c66a49ed9a3b25e9757d65b51fcd00a20a698f3fc23c76
Instruction Fuzzy Hash: 4B316FB55093809FD301CF29C844956FFF4EF8A624F09899EF888DB212D230E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05121810, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823771ea98617d0e22a87befa6ed0fc2bc28dbf625bb04c889833ee2c67880b7
Instruction ID: d2fbcf4903ed090f847f6578490be68802c8b38f83aa9a52158e0845aed2d757
Opcode Fuzzy Hash: 823771ea98617d0e22a87befa6ed0fc2bc28dbf625bb04c889833ee2c67880b7
Instruction Fuzzy Hash: 10210335A88264EBD729CA7CD8C07BAB7E6EF45310F05453BE563C6A80C334D525C691

Uniqueness

Uniqueness Score: -1.00%

Function 051249A6, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d6bcbdac5ff4e21c57d060de7efbb47de33b39d9a86e56b75a4539a5f164e0
Instruction ID: 9caf5c05ea53474c7f8e083d21ca9d0cac581a5dc13be89e61c7a7b1a5fd6476
Opcode Fuzzy Hash: 34d6bcbdac5ff4e21c57d060de7efbb47de33b39d9a86e56b75a4539a5f164e0
Instruction Fuzzy Hash: EF21BF31A04621CFCF24CB79D9517BAB3E2FB48325F15822BA0BADB2D1C3B8D564C655

Uniqueness

Uniqueness Score: -1.00%

Function 05120638, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8a6de3802a985ebbd227347565ebeac78ad27c5ceaab01cd9ac3bc48057c9d
Instruction ID: a2d6b8fa7294ded89171ff9842f322d4ba468d09c73e2a46bd48e8e87352f8ac
Opcode Fuzzy Hash: 8f8a6de3802a985ebbd227347565ebeac78ad27c5ceaab01cd9ac3bc48057c9d
Instruction Fuzzy Hash: 50214C716081268FD728CB6AD84DBBAFBB2FB89300F058727E091D7691D3749960C751

Uniqueness

Uniqueness Score: -1.00%

Function 05121800, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a376e6575787d2ff280aec96e97b6a31a466120a26bdf69da2f2e0c86cad557
Instruction ID: 50a2073245d45ba510c4de42c32166f369c2cfa18557983fa1bc65fc25ebb660
Opcode Fuzzy Hash: 3a376e6575787d2ff280aec96e97b6a31a466120a26bdf69da2f2e0c86cad557
Instruction Fuzzy Hash: DC21D535A84168ABDB29CB78DCC07FB77B6FB45310F15413BE512C6A80D334D925C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 05126718, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09174fe3d428f6b1728e74a7d3a0a4d83288b90dd9fdf0fb2d9cca6b799956c6
Instruction ID: 4d03b04541048eb57983253fab6a88ad7447cd70228fa3591effb068764fe2ec
Opcode Fuzzy Hash: 09174fe3d428f6b1728e74a7d3a0a4d83288b90dd9fdf0fb2d9cca6b799956c6
Instruction Fuzzy Hash: 7C215170B00219CBDB28EF75D458AAE7EF6BB48A54F140429E502EB394DF799851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05126420, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2f6e86abc036f0ca8d0ef827ee5e32687e358b8958edd3727c853a3d919f84
Instruction ID: 87d3f37ada362a6e48c9a40f72dc72adf50d0e8c06fee0a340c7595aa72646a8
Opcode Fuzzy Hash: 3e2f6e86abc036f0ca8d0ef827ee5e32687e358b8958edd3727c853a3d919f84
Instruction Fuzzy Hash: 9111EF32F003129FCB649AB99855A6E77E6FB84250F20803ED505C7385EF32C812C790

Uniqueness

Uniqueness Score: -1.00%

Function 051269F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6da310a79c7ba91af85e5e904245f3fbfa2cac63fa25efd8453e7c49aefb06e
Instruction ID: 6358f05412632da6bfe19db228967e8a1d03fec0dd4ee0339a1d70bc1710bdff
Opcode Fuzzy Hash: a6da310a79c7ba91af85e5e904245f3fbfa2cac63fa25efd8453e7c49aefb06e
Instruction Fuzzy Hash: 3E215170B00219CFCF28DF75C5586AE7AF6BB48650F209428E502EB394EF799851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010DAA18, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51dfdc2ea227d1fd6aa82eea7f696ffb550096f86b1a2b7432efd78b6434385
Instruction ID: 2c3a6f1c279138ce52ca4a4edc57a16465d3d98a5b86a12ff0650f7641002bb3
Opcode Fuzzy Hash: f51dfdc2ea227d1fd6aa82eea7f696ffb550096f86b1a2b7432efd78b6434385
Instruction Fuzzy Hash: 06218EB150D3806FD302CF25DC50956BFF4EF86620F0988DAF8888B213D234A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010DA960, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0254ade05dbcbb9447e6587d5ad1f0214af74c55190fd910c016627c3d77afcc
Instruction ID: b80443f73130c8cd6eae1d9a4775b7b577a32a42b514b451d1858007d5a72256
Opcode Fuzzy Hash: 0254ade05dbcbb9447e6587d5ad1f0214af74c55190fd910c016627c3d77afcc
Instruction Fuzzy Hash: D4215EB550D3806FD312CF15DC51957FFE5EF86620F09889AF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05121658, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2fc571391fa426b33acbc4bb865b29a68165887a9fa0b41d988d941812428d
Instruction ID: 20f0653f4db44a9956b31071620b3fed300999ff3451b79bd4742f8d8bcf8912
Opcode Fuzzy Hash: bc2fc571391fa426b33acbc4bb865b29a68165887a9fa0b41d988d941812428d
Instruction Fuzzy Hash: 24110432A052158FC314EF58E858AAE7BE6FB81310F55C47ED9488F705D7BA8855CB50

Uniqueness

Uniqueness Score: -1.00%

Function 051232E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f6d4434e1b68a1cc7de56072db0ba0f668cdcf9f4c25afd17e498bbf0ff21d
Instruction ID: b9ffa190ad8e9f12126a62241936a286594879b8700c20d3ca8ca5e203d6bd9c
Opcode Fuzzy Hash: 77f6d4434e1b68a1cc7de56072db0ba0f668cdcf9f4c25afd17e498bbf0ff21d
Instruction Fuzzy Hash: 96216D71905358EFCB109F6AD844BDDBFB8FB09320F248419E819AB740C7796994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0512523D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2975eaa3fb5915ae7cb1af3d1b3349e4140a8b620feb9970dc981a6732720506
Instruction ID: 9ffe3709add74e53f1f7d22c21c18eac725791f7a656949ad932f4f41b597d84
Opcode Fuzzy Hash: 2975eaa3fb5915ae7cb1af3d1b3349e4140a8b620feb9970dc981a6732720506
Instruction Fuzzy Hash: 47116D30B44214DFCB15DB65D998B6DBBF3BF45304F5A01AAE106DF2A2CBB65C058B01

Uniqueness

Uniqueness Score: -1.00%

Function 05121961, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41389da97298f24d5597aab6d99d30482f13f5b7d02eab36bd4c00d24215a08e
Instruction ID: c1ea66f10b4cc9b5dd715b5e0dd085b5c7316e8dea6684846bc8157f90978fa2
Opcode Fuzzy Hash: 41389da97298f24d5597aab6d99d30482f13f5b7d02eab36bd4c00d24215a08e
Instruction Fuzzy Hash: D521A1315053498FC704EB28E84C7893B62FF81705F55C6AAD0444B32DEFB8D819CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05126CBB, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f97f4c1927bfe4775f5ebdaffc40fdfad2daf8bc703932d3c52262933fce1b
Instruction ID: 1147901cccf0bb56bf4f5b441616a8725c8d42f90e30d3c922ebbff2b7219ddf
Opcode Fuzzy Hash: 00f97f4c1927bfe4775f5ebdaffc40fdfad2daf8bc703932d3c52262933fce1b
Instruction Fuzzy Hash: A21129366041389FD764DF68EC006AA77B5FB84334B114A27E919C21C0DF7198358761

Uniqueness

Uniqueness Score: -1.00%

Function 011107AC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755162444.0000000001110000.00000040.00000040.sdmp, Offset: 01110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb451c583df2d62c08267d7121417fb50d05b7138bf18b128503dd269b8ef3eb
Instruction ID: d18e59ee755132607d3e7cc0ebd9a3541c6bbf626d95ff6f7803e3604e1798ce
Opcode Fuzzy Hash: cb451c583df2d62c08267d7121417fb50d05b7138bf18b128503dd269b8ef3eb
Instruction Fuzzy Hash: EC11A230A08744DFD319DB18D940B26FBA1AB88708F24C9BCF9490B657C77BD843CA91

Uniqueness

Uniqueness Score: -1.00%

Function 051269E8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87b00952a5ca6575c1bee56cbb839ec434c06f007b9ea8a118f8591cf2d2eeb
Instruction ID: 5b213741a59bfc2ceec016095105e3d262c41e517be6643b2232d8b66a934b94
Opcode Fuzzy Hash: c87b00952a5ca6575c1bee56cbb839ec434c06f007b9ea8a118f8591cf2d2eeb
Instruction Fuzzy Hash: 58116070A05215CFCF28DB74D5546AE7AB2BF88650F245468E502EB394EF39C851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01110776, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755162444.0000000001110000.00000040.00000040.sdmp, Offset: 01110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45846fdde6569a168f9955bcbc7fabdebd1c911724c2c0c2b66bc0f01ba11a3a
Instruction ID: c2d9d14e0758832409e8516a07e768d13a6ab0897a372a3576815fcc27ee52cb
Opcode Fuzzy Hash: 45846fdde6569a168f9955bcbc7fabdebd1c911724c2c0c2b66bc0f01ba11a3a
Instruction Fuzzy Hash: 2221493590D3C08FD7178B20D850B55BFB1AF4A318F2985EED8848F663C33A8846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05126707, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d3942ab4cf6bbf47fc22201982249312a906fa03fd1adba1f9187929f9fd2
Instruction ID: 7d3174b42636103a9eda2f1285d5d96eecf2c3106105fc6c155f6e4764070248
Opcode Fuzzy Hash: fe6d3942ab4cf6bbf47fc22201982249312a906fa03fd1adba1f9187929f9fd2
Instruction Fuzzy Hash: BF116D70A00215CBCB28EFB5E4586AE7FF2BB48610F140429E502EB394EF798891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0512059F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d481362579d09c500734f97c24fd0f46cb8bed7673af2f988330e521d4c239
Instruction ID: 8b3572f1233206d3d848132b8e4e609aae75f0a071ec3b1c3a697cb9df44886f
Opcode Fuzzy Hash: 25d481362579d09c500734f97c24fd0f46cb8bed7673af2f988330e521d4c239
Instruction Fuzzy Hash: F1114E6251C531CAE72CC63D984937577F2BB89325F09877BD466C80F5D76CC0629214

Uniqueness

Uniqueness Score: -1.00%

Function 05121391, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0916f373425c4e8f4682c7306902a0bae6169b0ddd79a87bcb0ced2ea7a0e4fd
Instruction ID: 1ad72721d241a869873875166761fe65180fa928d8910400418ce276fe481f77
Opcode Fuzzy Hash: 0916f373425c4e8f4682c7306902a0bae6169b0ddd79a87bcb0ced2ea7a0e4fd
Instruction Fuzzy Hash: BA018F32B585706AE328C52E9D40B77B69BF785235F058333A4AAC6680FB69D9608690

Uniqueness

Uniqueness Score: -1.00%

Function 051213A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f148fcb4f2f8163fbafa4bc9b4ae8000e1fac71212c8fb7b3f2d709ede86c84
Instruction ID: 37702f2f3bd7e9a6daf88006a24a5335c96664e934bbc92a4a95cb3876288da7
Opcode Fuzzy Hash: 4f148fcb4f2f8163fbafa4bc9b4ae8000e1fac71212c8fb7b3f2d709ede86c84
Instruction Fuzzy Hash: 87016222B9807466E328C42ED940B7B718BF784235F158333B09AC6684F769DDA0C691

Uniqueness

Uniqueness Score: -1.00%

Function 010DA834, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ebadc633ab68a77ff78d491190539f9e74d660dbc4562b52a781acf0c10975
Instruction ID: 8cecbe6cb3baabbc00e1c1e066b5f1be9db951da6d0d7aa477a53938a7932d97
Opcode Fuzzy Hash: 90ebadc633ab68a77ff78d491190539f9e74d660dbc4562b52a781acf0c10975
Instruction Fuzzy Hash: 01010CB5644301AFD310CF09DC41E67FBE9EB88A60F14C96EFD5997311E271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 011105D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755162444.0000000001110000.00000040.00000040.sdmp, Offset: 01110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7a3f6b83a1398dcf5da88ac80e39c997b8486bc973c048f1650a1541f9acd6
Instruction ID: 7e09986c510259934c04d68de5dc3fc297921fb57d47997d841cbd66db8029f3
Opcode Fuzzy Hash: af7a3f6b83a1398dcf5da88ac80e39c997b8486bc973c048f1650a1541f9acd6
Instruction Fuzzy Hash: 4F0186765097806FD7128F16DC54872FFB8EF86620709C59FEC49CB612D225B909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05122200, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb729923341e8fe2b52d3cb00b8e1d5c58709872a125097e7a05c858e0b673f7
Instruction ID: c4343380a8f55d052fa7baba6cdb75fc8281877bf246117e53581c42f76dc60b
Opcode Fuzzy Hash: eb729923341e8fe2b52d3cb00b8e1d5c58709872a125097e7a05c858e0b673f7
Instruction Fuzzy Hash: 8FF0DD3170A3404FC72457B8B8143AE3FA2AF82310724807FE545C719ADB368C028751

Uniqueness

Uniqueness Score: -1.00%

Function 010DA790, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de38781795f9a16e19bb18dd4a3de2919b003ca90016bf25d4f9005feceb34f
Instruction ID: 5f853f7caf632618ca4df8056e920d7ec6a968fa99076b6a7c78377c873843cd
Opcode Fuzzy Hash: 2de38781795f9a16e19bb18dd4a3de2919b003ca90016bf25d4f9005feceb34f
Instruction Fuzzy Hash: A2F081B26443007BD7108E05DC41E63FBE8EB84A60F14C96AFD4957211D271E9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 010DA8E8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf694c9d54fcab0c298f003393b31f00e4c24a41f3ae8652b4e128c6fa8fa736
Instruction ID: 2324f82efcdeb9745ee07ada2b9b59cf16d8b6a775318e254b4fb1f8f168309d
Opcode Fuzzy Hash: bf694c9d54fcab0c298f003393b31f00e4c24a41f3ae8652b4e128c6fa8fa736
Instruction Fuzzy Hash: C3F081B66043007BD3108E05DC41E63FBE8EB84A60F14C96AFD4957211D271E9048AA6

Uniqueness

Uniqueness Score: -1.00%

Function 05127310, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4923f6e81ef41318827bc03cb807ecac838b547732ccadb4decd4ea12d6ca7f5
Instruction ID: 199fa817491f8ae0ee25312dc9a071e87e5ec88fab253628e53688e4353da080
Opcode Fuzzy Hash: 4923f6e81ef41318827bc03cb807ecac838b547732ccadb4decd4ea12d6ca7f5
Instruction Fuzzy Hash: 75F0C835319511DBC338861DD854F7B3692EB86311F1940B6E85ACB7C6C7368C66C781

Uniqueness

Uniqueness Score: -1.00%

Function 05121648, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfe7eabd361c09456b86160762f87dc5457a592c640dcf3b73445e89bcd70a6
Instruction ID: ae81f6a6dc80a46d8c6dd293fa3002c31f04511991b67a37ccd477119e8aea51
Opcode Fuzzy Hash: fcfe7eabd361c09456b86160762f87dc5457a592c640dcf3b73445e89bcd70a6
Instruction Fuzzy Hash: 2D01D132B06210DFD304DB58E458ABA7BE5FB41304F49C4BAE9488F252D3BA8C59CB10

Uniqueness

Uniqueness Score: -1.00%

Function 05125E28, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2aa64355eea4f1660c3f94e0e7c3e76b0b99551aad5056390d78fa2fa2d4f8
Instruction ID: ab25562ced711e6cc3d9bea64f5fc501be6e22510cb1c85577a0b53414bc73b3
Opcode Fuzzy Hash: 3a2aa64355eea4f1660c3f94e0e7c3e76b0b99551aad5056390d78fa2fa2d4f8
Instruction Fuzzy Hash: 5DE09B313102116BD724667A9C41FAE769BEBC9B10F25412AF605DF380CEA0DC5083A8

Uniqueness

Uniqueness Score: -1.00%

Function 01110868, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755162444.0000000001110000.00000040.00000040.sdmp, Offset: 01110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: b568bb973c78ffc24b524ff57230af5a38a328dbbd7e94a4f087ed63e5fdfb64
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: E7F04635608644DFC206CF04D940B26FBA2EB89718F24C6ADE9880B766C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 05120299, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a768586089ea8c96f7618d4791f03bddf5da4207d9715f4e8921d7c68d78a25
Instruction ID: acb518beca1957ec6d62e3fbed8547a60f62ca04b7847b841421e96b37b2ff1a
Opcode Fuzzy Hash: 4a768586089ea8c96f7618d4791f03bddf5da4207d9715f4e8921d7c68d78a25
Instruction Fuzzy Hash: 41F0E5313112215BDB256778E81936E3759DB49750F81043BE547CA685EF2FE9114B81

Uniqueness

Uniqueness Score: -1.00%

Function 051214B0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808a977353d6b76ee2c584962f8bc2973514d3afb0cdd76b20ae1bc71f018282
Instruction ID: dd8b25b301948df10ac1a11bf8eda523ea4e4c97a28f4f04ca5c228a96cdc1ea
Opcode Fuzzy Hash: 808a977353d6b76ee2c584962f8bc2973514d3afb0cdd76b20ae1bc71f018282
Instruction Fuzzy Hash: 58F0A7393013508FDB21AB78E91CA593FF2AFC935670500EAE586CB2E5DA758C05CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0512145B, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce3ea8e40cd253be9ca01f94eaa60491d854088a03fb2162febfea88741c648
Instruction ID: b4b092544b3414683fc175c2cc0b5e5ba4b6e8b5a346a5dc37b4de5d6ec66143
Opcode Fuzzy Hash: 2ce3ea8e40cd253be9ca01f94eaa60491d854088a03fb2162febfea88741c648
Instruction Fuzzy Hash: 8DE09B717012046FD744EBA5CC5179EB7FAEB44210F54416EE849D7341DE335D02C794

Uniqueness

Uniqueness Score: -1.00%

Function 011105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755162444.0000000001110000.00000040.00000040.sdmp, Offset: 01110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2ba127c2b6730e43543f7aa864c0483fbb2eee942fcb76464b5bf99d8afe2e
Instruction ID: 74fc3437426f9ea7439e4353219b6f58e58842d2d5c2ff798f1e7abbce67ee26
Opcode Fuzzy Hash: 7b2ba127c2b6730e43543f7aa864c0483fbb2eee942fcb76464b5bf99d8afe2e
Instruction Fuzzy Hash: 51E09276A007045BD650CF0AEC41462FBE8EB84630718C07FEC0D8B701E635F508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 051202A8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabd6debd43c15a136b396e8a6cf2443a07c8186177fd221946fe9c2febf9228
Instruction ID: ebdf20fdce5e914d2e9223987b5ce66aa9e1283d5be3e288bfb0d652fd21952c
Opcode Fuzzy Hash: fabd6debd43c15a136b396e8a6cf2443a07c8186177fd221946fe9c2febf9228
Instruction Fuzzy Hash: F6E022303102205BDA25A378E41D36E3249DB88300F40043BE107CB288DF2BE8104B82

Uniqueness

Uniqueness Score: -1.00%

Function 010DA90F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d465bbca43393e43a2e0403dbabc97f26881c4c26022e639817bf1baa11134b6
Instruction ID: 62a4735980ab1cbb3affbe73bdc6b5945be6af03df3c0abf1a454b67d1a4edd6
Opcode Fuzzy Hash: d465bbca43393e43a2e0403dbabc97f26881c4c26022e639817bf1baa11134b6
Instruction Fuzzy Hash: 89E04875A4130467D2609E06DC46B62FB98DB44930F54C567FD085B701E175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 010DA697, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547b12d4c634965db1202a9ebf7a03c9d7785720f388ed22ce3296b7095bce99
Instruction ID: 53cc93dc87f33551c21e03cd18a355fc64d6fd7b3d05354c3ed52ebb10ef2a14
Opcode Fuzzy Hash: 547b12d4c634965db1202a9ebf7a03c9d7785720f388ed22ce3296b7095bce99
Instruction Fuzzy Hash: 8FE0D8B2A403046BD3209E069C82F63FB98DB84A30F04C567FD085F702E171B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 010DA7B7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c994a9d0d9803ebe258542e639c2ef95768c767b49d3f3deb4479cfe83a225ad
Instruction ID: 4a4536f68db65ee8934cd8f61ba295255ba15839285e45fca28d38b9b0dfbbde
Opcode Fuzzy Hash: c994a9d0d9803ebe258542e639c2ef95768c767b49d3f3deb4479cfe83a225ad
Instruction Fuzzy Hash: 6DE04871A4130467D6609E069D86B62FB98DB44930F54C567FD085B702E175B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 010DA9C3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd9bab919c4f3c00ba67a0d4a61ef8e45cec3466c69af010abcac718d8dafc8
Instruction ID: f0addd1c0e9b09e9a203ce91b354768dc548b03917781d0c5f33ecbd23aa0822
Opcode Fuzzy Hash: 8bd9bab919c4f3c00ba67a0d4a61ef8e45cec3466c69af010abcac718d8dafc8
Instruction Fuzzy Hash: 78E0D872A4130467D2208F0ADC42F63FB98DB40A30F08C46BFD085B701E171B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 010DAA7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0e29b37208bc24e99b22bcc78bf8a5d67e5936296d65b1b8f200937a440ead
Instruction ID: e6794be03334180c95fa636218cc463483eb26563576b618b11295d9f20f7e5e
Opcode Fuzzy Hash: 9c0e29b37208bc24e99b22bcc78bf8a5d67e5936296d65b1b8f200937a440ead
Instruction Fuzzy Hash: B0E04872A4130467D2609F069C46F63FB9CDB54A30F14C56BFD095B702E175B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 010DA873, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755024141.00000000010D2000.00000040.00000001.sdmp, Offset: 010D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4f7f777c1c79ba914e23e74d6993827e97a7f4e4d49f815bbae1594216dfcf
Instruction ID: 5f46cb6c6d2fc00d1b58877e79faedb910c99a910a07fd82a09c65d8b72c3b91
Opcode Fuzzy Hash: 0e4f7f777c1c79ba914e23e74d6993827e97a7f4e4d49f815bbae1594216dfcf
Instruction Fuzzy Hash: 2AE0D872A4030467D2209F069C42F72FB98DB50A30F04C46BFD085B701E171B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 05121468, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1a062343580b46e23b81fc00498fc6ff71ca4b4a3cd30dd9131f29d80c5678
Instruction ID: a1da8538e8927c43c76a3fadfdd99534f74245ffb18d52d93f0d3148d00d0134
Opcode Fuzzy Hash: 4b1a062343580b46e23b81fc00498fc6ff71ca4b4a3cd30dd9131f29d80c5678
Instruction Fuzzy Hash: EBE048717002186FD744EBA9C850A9EBBEAEB84510F50815DE449E7341DE325D02C794

Uniqueness

Uniqueness Score: -1.00%

Function 05120751, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fc42b815748adb96237039f64ee415ff2ffc40f48c5c4c579b0635db57c90b
Instruction ID: 8ed398408006b8b911fe4df6a7546cf70927328eb43fb4d2ae87bf5ae9218b0d
Opcode Fuzzy Hash: b8fc42b815748adb96237039f64ee415ff2ffc40f48c5c4c579b0635db57c90b
Instruction Fuzzy Hash: E8D01231A023215BDA5567A8BC143D872A9B746554F88422BEC8891117EF5E9D018789

Uniqueness

Uniqueness Score: -1.00%

Function 010C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755001652.00000000010C2000.00000040.00000001.sdmp, Offset: 010C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd41d77928a72a0fc99c27d661fa9cd76e838e2935a044fb20c6ed4976b95bb9
Instruction ID: 84bcd7c6b649e965548ad93fc71b351eba5103b1c6d165b4c34908efe825e250
Opcode Fuzzy Hash: dd41d77928a72a0fc99c27d661fa9cd76e838e2935a044fb20c6ed4976b95bb9
Instruction Fuzzy Hash: 7ED05E79205A914FE3268B1CC1A8B9D7FE4AB51B04F4644FDE8408BA67C769D6D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 010C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.755001652.00000000010C2000.00000040.00000001.sdmp, Offset: 010C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ad0838c4edc95c601ca70e588b2f5f566b907f7663f0df24cf24d8e951925f
Instruction ID: ffcbff4d1df9463e7cea1ba5560517383d7c646b01bb055a348407af72a117dd
Opcode Fuzzy Hash: c8ad0838c4edc95c601ca70e588b2f5f566b907f7663f0df24cf24d8e951925f
Instruction Fuzzy Hash: D3D05E343002814BD715DB0CC194F5D3BD4AB41B00F0684ECAD408B666C7A4D881CA00

Uniqueness

Uniqueness Score: -1.00%

Function 05120780, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29feb42b463c0d420f3bd06edc9f2de830dcba6d5640648e91fd3ebf12a5eb1
Instruction ID: 34e6e21bb3e0003fd6b4784e17985f2915d18dc6c2a34c8cc12fcedf933b05bd
Opcode Fuzzy Hash: e29feb42b463c0d420f3bd06edc9f2de830dcba6d5640648e91fd3ebf12a5eb1
Instruction Fuzzy Hash: C4B0122234563913280D31AD38118EDB38DC9D7875280106FF54ED7340CD893D0243DE

Uniqueness

Uniqueness Score: -1.00%

Function 05121369, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25eaaf8cf47f6bbc9046f4fc62e7d317e12500a196d7dd53ef6a412163885b79
Instruction ID: 6daffe15307e6a257b8f66759e8cf5f9993127cd2dc25670874b0184cb567688
Opcode Fuzzy Hash: 25eaaf8cf47f6bbc9046f4fc62e7d317e12500a196d7dd53ef6a412163885b79
Instruction Fuzzy Hash: 32C08C329467806AE3224220ED027223620F720345FD640639DC4891CEEAE98C028B1A

Uniqueness

Uniqueness Score: -1.00%

Function 051224E9, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7822b6b5a927aefc5711b0b76fe0d2e84bb11bc18921a7b50ea48d74e2746c48
Instruction ID: 7bdfec077be5e79fa24aac9e4fb8ee3804927b7d00df80507d8bc12a5614f252
Opcode Fuzzy Hash: 7822b6b5a927aefc5711b0b76fe0d2e84bb11bc18921a7b50ea48d74e2746c48
Instruction Fuzzy Hash: C5C04C355022408FD3A4EB50F9497F633B1F744350F948557C805C2A19E7345D71CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05122519, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83ceac2bb752d1629be0f907e020782c7611828a6a10c6fc107084d70ba18d0
Instruction ID: 2be92325bf27fc3c06f7ff9bc2644a6f225ef945f637783b93eba7cc8dff1a2d
Opcode Fuzzy Hash: d83ceac2bb752d1629be0f907e020782c7611828a6a10c6fc107084d70ba18d0
Instruction Fuzzy Hash: 25B092352022008FC2D8EB10F746AA53366B384300380C416C88283729E6285C32CB80

Uniqueness

Uniqueness Score: -1.00%

Function 051200F0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.756975336.0000000005120000.00000040.00000001.sdmp, Offset: 05120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dd99b1c2b63b0352bb3dd6bb0a580e9e1d291dfcb6ff026fa04d5dab8672c8
Instruction ID: cada8daf6567abc9afe5c271780e0fe93f67883870f983b74b95913e33416a5a
Opcode Fuzzy Hash: 87dd99b1c2b63b0352bb3dd6bb0a580e9e1d291dfcb6ff026fa04d5dab8672c8
Instruction Fuzzy Hash: 4EB092308072438BCF508B71EE087443BB0AB00200F08416BD88180007D7AE0514CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: fullview.exe PID: 7080 Parent PID: 5616 fullview.exeCOMMON

Executed Functions

Function 03182567, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031825E7

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c19de76c6c30126715a69bd7e611ee99f644cda34d152d1023f4a649531479fa
Instruction ID: 120389aac85583f267d381750eb6e8d3009c698c516d3d967261a7a9147b69c8
Opcode Fuzzy Hash: c19de76c6c30126715a69bd7e611ee99f644cda34d152d1023f4a649531479fa
Instruction Fuzzy Hash: DD218D765097809FEB238F25DC40B52BFA8EF06210F0885DAE9858B563D3709908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0318259E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031825E7

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a51be2234a7f26313778ba1cb857285f80f96a35c4308d5bef98723f29e1741a
Instruction ID: b1f3f7933a13de77dc1ddc57b1c0df5c7e88e5c4adaa086d98a88c3ad7e21de2
Opcode Fuzzy Hash: a51be2234a7f26313778ba1cb857285f80f96a35c4308d5bef98723f29e1741a
Instruction Fuzzy Hash: BD115E755003009FDB21DF56D844B66FBE8EF08220F18C8AADD458B652D775E454DF71

Uniqueness

Uniqueness Score: -1.00%

Function 03182072, Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 03182139

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5cd4508e6a1b3716c7498dbcaab431b8b8ea341592797468b8c91534516b006
Instruction ID: ee4c9e065659c1de126203157f6fb5889c529b02a3185369998fc799e567933c
Opcode Fuzzy Hash: d5cd4508e6a1b3716c7498dbcaab431b8b8ea341592797468b8c91534516b006
Instruction Fuzzy Hash: 86316DB2104744AFE722CB25CC84F66BFECEF09310F18899AE9858B152D324E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03180D54, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 03180E1B

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 14ccee67204e6c9a6bbeba26506734c5fdfa9fc742e1e9f4b9aa665be1c975a3
Instruction ID: e134d1ed34ec66e32ca12456a25ed336c7d30120ae8a4330b5eb2ee40242711d
Opcode Fuzzy Hash: 14ccee67204e6c9a6bbeba26506734c5fdfa9fc742e1e9f4b9aa665be1c975a3
Instruction Fuzzy Hash: 6931B3B2104344AFEB31DB14DC84FA7FBACEF04710F14889AF9459A182D374A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03182986, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.KERNELBASE(?,00000E2C,?,?), ref: 03182A3E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: f08f779a02dd09023ef3af0254ff412292d00098d3a6d1f33ccb27a23c3d5dfa
Instruction ID: 87d254b57fbc881b72a4198aade284a40f19a1f0bb5a7b5abeba9d7d473f8182
Opcode Fuzzy Hash: f08f779a02dd09023ef3af0254ff412292d00098d3a6d1f33ccb27a23c3d5dfa
Instruction Fuzzy Hash: 4931B47550D3C06FD3138B25DC51A62BFB4EF47614F1E84CBE8848B6A3D125A90AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 03180548, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 031805DF

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 95b8fefa131f91987b8145bf0b35df0015174fc38c283af79f5ff09d02bcbb8a
Instruction ID: b051288dff05b4ed31cd90263151c72c7805e3c56a4906642aff091a9425e116
Opcode Fuzzy Hash: 95b8fefa131f91987b8145bf0b35df0015174fc38c283af79f5ff09d02bcbb8a
Instruction Fuzzy Hash: 1D3181725043456FEB22DF25DC45F67BFACEF05320F0884AAE984CB152D324E909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03180C4C, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03180CE9

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8f76a4f3d26f4caf830a05d41dbf74302e8065108a3fbdfc752cb94b5509b832
Instruction ID: 0fa33be1defef44605d31c3ce5199f10292f978bbbb5b1b9651e32a1170c1813
Opcode Fuzzy Hash: 8f76a4f3d26f4caf830a05d41dbf74302e8065108a3fbdfc752cb94b5509b832
Instruction Fuzzy Hash: B331C5B25093846FE7228F24DC45B96BFB8EF06320F0884EAE985DB153D324A509CB65

Uniqueness

Uniqueness Score: -1.00%

Function 031807E0, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03180892

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e63e601967f81ccec66cab9302153274798a5a1fb29d4cc0c5615512c25244ba
Instruction ID: 3a243ba66fc7c865977657abce9a5502a1272dbf5ce5fe748e97326f2ff2dec1
Opcode Fuzzy Hash: e63e601967f81ccec66cab9302153274798a5a1fb29d4cc0c5615512c25244ba
Instruction Fuzzy Hash: 0D31D1B2404780AFE722CB25DC44F56FFF8EF0A320F08859EE9848B152D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0318209E, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E2C), ref: 03182139

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 54ba45ec3b723e496494d5a8ae1403da0fadba6ca1e026ce9689087addd89182
Instruction ID: e7f775cf688d46c46196ec6172b41891281e0fd21850b5c1cdbd40f38f87184c
Opcode Fuzzy Hash: 54ba45ec3b723e496494d5a8ae1403da0fadba6ca1e026ce9689087addd89182
Instruction Fuzzy Hash: 08218CB2600704AFEB22DF25CC84F67FBECEF08720F18895AE945C6651D734E5058A65

Uniqueness

Uniqueness Score: -1.00%

Function 03180D76, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 03180E1B

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e6e5499afce719f303972f5f4d2b4b0e6eb9aebaaed214495e3cc32ba71bdaad
Instruction ID: 657b9cf28f007c94299ad28f7007b7976a77720e05d7a370776a77f05787932d
Opcode Fuzzy Hash: e6e5499afce719f303972f5f4d2b4b0e6eb9aebaaed214495e3cc32ba71bdaad
Instruction Fuzzy Hash: 6721A071100308AFEB31DB55DC84FAAFBACEF08710F14885AEA459A181D674A549CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031810C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 0318116E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 82acb27f145414a0a2d63c011e698e9d8dd6f5b10d27ad52248dd8218cdc65f8
Instruction ID: 9cae713b47de4253cd3c8fb064bc328cc9b68c3bbf12566c52b1c37f751d7630
Opcode Fuzzy Hash: 82acb27f145414a0a2d63c011e698e9d8dd6f5b10d27ad52248dd8218cdc65f8
Instruction Fuzzy Hash: 27319E7140D3C16FD3138B258C51B62BFB8EF47610F0981DBE884CF5A3D225A949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03182311, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 031823A0

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: aabe84adf57766982cac06b1bcb39aee8a518117295601fd8f6030c01e3f9c7b
Instruction ID: 21e949e32ced04d9c4641fbe25d7b2053d094cde13c44f84fca002854736bb6f
Opcode Fuzzy Hash: aabe84adf57766982cac06b1bcb39aee8a518117295601fd8f6030c01e3f9c7b
Instruction Fuzzy Hash: FF2139755093849FDB22CF25D854B52BFE8EF0A214F0988DAED84CB162D374A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03180007, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0318009E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 347d6dc1360a38759cc537c8dca8012f7418c9ec34b626c22ff9360127c68452
Instruction ID: 079c60581ba90883e73a82b77152f91adac2f7468cc1171485fedf89cdce5fe5
Opcode Fuzzy Hash: 347d6dc1360a38759cc537c8dca8012f7418c9ec34b626c22ff9360127c68452
Instruction Fuzzy Hash: 35318E71509784AFE722CF65DC44F56FFB8EF0A210F08859EE9859B292C375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031826E9, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03182770

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 387ac7b9895a28e3ea74d2fa7250718e944df56dea77a329361be1e8fa8fc2c4
Instruction ID: 0d7d82d1dbfbe5d865ae234227dd2141f452abd95b72e9263fd13025f8f8a203
Opcode Fuzzy Hash: 387ac7b9895a28e3ea74d2fa7250718e944df56dea77a329361be1e8fa8fc2c4
Instruction Fuzzy Hash: B421A4B15093846FE712CB25DC45B96BFB8EF06320F1884EBE944DF193D264A908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031806FE, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 03180789

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: bc5dfe17c711b3e82e06c024592dcdc44a4bec5c570b826c4bad0e1842969935
Instruction ID: 815e3c41cbd7e289b41d2aceafe959847593a280e364d97369d386bced507fa5
Opcode Fuzzy Hash: bc5dfe17c711b3e82e06c024592dcdc44a4bec5c570b826c4bad0e1842969935
Instruction Fuzzy Hash: 3E2180B1509384AFE721DB25DC44F66FFA8EF09220F08849EE9858B252D375E809CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0318056E, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 031805DF

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: fc8c426db3aba4f588169d645e4727e7c7a6ea31d95999c5af7a6210dc3f3545
Instruction ID: abe81a135e41e9dea46f0a074607a65aac703ab817400ce3befc64731371f65c
Opcode Fuzzy Hash: fc8c426db3aba4f588169d645e4727e7c7a6ea31d95999c5af7a6210dc3f3545
Instruction Fuzzy Hash: 432195B1500304AFEB20DF29DC45B6AFB9CEF08720F18846AED45DB141D774E5498A75

Uniqueness

Uniqueness Score: -1.00%

Function 031823E0, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03182466

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 41fb160df6e83657a3504607d8e343ab5e0e09deb056cb02c1c261cfdd180455
Instruction ID: 0064747dc80f58e5b8c7dac8323088a1206cc80b8a6d677d55a487a223a82228
Opcode Fuzzy Hash: 41fb160df6e83657a3504607d8e343ab5e0e09deb056cb02c1c261cfdd180455
Instruction Fuzzy Hash: 2A217FB25093805FE713CB25DC50B52BFA8AF46224F1C84DAED89CB253D335A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03180462, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 031804F4

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bd57d4d4c8d3e65ff856a557c58d22df13b44b6b481709188e602b5d4372add8
Instruction ID: 4f5f2ab7ad713906f167c69ca75d296bcfa9f0d423a23ae1ee97fb41c1f742c0
Opcode Fuzzy Hash: bd57d4d4c8d3e65ff856a557c58d22df13b44b6b481709188e602b5d4372add8
Instruction Fuzzy Hash: 8F214AB2509384AFE722CF15DC44F66BFA8EF09720F08849AE9859B252D364E548CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031828B7, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03182933

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f4f818d249f16f7eba8e1f5aa5725fa32a7ec4454c74abe487c62cf83468f83d
Instruction ID: 5f7960601ecb33aedc906aca303c4716197b4c82029393f965a33f05c86efa36
Opcode Fuzzy Hash: f4f818d249f16f7eba8e1f5aa5725fa32a7ec4454c74abe487c62cf83468f83d
Instruction Fuzzy Hash: 062180B25093846FEB22CF25DC45B56BFA8EF45220F0884AAE9449B152D274A904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 031827D3, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 0318284F

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f4f818d249f16f7eba8e1f5aa5725fa32a7ec4454c74abe487c62cf83468f83d
Instruction ID: 553b26c210e8580d0714515287478ae6e09d13f2c511f6e7b74ff057bd0883ef
Opcode Fuzzy Hash: f4f818d249f16f7eba8e1f5aa5725fa32a7ec4454c74abe487c62cf83468f83d
Instruction Fuzzy Hash: 912180B15093846FEB22CF25DC45B56BFA8EF46220F0888AAE9449B152D274A804CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03180A95, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03180B18

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 07937b97a327103725478831c7534b620f1b5444bd036ba184904cbb37502a45
Instruction ID: 45ec5768c4a5558f53fea84931b56ccad4fe69772d18fc7ae32eaa3e949f2890
Opcode Fuzzy Hash: 07937b97a327103725478831c7534b620f1b5444bd036ba184904cbb37502a45
Instruction Fuzzy Hash: 652183B1409384AFE712CF25DC44B56BFA8EF46224F0884EBE9849F153C364A548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0318224B, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 031822C7

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d35e8427ca215da8ebeb577bca811d21e74e59e5c084bed0b5d89e8b8fae13ff
Instruction ID: ec1f5f31151658bef4e1ef503302d6ef8f221abd7387d514b9a8f3ca6f24d1ab
Opcode Fuzzy Hash: d35e8427ca215da8ebeb577bca811d21e74e59e5c084bed0b5d89e8b8fae13ff
Instruction Fuzzy Hash: BC2181B14093846FEB22CF25DC84F56BFA8EF45320F0888ABED849B152D374A508CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0318071E, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 03180789

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: da2bc0d5ac1d74416c6762760f82602d1036f5480b266610e8803f2fe5718844
Instruction ID: 58fa01a3781be07919b63ca56a89bc398859a37c5e71d7fa187582664434e34b
Opcode Fuzzy Hash: da2bc0d5ac1d74416c6762760f82602d1036f5480b266610e8803f2fe5718844
Instruction Fuzzy Hash: 2D219DB1504244AFE721EF69DC85B66FBA8EF08320F18846AED858B642D375E409CE75

Uniqueness

Uniqueness Score: -1.00%

Function 03182634, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031826A0

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: eba9092aa055ec5fd522bc62b9e1a5ca8c47b7934b8fcb1b203f82b7f23b1282
Instruction ID: 809366cf7acd44191120e99c07f973b73f7d30074d5930a102760ff490f9fa46
Opcode Fuzzy Hash: eba9092aa055ec5fd522bc62b9e1a5ca8c47b7934b8fcb1b203f82b7f23b1282
Instruction Fuzzy Hash: D4219FB25093C05FEB12CB25DC94692BFA4AF07224F1D84DAEC858F663D2749908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0318081E, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03180892

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 110d0d2dfa8dd21d19dd8bc31f424754a8dc74d3e9ef6d75293e030a0a7cd44b
Instruction ID: f3a796ec1682953a499795bf763146be30e2a47332ef9038fd859b4446cf49a9
Opcode Fuzzy Hash: 110d0d2dfa8dd21d19dd8bc31f424754a8dc74d3e9ef6d75293e030a0a7cd44b
Instruction Fuzzy Hash: B921CD71500344AFE721DF55DC84F66FBE8EF08320F04885EE9858B641D375A548CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 03180032, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0318009E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d289a8d310afbf0bb62a253911eeb987f15d605655808327f83f2ca4e2dd23ef
Instruction ID: f336e3e3784d083d1e61cd0ba7096a64752f128539afc71169fcdf2ae58e9399
Opcode Fuzzy Hash: d289a8d310afbf0bb62a253911eeb987f15d605655808327f83f2ca4e2dd23ef
Instruction Fuzzy Hash: 3421D171500744AFEB21DF65DC44B6AFBE8EF08320F04886EED858B641D375A408CB75

Uniqueness

Uniqueness Score: -1.00%

Function 03180F26, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 03180FA2

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: f13c1b1e8dbb8abd9af53ae83ca360558760e447bd357c51e999cf84b1dc6989
Instruction ID: aebb7a22417853d4cb35fbbaad31e59dfeee2ffc45854823e491aee44e0c2dc1
Opcode Fuzzy Hash: f13c1b1e8dbb8abd9af53ae83ca360558760e447bd357c51e999cf84b1dc6989
Instruction Fuzzy Hash: 99215E71408384AFDB22CF55DC44B62FFB8EF0A210F0885DAED858B162D375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0318138A, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 03181413

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ec79d2b637e070f288dc44d1d8dc8333190406b9315ddb11889756b3fbf1ccf1
Instruction ID: b652c4214f26e1256dcd78ab3b1ee7a57e2db4de2aedde4f57e6bfd7735dd6eb
Opcode Fuzzy Hash: ec79d2b637e070f288dc44d1d8dc8333190406b9315ddb11889756b3fbf1ccf1
Instruction Fuzzy Hash: A911E4711453406FE722CB15DC85FA6FFA8EF05320F18849AED449B192C364A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 03180482, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 031804F4

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a25dbded9ab2823561f65d1b9e3679d6dbc55fa2bc2bca5f33aa55dd33200d36
Instruction ID: e6aa7bf56dcb9d2b60dcc62140bbe340d6c3f33218bf92ef52f22f7677a112a8
Opcode Fuzzy Hash: a25dbded9ab2823561f65d1b9e3679d6dbc55fa2bc2bca5f33aa55dd33200d36
Instruction Fuzzy Hash: E211ACB2600304AFEB21DF16DC85F66FBECEF08720F08846AED459B652D764E448CA75

Uniqueness

Uniqueness Score: -1.00%

Function 03180C8A, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03180CE9

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 469f7b0ff2f48c5623e8eb1c46812a46dcfdfe1e5dec3f70e92c09ed19fd4573
Instruction ID: c42a26e207665e95d3a20de3a7144dc6e6b537f7c9c36d55514ddb9279932083
Opcode Fuzzy Hash: 469f7b0ff2f48c5623e8eb1c46812a46dcfdfe1e5dec3f70e92c09ed19fd4573
Instruction Fuzzy Hash: 40119072500304AFEB21DF65DC45B6BFBA8EF08320F1888AAED458B655D774E448CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031803BE, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 0318043A

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9ebbcf236c71a2a39564265255b8740d16d0b210202009eecbbabfb407d9cc9b
Instruction ID: 9071a5822fc86cd64b620d5f234065a68dd937c7e46f63d42bf4e7d54242e7b2
Opcode Fuzzy Hash: 9ebbcf236c71a2a39564265255b8740d16d0b210202009eecbbabfb407d9cc9b
Instruction Fuzzy Hash: C511C8715043846FD3219B16DC41F36FFB8EF86720F15819EED448B642D225B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 031828DA, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03182933

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ebe4de135808057b3ee83b8315389a099853a4eb3bcf91259c081c2469aed862
Instruction ID: 4b729ec8edb5a368e4b1c42cba529d5e5d15b5c0fc3c51ef610497341d089b79
Opcode Fuzzy Hash: ebe4de135808057b3ee83b8315389a099853a4eb3bcf91259c081c2469aed862
Instruction Fuzzy Hash: 9111B2B1500304AFEB22DF65DC85B6ABB9CEF04320F18886AED459B255D774E405CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031827F6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 0318284F

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ebe4de135808057b3ee83b8315389a099853a4eb3bcf91259c081c2469aed862
Instruction ID: 3d9adb36da0531168573301f1a71df86b19e5a01744b8fa7773452e8852273eb
Opcode Fuzzy Hash: ebe4de135808057b3ee83b8315389a099853a4eb3bcf91259c081c2469aed862
Instruction Fuzzy Hash: 2711B2B1600300AFEB21DF65DC85B66BB98EF05320F18886AED459B245D774E445CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0318271A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03182770

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 1092de29a774f00c4cc06acbe873a07a1269aa9400837f7f0ed20c9b09019618
Instruction ID: cedc7efe7d8aa0a508c7655d3255f258357de4e1d42b667815fe93328c5a2245
Opcode Fuzzy Hash: 1092de29a774f00c4cc06acbe873a07a1269aa9400837f7f0ed20c9b09019618
Instruction Fuzzy Hash: 9611C471500300AFEB21DF26DC45B66BBA8DF04320F1488AAED04CB245D774E4448BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0318226E, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 031822C7

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d3626f86cb5756b13b9cc315b84070e92ebabc6b56ac1ed2568c7db223dbed53
Instruction ID: cac104110d50d16cc251c6ffd1895c7599a3ca95be4e69ebf180d2282eb05d5d
Opcode Fuzzy Hash: d3626f86cb5756b13b9cc315b84070e92ebabc6b56ac1ed2568c7db223dbed53
Instruction Fuzzy Hash: 9711C6B1504304AFEB22DF55DC85B66FBA8EF08320F1888AAED459B246D374E405CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 03180AC2, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,F20609BC,00000000,00000000,00000000,00000000), ref: 03180B18

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 2dfa8568239c912e5e531b80925d608528bf08e0a5cfb21c1714fcb397d39132
Instruction ID: fc20e080f8860786867c10fb97f3dd287ce7832257a3959e576538258ee6beaf
Opcode Fuzzy Hash: 2dfa8568239c912e5e531b80925d608528bf08e0a5cfb21c1714fcb397d39132
Instruction Fuzzy Hash: A411C2B5500304AFEB21DF59DC84B66FB9CEF08324F1884AAED449B246D374A408CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 031813AA, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 03181413

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f83eb3e5f231daf180b4bb54c02580813c812e55228f565fd93024a4645118c0
Instruction ID: 2168592fc51b83b6f69f33fac07ff324159739405bdb7880a83c968ac5494df0
Opcode Fuzzy Hash: f83eb3e5f231daf180b4bb54c02580813c812e55228f565fd93024a4645118c0
Instruction Fuzzy Hash: F911E572540304AFF721DB15DC85FA6FB98DF08720F1484AAED445B285D3B4A549CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0318234A, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 031823A0

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 747fbbb91a2daa7f3c55d92b205c3633527667c86544c5629e589666daf010f2
Instruction ID: 12337dee4893cef8643497c6ae83f65cbe16fbb299465b5d7014bad49a76eea4
Opcode Fuzzy Hash: 747fbbb91a2daa7f3c55d92b205c3633527667c86544c5629e589666daf010f2
Instruction Fuzzy Hash: B1113D756002049FDB21DF59D884B56FBE8EF08610F0888AADD49CB652D374E449CF75

Uniqueness

Uniqueness Score: -1.00%

Function 0318241E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03182466

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 58ed3a7bde366e00accbe2aa7729f96fa3e6de67d441735b24f874d5b6dfb02e
Instruction ID: 2c80f95480dc6128419ca87162b9644abccfc90fbc652c6317605b75ded8abdf
Opcode Fuzzy Hash: 58ed3a7bde366e00accbe2aa7729f96fa3e6de67d441735b24f874d5b6dfb02e
Instruction Fuzzy Hash: 4D11A5716003408FEB61DF29D884766FBD8EF08220F0888AADD49CB642D374D405CE75

Uniqueness

Uniqueness Score: -1.00%

Function 03180F56, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 03180FA2

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: fa95ff1597417e1a8b1149ce8efefe815f5988d5c425cbba1626f50ad4fe1b4c
Instruction ID: a0eb2c880db56427ab1d0eb6d660e6dfb262570e447c7650e9fa7d1c87486904
Opcode Fuzzy Hash: fa95ff1597417e1a8b1149ce8efefe815f5988d5c425cbba1626f50ad4fe1b4c
Instruction Fuzzy Hash: 7F115A71500744AFDB20DF55D844B66FBE4EF08220F08C8AAED498B612D335E458CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0318111E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E2C,?,?), ref: 0318116E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 4ba8bc0441cb8dcfd5678456c972db90caeb58a23dce07e780aea67c4d349850
Instruction ID: 867a0c90c6de851a8a0afa63508552b3940527dbd4851fa14da8ab6946e07542
Opcode Fuzzy Hash: 4ba8bc0441cb8dcfd5678456c972db90caeb58a23dce07e780aea67c4d349850
Instruction Fuzzy Hash: 42017171500604ABD714DF1ADC85B36FBA8FB89B20F14856AED089B641D231B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0318266E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031826A0

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f7b24960f751faaa66f2086000ebd1e56967b9040d3a488417b1191718ce6f29
Instruction ID: aee9a11c12c2d9e1bd165d149c4b1c8c20419163c238a9b92465ac4064034541
Opcode Fuzzy Hash: f7b24960f751faaa66f2086000ebd1e56967b9040d3a488417b1191718ce6f29
Instruction Fuzzy Hash: BF01BC756003408FDB21DF1AE884756FBA4EF04220F28C8AADC498F646D374E848CE72

Uniqueness

Uniqueness Score: -1.00%

Function 031803EA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 0318043A

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 29f6e6b31ffe4ce2e1b595496b1634134ad876a3f16e6f4d4b983afb0c02f6d9
Instruction ID: e03177124950b6240d7f98ee20ef5f7acd26da00e49c404368386b2e457cab48
Opcode Fuzzy Hash: 29f6e6b31ffe4ce2e1b595496b1634134ad876a3f16e6f4d4b983afb0c02f6d9
Instruction Fuzzy Hash: FB01A271500604ABD614DF1ADC82B36FBA8FB89B20F14815AED084B741D231F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 031829EE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.KERNELBASE(?,00000E2C,?,?), ref: 03182A3E

Memory Dump Source

Source File: 0000000B.00000002.901821935.0000000003180000.00000040.00000001.sdmp, Offset: 03180000, based on PE: false

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a90d4a1e345beb10ca8d53b68b81ede11f5196c1865da036d347df6752f28f85
Instruction ID: acfa6d1b92c54b4d3897569bbd603f793e67ffe3161c223ee5eb526da5a428d0
Opcode Fuzzy Hash: a90d4a1e345beb10ca8d53b68b81ede11f5196c1865da036d347df6752f28f85
Instruction Fuzzy Hash: 7C01A271500604ABD214DF1ADC82B36FBA8FB89B20F14811AED084B741D331F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02FF1647, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02FF167F

Memory Dump Source

Source File: 0000000B.00000002.901665422.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e5b14416e02c3985c22595d266c32867133a6fb26c361299231ccdb638245776
Instruction ID: 67fdac3e0cb7cdf9d962fc654d9ab7fa3995e61df38436a3f73936d5ee803db3
Opcode Fuzzy Hash: e5b14416e02c3985c22595d266c32867133a6fb26c361299231ccdb638245776
Instruction Fuzzy Hash: B0F01471E103089FCB94DFB994499EEBBF5AE88350B11816AD509E3614EB349905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FF1658, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02FF167F

Memory Dump Source

Source File: 0000000B.00000002.901665422.0000000002FF0000.00000040.00000001.sdmp, Offset: 02FF0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1bb5d8ee3798a1dd096e600cf4ac2d43e5cf110a38a6af4613958d00ad68487d
Instruction ID: 7618af2634e125f6e5109b7397e4486742335720476155a2d724f66769417044
Opcode Fuzzy Hash: 1bb5d8ee3798a1dd096e600cf4ac2d43e5cf110a38a6af4613958d00ad68487d
Instruction Fuzzy Hash: E2F0F871E002099FCB94DF79C84899EBAF6BB88240B10856AD609E3244EB349905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05731CFC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902886394.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0dc190dc3de6ee8f2f1554e270e5a66c7012b540db482716daee87b697006b
Instruction ID: 9d80baede9d1d01c8dbb148b37486179277399b670f959253dd0369fcd86500f
Opcode Fuzzy Hash: be0dc190dc3de6ee8f2f1554e270e5a66c7012b540db482716daee87b697006b
Instruction Fuzzy Hash: F911BAB5548341AFD350CF19D880A5BFBE4FB88664F14896EF898D7311E331E9048FA6

Uniqueness

Uniqueness Score: -1.00%

Function 03020804, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.901722194.0000000003020000.00000040.00000040.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302c54912416a599b4f56f92fdb76f681fc0699f562ed8dd5f594564204d94c4
Instruction ID: d0f6a486eff244f01b5f38ab5de2dde3c2acb925901313bdf98c4b4a5a154f4d
Opcode Fuzzy Hash: 302c54912416a599b4f56f92fdb76f681fc0699f562ed8dd5f594564204d94c4
Instruction Fuzzy Hash: D8116D312053449FD715CB14C940B2ABBE5AB88718F28C9ADE9895B653C77BD813CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0152AE60, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.901395143.000000000152A000.00000040.00000001.sdmp, Offset: 0152A000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bbd4fd672e5b8df62dc0642e75c86bf65faeebd34384380379ddcc48f81db9
Instruction ID: 39701f70a807d55b4f1607a82736e9980a27e3d34f4b7a38c7da13217f590170
Opcode Fuzzy Hash: 98bbd4fd672e5b8df62dc0642e75c86bf65faeebd34384380379ddcc48f81db9
Instruction Fuzzy Hash: 1011FEB5548301AFD350CF09DC40A5BFBE8EB88660F14891EFD5997311D231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05731BA0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902886394.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed688da99ed47ca2ffef3744f85129838bf4c6effbf08c2d28da0b07bd3a55f
Instruction ID: 053e9bb26b7b1d886adbaec3789e48965893aa91878aa6f75f9ea085f6d0d50e
Opcode Fuzzy Hash: eed688da99ed47ca2ffef3744f85129838bf4c6effbf08c2d28da0b07bd3a55f
Instruction Fuzzy Hash: A711FEB5508301AFD350CF09DC80A57FBE8EB88660F14891EFD5997311D331E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 030208C0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.901722194.0000000003020000.00000040.00000040.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: aecd9086f70ff1f77076d5c76a91044d4dc4d70e9466c51e67c5e08bf2ac5bbc
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 87F0FB35104644DFC206CF00D540B26FBE6EB89718F24C6A9E9891B752C737D813DB81

Uniqueness

Uniqueness Score: -1.00%

Function 030205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.901722194.0000000003020000.00000040.00000040.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0373a08e25024a65ffcb84b0a3b733d79788317fb2eff3861d8e97062d8d6374
Instruction ID: 6bdca564d327d775e9e7a29cafe80e4cf56af53e431ffa4320a5d699db244f67
Opcode Fuzzy Hash: 0373a08e25024a65ffcb84b0a3b733d79788317fb2eff3861d8e97062d8d6374
Instruction Fuzzy Hash: 69E06DB66446005BD650DF0AEC41462FBD8EB84630718C46FDC0D8B701E635B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 0152AEAF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.901395143.000000000152A000.00000040.00000001.sdmp, Offset: 0152A000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc6c9ec3095607fe8c87f7eb332ebd8f805eb07f907dd47ec359f93be47f3a2
Instruction ID: 34998d155a2994e6cf0377df8a73a23c729d82b64205894e4eb8024ef2fa0120
Opcode Fuzzy Hash: cdc6c9ec3095607fe8c87f7eb332ebd8f805eb07f907dd47ec359f93be47f3a2
Instruction Fuzzy Hash: 14E0D8B254030467D2109E06EC41B23FB98EB50A30F18C55BED085B302E171B5049AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05731D67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902886394.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95efe385a6b02af2c1878751fd971b912b2dbfddaed6a0a9d8c888f2f0acb8dd
Instruction ID: 7a24723ef41e35d01b89ce69c9d25c5d1bbab68f4e7ab09692714463f00e61df
Opcode Fuzzy Hash: 95efe385a6b02af2c1878751fd971b912b2dbfddaed6a0a9d8c888f2f0acb8dd
Instruction Fuzzy Hash: DFE0D8B25403046BD2109E0AEC81B23FF9CEB54A30F18C46BED085B302E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05731613, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902886394.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b196f73671db71bf6b38f4fd0bb2fe558c82c4b03cd1832ac8b23806cda9f0
Instruction ID: aed830932698de8a756638c73160a392a5a660421118bed8e38cd21215332399
Opcode Fuzzy Hash: 52b196f73671db71bf6b38f4fd0bb2fe558c82c4b03cd1832ac8b23806cda9f0
Instruction Fuzzy Hash: 69E0D8B254030467D2109E0AEC81B23FF98EB40A30F18C45BED085B302E172B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 05731BEF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.902886394.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01cb2b913c77acf9d6b3bb6cb438a1222e6072f51cbe0f0a48881ecbe80ff51
Instruction ID: 542de3c2fc3f3c24b3db532ba9f7189e0553c77c8de2d20e3732c110239c7c7b
Opcode Fuzzy Hash: a01cb2b913c77acf9d6b3bb6cb438a1222e6072f51cbe0f0a48881ecbe80ff51
Instruction Fuzzy Hash: EEE0D8B254030467D2509E0AEC81B23FF98EB44A30F18C45BED085B302E172B5049AF5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: fullview.exe PID: 7088 Parent PID: 3424 fullview.exeCOMMON

Executed Functions

Function 05900AC7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05900B47

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 252adeefc2d1c0e95ca036cb74a27d6d297f6ec3b812ca424fd1e909d20db33a
Instruction ID: 6590770601290c3d12442fe5ce7dcb7768869e825212b8fca08d0e0e755da386
Opcode Fuzzy Hash: 252adeefc2d1c0e95ca036cb74a27d6d297f6ec3b812ca424fd1e909d20db33a
Instruction Fuzzy Hash: 8A21A3765097809FDB138F25DC44B62BFB8EF06314F0884DAE9858F163D271D908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05900AFE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05900B47

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5c10423bee177a10e0c11c8fc37f9730f51733f9e8cf9c2d196bff1bb98e43fe
Instruction ID: 1b9350d025e14c0b48dc30716c214a6f27011f9a13c5251aeee61d815b247d23
Opcode Fuzzy Hash: 5c10423bee177a10e0c11c8fc37f9730f51733f9e8cf9c2d196bff1bb98e43fe
Instruction Fuzzy Hash: 64115E715003409FDB21DF55D889B66FBE8EF04724F0888AAED898B656D375E414CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05832548, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e868d0f9e54a7676abccef32a6cdd8b3289b70d2ec02da7ceb45fdc6cb85247
Instruction ID: ef89dc47ddeccc346a3386ea73abb96bbccbef8729372ebd0a98ce044e43d4df
Opcode Fuzzy Hash: 1e868d0f9e54a7676abccef32a6cdd8b3289b70d2ec02da7ceb45fdc6cb85247
Instruction Fuzzy Hash: C0626B34B00205CBDB54EBA9D85966EB7B3FB88300F28C16AC80697395DF759D56CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05836DA2, Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

(, xrefs: 05837047

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 61aae4ca902fc997ffa2dd4fbf7657f920955276f8eec34b770a4d4bbb6de90c
Instruction ID: d4fee578d588dc7c8a374720fc66261f58fed8ff3c3d8f567611f938d90276ea
Opcode Fuzzy Hash: 61aae4ca902fc997ffa2dd4fbf7657f920955276f8eec34b770a4d4bbb6de90c
Instruction Fuzzy Hash: DAE1E9747001449FEB44DB98D891B6DBBB2EB89314F28C059E919DB385CB76ED43CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05901936, Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 059019E1

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 74978670e87ee9e898766a8338403302ff9f928f7621ce971a3c32e93f3cf23b
Instruction ID: 9b02dd034a17982ff062bfb745536e5ccf816ba51dddc1428b5cc28c78b76a53
Opcode Fuzzy Hash: 74978670e87ee9e898766a8338403302ff9f928f7621ce971a3c32e93f3cf23b
Instruction Fuzzy Hash: 39319E71504380AFE722CF65DC44F66BFE8EF05310F0889AEE9858B252D375E405DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0169AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0169ACD1

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b24ef532155c40eb5320699900fcb4aad58c4ffd7752dbcc7c9fea07ca28b348
Instruction ID: 2645daa6a3b47deacda399f48fe3abe1e4ffce05da978638c923ddfecc3c4447
Opcode Fuzzy Hash: b24ef532155c40eb5320699900fcb4aad58c4ffd7752dbcc7c9fea07ca28b348
Instruction Fuzzy Hash: 6531D6725043846FE7228F65CC45F67BFECEF06710F0884AAED808B152D224E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0169AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 0169ADD4

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ab48529108f323e303d05aa39a259f60854a5da2de39012efe4f9bcb06314532
Instruction ID: 91106a44f2f85a93e79b0659b14fdb4b92f610f26e91dfe8fa77eb2e80f59b27
Opcode Fuzzy Hash: ab48529108f323e303d05aa39a259f60854a5da2de39012efe4f9bcb06314532
Instruction Fuzzy Hash: E5316F725097845FEB22CB65CC44FA2BFE8AF06610F08849AE9858B253D364E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05900C88, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05900D22

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 1166228f5360344b669af7a32fdfac8fc98222b74101b3c765a6008a3c835775
Instruction ID: 684a05ba438554ca741aea4255de0a8ba4b2909660dae553636cd9b1999d0927
Opcode Fuzzy Hash: 1166228f5360344b669af7a32fdfac8fc98222b74101b3c765a6008a3c835775
Instruction Fuzzy Hash: 0321D5B25093806FE7128F24DC45F66BFB8EF06320F08849BE984DB193C224E905C771

Uniqueness

Uniqueness Score: -1.00%

Function 0169A2AC, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0169A346

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b68b162c7dd3ddfa623a0952f20946a80a89e04f11b74685454778380cfcc0f8
Instruction ID: aece680a29be4e68ea6fb390bcfcaa658da8c31ad448c875d8f78b6f323d9612
Opcode Fuzzy Hash: b68b162c7dd3ddfa623a0952f20946a80a89e04f11b74685454778380cfcc0f8
Instruction Fuzzy Hash: 7A31717140E3C06FD7138B659C55A22BFB8EF47610F0A80DBE884CB5A3D229A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 05900D81, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05900E12

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 85d6dad2c9eb96877628220b1eb03965ad92edeead6d80760ce0623b3eacc6cb
Instruction ID: 37588a933e08b3bc461e636d66416637cb725f8c2f349358fc8f9f49601c6bc7
Opcode Fuzzy Hash: 85d6dad2c9eb96877628220b1eb03965ad92edeead6d80760ce0623b3eacc6cb
Instruction Fuzzy Hash: ED21B771509384AFE722CF25DC44F66BFBCEF45310F0888AAE985DB152D264E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05901154, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 059011FA

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 451c4b04550b40a2cf79b8fcf914eef767cfcb09a379c6850171f3e6703b550f
Instruction ID: be238481217681a46d4543adf63df99812969a6e533b143c90004dac1e0316a0
Opcode Fuzzy Hash: 451c4b04550b40a2cf79b8fcf914eef767cfcb09a379c6850171f3e6703b550f
Instruction Fuzzy Hash: C821817550E3C06FC3138B358C55A21BFB4EF87A10F1D81DFD8848B6A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05901A38, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05901ACD

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: fe990054fc7fed033f0ce7c4ef563c4abfadbb67f91f83523ae04f8ced4f9860
Instruction ID: bf39525bd07f6d80f1fdd84d0daf7aaab6e15f7bc9b49b5ee8daccc67c727309
Opcode Fuzzy Hash: fe990054fc7fed033f0ce7c4ef563c4abfadbb67f91f83523ae04f8ced4f9860
Instruction Fuzzy Hash: D121D3B64087806FE713CB25DC40FA2BFBCEF46720F1884DAE9849B193D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0169BC64, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 0169BCF5

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 846cf564baa1bc50579f30f786681e2bfd0a2efb60e77a27d6473cc4e93d534d
Instruction ID: e360858d7f2589b5213a95d46cbf83575c0098306f69c77736e7aeefd6072502
Opcode Fuzzy Hash: 846cf564baa1bc50579f30f786681e2bfd0a2efb60e77a27d6473cc4e93d534d
Instruction Fuzzy Hash: 892181755093C49FD7228F65DC55B62BFF8EF46214F0984DBE884CF263D2249809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05901224, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 059012BE

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4c5b19a9db58ded1b724070bb64318179cc59510f6529e29f4347878190d8bfa
Instruction ID: ccf01db585ae7326032dd6b3e67cf378eb94a1056d7cf3cc1476a6c1139b9a42
Opcode Fuzzy Hash: 4c5b19a9db58ded1b724070bb64318179cc59510f6529e29f4347878190d8bfa
Instruction Fuzzy Hash: 5A21C8755093C06FD3138B25DC51B62BFB4EF87A10F0981DBE9848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05901962, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 059019E1

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1841a74643c7cb59ac38643c6fc4554b7eced66a4ebf97ff74684b631a745b75
Instruction ID: 8705f84236170f3875cf6d341c8d039bc3a42aa87f6b05f543058d1295adc597
Opcode Fuzzy Hash: 1841a74643c7cb59ac38643c6fc4554b7eced66a4ebf97ff74684b631a745b75
Instruction Fuzzy Hash: 21218E71500740AFEB21CF66DD84B66FBE8EF08710F08886AE9858B692D375E504DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0169AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0169ACD1

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 906e431d575efa60da64ffc915fa4ae7d689fb952484fe8dda97d28bb0b0443f
Instruction ID: bce20d2227f2478ee224b052e492f3686afcb295828ff933e9e34a09ac4ac0ce
Opcode Fuzzy Hash: 906e431d575efa60da64ffc915fa4ae7d689fb952484fe8dda97d28bb0b0443f
Instruction Fuzzy Hash: 7D219F72500704AFEB219FA9DC85F6AFBECEF08720F14845AED459B246D624E5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0590094B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 059009C6

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9facc6f6edcc70201387a4b2a30479f746eefde1bf59c196370296a5bbee8714
Instruction ID: 284b2bd9499b804c55b9075708b8ae874fde86fa122364a2f307c1b56cfa5937
Opcode Fuzzy Hash: 9facc6f6edcc70201387a4b2a30479f746eefde1bf59c196370296a5bbee8714
Instruction Fuzzy Hash: 792150765093C05FE7128B65DC89B96BFE8EF06310F0984EBE985CB293D265D818C762

Uniqueness

Uniqueness Score: -1.00%

Function 0169AE43, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 0169AEC6

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 75df9e1658e21f67fe8ebbe999617126ee4dd6b51e4a5cfd675c7d230d19fe9b
Instruction ID: 4d1eaad228ba70fdbd6d6714dc96d7f20888b9af0b65aebeb4266e74527070fa
Opcode Fuzzy Hash: 75df9e1658e21f67fe8ebbe999617126ee4dd6b51e4a5cfd675c7d230d19fe9b
Instruction Fuzzy Hash: 8621E7715483806FD3128B26CC41F72BFB8EF87620F0981CBED848B652D221A915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0169AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 0169ADD4

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8f5962cd21c8f9d35e2edfa7431a2c27936090e28a7be74c8fd3361af39ca507
Instruction ID: e2b69224f58746f391bd6d367b57758e7d4745d4e2e062cc6fbd5f65519f4d48
Opcode Fuzzy Hash: 8f5962cd21c8f9d35e2edfa7431a2c27936090e28a7be74c8fd3361af39ca507
Instruction Fuzzy Hash: FA219372600704AFEB21CF59CC84FA6FBECEF04710F04845AED459B256D764E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05900DAE, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05900E12

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 7d9df412e89b0982163a36e45f46d8e5f7ff1de9edb30112fd1be4d3481c194e
Instruction ID: 3272b55b6fe362df0ecd62c98133a70ffd5401bae775242bd6bd4923d3030e73
Opcode Fuzzy Hash: 7d9df412e89b0982163a36e45f46d8e5f7ff1de9edb30112fd1be4d3481c194e
Instruction Fuzzy Hash: 9211AF71600300AFEB21CF65DC88F66BBACEF04720F14886AED49DB285D674E444CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0169B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0169B4A9

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 7b7fbccedc60f22d2c706b73ef3b7cdede32705ccc0e54ce80f5bdee9d30d6db
Instruction ID: 252a80da8a0ce5299bb77c8607eb2a4a23916e6d043eaca804cb23cefc28cc5f
Opcode Fuzzy Hash: 7b7fbccedc60f22d2c706b73ef3b7cdede32705ccc0e54ce80f5bdee9d30d6db
Instruction Fuzzy Hash: 7D2190B15093805FEB228E19DC45B62BFE8EF46614F08809AED84CB257D365E808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0169BD39, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0169BDA4

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 31c1cc2d1c87bf23387d7e216f32a49e110386a3f8b649a40f7f3c391e559dba
Instruction ID: 50eaecbe156f9f5befd3b6d6f8af143118686e2510ffd8f11c5b62f9f865b63c
Opcode Fuzzy Hash: 31c1cc2d1c87bf23387d7e216f32a49e110386a3f8b649a40f7f3c391e559dba
Instruction Fuzzy Hash: B82190714093C09FDB128F25ED84B52BFB8EF42210F0984DBED858F663D264A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05900CC6, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05900D22

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 116acd92c2ea77ef9064ebb99f896221c73832d3e504e8986dbfdb6229ecf219
Instruction ID: 90e2cc0a5a94a5af91f7b4898fb0e12240ca14cc55d83fa52ff58bdf93a6c306
Opcode Fuzzy Hash: 116acd92c2ea77ef9064ebb99f896221c73832d3e504e8986dbfdb6229ecf219
Instruction Fuzzy Hash: 3911C475500304AFEB21CF69DC45F6AFBACEF44720F14886AED458B685D674E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0169BDED, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0169BE5B

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 3527a4d7a4aedab6930b5fcbd950439c390f4dbd8074a1e0fb1e618c82d6be6c
Instruction ID: c72116020603df8a7741e7708f475bfa3f3fde8c7a74a8f4b510d73c796cc4d8
Opcode Fuzzy Hash: 3527a4d7a4aedab6930b5fcbd950439c390f4dbd8074a1e0fb1e618c82d6be6c
Instruction Fuzzy Hash: 362184765093C49FD7128B25DC45B52BFA8EF02210F0980DAED858F263D375A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0590089F, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05900904

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4eb604a12135f1111a70adecefa8bd4ee56544156b9b9ba439d39e150845df99
Instruction ID: 7453b32f03990634117f77ff35e468eb1cb27ef5e09b7c2867ead9b7988425b1
Opcode Fuzzy Hash: 4eb604a12135f1111a70adecefa8bd4ee56544156b9b9ba439d39e150845df99
Instruction Fuzzy Hash: 7B11B4714093C09FDB128B25DC94B52BFB8EF02220F0884DBEC85CF293D2759808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0169A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169A666

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0dff622802def30536894625ee76f1b25246d1a9184d061ea19e2dae78b032eb
Instruction ID: f0b5ae51ee55279ae38dd3d4fe62df80e630a2376d67cbc35271907ddc0a5d2d
Opcode Fuzzy Hash: 0dff622802def30536894625ee76f1b25246d1a9184d061ea19e2dae78b032eb
Instruction Fuzzy Hash: 8C117271409780AFDB238F55DD44A62FFF8EF4A210F08849AED858B552D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05900386, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 059003FD

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 36d799c4b3de61077159c90e2e2ace1054658e9f163cf28fd1943be395ba3b5c
Instruction ID: 08cfd12da3f452d1d4511ed4581e3dc9c62a91acdb1e740932f10625f266d983
Opcode Fuzzy Hash: 36d799c4b3de61077159c90e2e2ace1054658e9f163cf28fd1943be395ba3b5c
Instruction Fuzzy Hash: F8219D724097C09FDB238B21DC54AA2BFB4EF07224F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 059007F6, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05900858

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a912ee3d22844bddeac7c9ad6c5287ae5e4427dbf54467a23f47270ee7a00158
Instruction ID: 2edbd037462ff15d0c1954c3e449bbe31a7839251789ad34c66392ad6fcba7e6
Opcode Fuzzy Hash: a912ee3d22844bddeac7c9ad6c5287ae5e4427dbf54467a23f47270ee7a00158
Instruction Fuzzy Hash: 3B11B1715093C09FD712CB25DC84B56BFE8EF02220F0984EAED85CF252D225A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05902023, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0590208D

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eeceda2eacf1668461a63c1ff02e22e68152f255d98ba76d805aed60fa3f5eb4
Instruction ID: d0d15e5a505e5a5ae2f93bd72d3909c4947f8c5b001c39abda85515e5d9944a2
Opcode Fuzzy Hash: eeceda2eacf1668461a63c1ff02e22e68152f255d98ba76d805aed60fa3f5eb4
Instruction Fuzzy Hash: 6E1190755097809FDB228F15DC45B62FFB4EF06324F08849EED858B663C275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0169A97B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0169A9DC

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a0c70cc385d09b33914295f9be44bc72648d62279a7941aaf1a37aa00af002a7
Instruction ID: 213cdb5e4ae5fdf998be8852771cf7088613a93fbd636a6d128a9a1312848d3d
Opcode Fuzzy Hash: a0c70cc385d09b33914295f9be44bc72648d62279a7941aaf1a37aa00af002a7
Instruction Fuzzy Hash: 23118F714493C49FDB128F15DC84B52BFB4EF46224F1884DBED858F253D279A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0590097E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 059009C6

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1219679e2945f5ebc7fd99e5ce9a77217858049cc9f48e119c3dec21faf8c531
Instruction ID: dfe3929b0d4a5cc0d970f1bcbfe5dede914db12d65cbf3f0558958f3380eddff
Opcode Fuzzy Hash: 1219679e2945f5ebc7fd99e5ce9a77217858049cc9f48e119c3dec21faf8c531
Instruction Fuzzy Hash: E21165716043408FEB60CF69D849B66FBD8EF04720F18986ADD49CB686D775E414CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05901A7A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,42B6C6A7,00000000,00000000,00000000,00000000), ref: 05901ACD

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e4976084ca931714045302d9ea028f4c5c4f4f5a914c6c3745d4c530422a1838
Instruction ID: 99e97dd85bda0d90c47cdc7a81091cd94b177ce67d0f968183ae6bdb5f3cb38b
Opcode Fuzzy Hash: e4976084ca931714045302d9ea028f4c5c4f4f5a914c6c3745d4c530422a1838
Instruction Fuzzy Hash: DA012671500300AEE721CF1ACC85F66FB9CDF44720F04C45AED059B285D274E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0169BCAA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 0169BCF5

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: efb47377586fa7f429b6f0e4a97474af44f6486a3621aa15b8103602cb0f0421
Instruction ID: 529e9fbee2cefaae366a05ff404f8427776f87b5c07bd906d666ebdb88671b3f
Opcode Fuzzy Hash: efb47377586fa7f429b6f0e4a97474af44f6486a3621aa15b8103602cb0f0421
Instruction Fuzzy Hash: AE113075500384DFEB20CF5AEC45B66FBE8EF44620F08846ADD458B756D775E408CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0169A42A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0169A480

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7239c459e286b23e1e87c2b2b84af2c053d38f8e7998216cb6023170d024c65f
Instruction ID: c45d4e3f6feaeaf0368f106f08861f6e0cae8ebfa2c8b294b09fe547159fb013
Opcode Fuzzy Hash: 7239c459e286b23e1e87c2b2b84af2c053d38f8e7998216cb6023170d024c65f
Instruction Fuzzy Hash: 73018475409384AFDB128B15DC44B62FFA8DF46624F0880DAED854B257D375A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0169AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0169AB46

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ef0e051c8d3ee1f23e762179a28d7cc65be242df2aa61853afc265153d47c11a
Instruction ID: db7697bdd6a07ec15d638a8d744f88b496a1b5688394b65d6537b69b82189c0a
Opcode Fuzzy Hash: ef0e051c8d3ee1f23e762179a28d7cc65be242df2aa61853afc265153d47c11a
Instruction Fuzzy Hash: F8117C314097849FDB228F55DC89A52FFF4EF46620F08849AED858B262C375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0590081E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05900858

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 63b55a206e1c87f9dfa877a64b9c54d9dcb9eccc86971989219b4f599a46783b
Instruction ID: 25079a45080960f2ac8e560a139aff7a0896abf4fc64ce5c85124f956ed0fd39
Opcode Fuzzy Hash: 63b55a206e1c87f9dfa877a64b9c54d9dcb9eccc86971989219b4f599a46783b
Instruction Fuzzy Hash: 48019271A042408FDB50CF2AD888766FBD8EF00220F4898AADD49CB686D779D404CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0169B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0169B4A9

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 78233337dadfb88af6aa69f463b2572725549ddda37eb342f126469f4a0bc689
Instruction ID: 73aeb238a4028c050823a19e73d5bf308e04512b42790891aa9d07802ad9a5bf
Opcode Fuzzy Hash: 78233337dadfb88af6aa69f463b2572725549ddda37eb342f126469f4a0bc689
Instruction Fuzzy Hash: 660144755012409FDB60CE19EC45B66FBE8EF44A20F088459DD498B75AD375E404DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0169A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169A666

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b01e549035be3f0a2e09e2a72bc9ed3fa8d3f0c9fc9fc9ee3feac13e84f1bbf
Instruction ID: 8bf5bd4fd90eae83d82f5f7adae6aca731ffea5d1bdbb3f5c372a0cd0219c2c5
Opcode Fuzzy Hash: 9b01e549035be3f0a2e09e2a72bc9ed3fa8d3f0c9fc9fc9ee3feac13e84f1bbf
Instruction Fuzzy Hash: 5D015B315007409FDB228F99D944B66FFE4EF48720F0888AAED894B616D375A414CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0169BE1E, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0169BE5B

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 02a8b2c02791e66c689e1ced5918f874e6db91907b2a8c851b886b7eaadcc016
Instruction ID: 2a74c99ec8979bf16bf84110ad9143feeefea3fd9bb4c8fadfb3238f02c60fd4
Opcode Fuzzy Hash: 02a8b2c02791e66c689e1ced5918f874e6db91907b2a8c851b886b7eaadcc016
Instruction Fuzzy Hash: 010171756006448FDB608F1AEC85B66FB9CEF44620F08C0AADE458B756D375E408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0169BD72, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0169BDA4

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 921a828a600afeac6085684614c43936ad2a8375aaa80e59dfcf0e8a700c1350
Instruction ID: 6badabd058b31c690d24d0b53a7d2ecc33a63b8b75ec40ec878ad13f68f5a008
Opcode Fuzzy Hash: 921a828a600afeac6085684614c43936ad2a8375aaa80e59dfcf0e8a700c1350
Instruction Fuzzy Hash: 5101B1765043408FDB108F59E884B66FB98DF40620F08C0AADC498B646D274E408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0169AE76, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 0169AEC6

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 97a55f86acedb431c1e4c1e3339f6ac27f65f045a397b9e125beeeb02c4a1339
Instruction ID: 9c29c0b35bdb9363c43f6226b121763e324beaf8a9389442b2521008428c5dfc
Opcode Fuzzy Hash: 97a55f86acedb431c1e4c1e3339f6ac27f65f045a397b9e125beeeb02c4a1339
Instruction Fuzzy Hash: F501AD71500600ABD224DF1ADC86B36FBA8FF89B20F14C11AED484B741E231F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0169A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0169A346

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 292f013a6301b36186e0833c0eeda67d49898f21010037a44342d6d83634b100
Instruction ID: cd41dc203cf84a86764e6d2fbca1bd902f45bf23c487381918f60ad6c899d79a
Opcode Fuzzy Hash: 292f013a6301b36186e0833c0eeda67d49898f21010037a44342d6d83634b100
Instruction Fuzzy Hash: 8E01AD71500600ABD224DF1ADC86B36FBA8FF89B20F14815AED084B741E231F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 059011AA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 059011FA

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 0d84f05c0ff22894abfca6da1ae81d27204d6fda833a8acbb78835a1930918d6
Instruction ID: acd0fb202f57e7389cd8dd29011f5dc33abcb33d4c1c4ded4eb3dff621fc858e
Opcode Fuzzy Hash: 0d84f05c0ff22894abfca6da1ae81d27204d6fda833a8acbb78835a1930918d6
Instruction Fuzzy Hash: CE018B71500604ABD224DF1ADC86B26FBA8EB89B20F14811AED084B641E231B916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 059008D2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05900904

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1f46fa89f386e82ef97477ff7593bc284027f5179414574f367a71a4987ad5e5
Instruction ID: 124fcae22d1cd8c6c9d923cd53603f570b23f5e240fb7bef9ceaacedc62358a4
Opcode Fuzzy Hash: 1f46fa89f386e82ef97477ff7593bc284027f5179414574f367a71a4987ad5e5
Instruction Fuzzy Hash: AB01A2715003409FEB10CF6AD888766FB94EF44220F48C8ABDD498F696D279E444CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0590126E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 059012BE

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb1f648d8265ddd03994d428ec6421580be573b083ba94a49fbe23f7b5e7560f
Instruction ID: f22858e519ddcf9996a53955cbf3820b64c0b56df940cdd74caf441be90210a0
Opcode Fuzzy Hash: fb1f648d8265ddd03994d428ec6421580be573b083ba94a49fbe23f7b5e7560f
Instruction Fuzzy Hash: DA018B71500604ABD224DF1ADC86B26FBA8EB89B20F14811AED484B641E271B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 05902052, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0590208D

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 78c5e55a64e4602a0a728721f4c2f698a48de42b311cc085eddd41ad2dd300e4
Instruction ID: 07585e844a38c8da351516ef5fb539d2f8cc878900b29b677538f554d571391f
Opcode Fuzzy Hash: 78c5e55a64e4602a0a728721f4c2f698a48de42b311cc085eddd41ad2dd300e4
Instruction Fuzzy Hash: 6F0171355007409FDB218F56D888B66FBA5EF04320F08C89EDD464B655D375E458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0169A9AA, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0169A9DC

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6cd2652de5bb46dc08a9a14bd64f3559a5e04279fc61d626d16a6ed4e82e3fcc
Instruction ID: a2eb1b447f94b667d1aaf23140c3f547943744bd730a34c5167b6af81835db49
Opcode Fuzzy Hash: 6cd2652de5bb46dc08a9a14bd64f3559a5e04279fc61d626d16a6ed4e82e3fcc
Instruction Fuzzy Hash: A001AD749003409FDB60CF9AD984765FBE8EF44220F08C4ABDD488F606D379A444CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 059003C2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 059003FD

Memory Dump Source

Source File: 0000000C.00000002.817599683.0000000005900000.00000040.00000001.sdmp, Offset: 05900000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d956400e8157409449c9052464d6b76ae0cd6ca84f3832c1a6d7cf746085777d
Instruction ID: 27649d441925ace840d6b71aa1713353d5527f583f6f3f9b4d41f6be8a1fc24e
Opcode Fuzzy Hash: d956400e8157409449c9052464d6b76ae0cd6ca84f3832c1a6d7cf746085777d
Instruction Fuzzy Hash: 22018B31500340DFDB61CF46D888B25FBA4EF08320F48D89ADD890B656E375E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0169AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0169AB46

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9256ea4020f1e8ebd7c00d4b7845ae9c79f1322c17c813195cd46c864c9e1971
Instruction ID: e20c0cfbecd1f0dc831b7246434af60340924a9fd5eb1259f7b9dbd2240cc439
Opcode Fuzzy Hash: 9256ea4020f1e8ebd7c00d4b7845ae9c79f1322c17c813195cd46c864c9e1971
Instruction Fuzzy Hash: E901AD315007408FDB218F8ADC84B21FBE4EF04720F08C89ADD4A4B75AD375A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0169A44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0169A480

Memory Dump Source

Source File: 0000000C.00000002.812402281.000000000169A000.00000040.00000001.sdmp, Offset: 0169A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 40040245bbe5ab505d9619f9a8ba34c799fd84c87fb9330f2f046f5a49b5bfec
Instruction ID: 9a7b8c0c52388bd093b67a438d7c5480b15b83867527a5beb3a2e4145dd45f13
Opcode Fuzzy Hash: 40040245bbe5ab505d9619f9a8ba34c799fd84c87fb9330f2f046f5a49b5bfec
Instruction Fuzzy Hash: ACF0AF359053408FDB208F4ADC88761FBE8EF44B30F08C0AADD494B756E379A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 05837189, Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

(, xrefs: 05837047

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 61e2304882e8e4ea9b32bbee50eb3676a7350fa45f0b91a7674950f7003b3c0a
Instruction ID: 8ef7a7a3ac632138670c77e49056f7c28a10d5459c51f1492cad5fab344ea60e
Opcode Fuzzy Hash: 61e2304882e8e4ea9b32bbee50eb3676a7350fa45f0b91a7674950f7003b3c0a
Instruction Fuzzy Hash: 7651C7747001049FDB44DB98D891A6EB7B6EF88314F28C159E91ADB385CB36ED53CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05837058, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0583712D

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: b1e23583c010e93becfd086cb4d94a414406356df0290096c12076b23ebe4130
Instruction ID: 62777bc2360971f46131967ce63937cca3ceeafadec49ec5ab999bf5be845a9c
Opcode Fuzzy Hash: b1e23583c010e93becfd086cb4d94a414406356df0290096c12076b23ebe4130
Instruction Fuzzy Hash: D641BF74700205AFE714DBA8DC51B6AB7B3EB89314F28C46AD916DB3D1CA75ED02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05831E18, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05831E45

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 733f29928c973fb5a2224bf90c8a028ca66be6a6bf3ea97b762c3b6c870805c3
Instruction ID: b358aa1f17846258f6dd14ddbd972763aea3e75f4f787ea236c58bed3b6def63
Opcode Fuzzy Hash: 733f29928c973fb5a2224bf90c8a028ca66be6a6bf3ea97b762c3b6c870805c3
Instruction Fuzzy Hash: AA412A74E101099BCB14DBA9D899AEEBBF6BF8C711F148069E905FB244DB319C40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05834AA0, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

:@fq, xrefs: 05834E9A

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: fe33d8c2cc5e2463d4aa18c3a69ef275f9812d54ebec5f9cf7eda7303f66d09b
Instruction ID: 3d91ec94f9db7ee12ee7f07cfc512762a718c53cd4331d349c839bcfc53c3d52
Opcode Fuzzy Hash: fe33d8c2cc5e2463d4aa18c3a69ef275f9812d54ebec5f9cf7eda7303f66d09b
Instruction Fuzzy Hash: A341AF30B08619CFDBA0CFA9C48A77AB7F5BF45214F04856AE866C72A1C375DD04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05831D90, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05831E45

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 05e0bcef4169b241c7df40bc56497830425bac00ed0b6bc266deecd1d0413b16
Instruction ID: 34da448f33b054682b97137bd816eb304ff5d932a35b5327abde3df942faefd0
Opcode Fuzzy Hash: 05e0bcef4169b241c7df40bc56497830425bac00ed0b6bc266deecd1d0413b16
Instruction Fuzzy Hash: 60319C31E0424A9FCB15DBB9D8156EEBFF6FB89211F14806AD505FB244EB309D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05830007, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0583007A

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: fcd93e23d745f02639cf3c7be67e2aff1c37192c5e5537b6fbe2a3e47e03768e
Instruction ID: da10da3fbb59edbff6b705d231bb86e795a3097072f5d45d84024c9e84b12032
Opcode Fuzzy Hash: fcd93e23d745f02639cf3c7be67e2aff1c37192c5e5537b6fbe2a3e47e03768e
Instruction Fuzzy Hash: E4117F7140E3814FD3129730EC647953F72AF43211F5A42EFC684CB6D7DA6C49588B62

Uniqueness

Uniqueness Score: -1.00%

Function 05832538, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33394f5ac4ac206c6a1f52b7df24f7d87e99e139082c0c0e846562be09861e67
Instruction ID: 61af91d310a738f6e81e590ede6bbad851a7aca5e93231f8b0f868617d2c5cc6
Opcode Fuzzy Hash: 33394f5ac4ac206c6a1f52b7df24f7d87e99e139082c0c0e846562be09861e67
Instruction Fuzzy Hash: 66526B34B00215CFDB54EBB9D85966EB7B3BB88300F28816AC806D7395DFB49C56CB85

Uniqueness

Uniqueness Score: -1.00%

Function 05833760, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb2223356ea6477a8dedb49aafafed6a4ac4c6e7dda4d8e4bb5e4320eca2dd7
Instruction ID: b22591269cd9935d3f4c311aaedc494f4f396d8aa0d5f50e4d19817c199fc60d
Opcode Fuzzy Hash: 0eb2223356ea6477a8dedb49aafafed6a4ac4c6e7dda4d8e4bb5e4320eca2dd7
Instruction Fuzzy Hash: 72D19470B04218DFDB14CBA9C85676DBBB3BB85305F64896AD806EB385CE70DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05833700, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7b94b42f8b36c83a789f6aa5e79cc2cf30873ce3e960a6d8dcecfd3ca51579
Instruction ID: 873b833036b1bc3bb791194d2841bccc037ad44544012377203b3031806b314f
Opcode Fuzzy Hash: 0a7b94b42f8b36c83a789f6aa5e79cc2cf30873ce3e960a6d8dcecfd3ca51579
Instruction Fuzzy Hash: 1AB18170B04209DFDB10CBA9D856B6DBBB3BB45705F64896AE806EB385CE70DD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05833750, Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b80d111852bfe0b076198320da151abb5dddd6cbdd295f3b4db1aa062d3521e
Instruction ID: c045539afbb4007129b9225d8a53b5f84d3310fa8a1f469f5e35c363f8f7d910
Opcode Fuzzy Hash: 6b80d111852bfe0b076198320da151abb5dddd6cbdd295f3b4db1aa062d3521e
Instruction Fuzzy Hash: 22B18270B00208DFDB14CBA9D856B6DBBB3BB45705F648969E806EB385CE70DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 058333A8, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a035ed1d5ce4510ce68c53f716b3fbed260cefd5ed829258a82bf095ef5654c3
Instruction ID: 632c0e495a0ebfbd5a73ded7342ef002aa85e6281da431b909079c36bfe48547
Opcode Fuzzy Hash: a035ed1d5ce4510ce68c53f716b3fbed260cefd5ed829258a82bf095ef5654c3
Instruction Fuzzy Hash: 7C91BE31B002059FCB44EBBDC85466EB6E7BF89705B2485ADD906EB390EE74CC05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05831730, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b663492ea7a2e097576c520e7dec915c1138729182e5d7823c82a6f1b8a8ca70
Instruction ID: 078d051eadd61850e9468b53cb8218130d95c83969b36eef95a0e1f75d46b4e6
Opcode Fuzzy Hash: b663492ea7a2e097576c520e7dec915c1138729182e5d7823c82a6f1b8a8ca70
Instruction Fuzzy Hash: 51512835608209CBC715CA68D88B6B6BFA2FB41B15F08866BEC56C7285C734ED05CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 05831520, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418d9ab71040efffd5a032624355a47b6518dff3f771985e460d7292945bee83
Instruction ID: 2df04802f522a8f02b629da7fff2cec6d38d6857ae32d625d1f58343bee152a3
Opcode Fuzzy Hash: 418d9ab71040efffd5a032624355a47b6518dff3f771985e460d7292945bee83
Instruction Fuzzy Hash: F851067260C205CBD724CB68EC1977A7B96FB41B25F48893EE996CB280EB64DD41C781

Uniqueness

Uniqueness Score: -1.00%

Function 05831A60, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b76a5dd88bcb0aa0beba01b82a6591c9de47ef73da542e13537b387c899270
Instruction ID: 0ba9e576bea525e03468566b7ad6290b671c415e24097298da4b66e038b715aa
Opcode Fuzzy Hash: 85b76a5dd88bcb0aa0beba01b82a6591c9de47ef73da542e13537b387c899270
Instruction Fuzzy Hash: 71513A30B002049FDB54AB79C858B6DBAF7BF88701F258069E806EB3A5DE759C05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05831A70, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3733f58a695a3ec072e25bc743df7984cbb36e7714c099118252f921751069
Instruction ID: 18db300e1c348351966f068c54227a18ca702d2373a6136f0f3241f9146f9687
Opcode Fuzzy Hash: 5a3733f58a695a3ec072e25bc743df7984cbb36e7714c099118252f921751069
Instruction Fuzzy Hash: 52511A34B002049FDB54AB79C858B6DBAF7BF88701F258069E806EB3A5DE759C05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05834F10, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c98eca712fdc3e23c976cf3b3be4ccec1baf881a91eb5123a21a924645f6d8
Instruction ID: 27a23c2ba27b8ebce7bb70d21e1b54401b623f7c2646a5019bdc85f0e7623322
Opcode Fuzzy Hash: 63c98eca712fdc3e23c976cf3b3be4ccec1baf881a91eb5123a21a924645f6d8
Instruction Fuzzy Hash: CE516D35A111149FCB04DFA8D994AADBBF3FF88314B158169E916AB3A4CB31EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05834913, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3cf24aa08ffe6b1714459cc92151f0c7542c908b33837ed1f4f1d31f39348a
Instruction ID: 3eb3670ad99019bbe039cd4c64dad4221ae8d7cb64adf847be549ebb84791bd9
Opcode Fuzzy Hash: aa3cf24aa08ffe6b1714459cc92151f0c7542c908b33837ed1f4f1d31f39348a
Instruction Fuzzy Hash: E7410531A08149CBCF00CB29D84A7BAB7F6EB45325F148267EC66D73B0D234DD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 05834820, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d0eff9c035bcdffc09d0f25d6897484da44c1949bc3efb661b8591619d382e
Instruction ID: fdba04900a632300a32410af3095d193fd8c72a08c75b356ce35f9b22cde8355
Opcode Fuzzy Hash: e5d0eff9c035bcdffc09d0f25d6897484da44c1949bc3efb661b8591619d382e
Instruction Fuzzy Hash: 9841F331608199CBEF04CE28C84BBB9BBA2FB51314F188276ED52CB6B1D238DC51C690

Uniqueness

Uniqueness Score: -1.00%

Function 058364B0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3a60338f8d59a5ff9c79bbf5caa46f7905e41d2ceb67feb08b3dcb3fe25b7e
Instruction ID: 8eda957afba858bd699a47e83b2eeff2f007aa797b50f75563d4abbbe3ea9dc7
Opcode Fuzzy Hash: ab3a60338f8d59a5ff9c79bbf5caa46f7905e41d2ceb67feb08b3dcb3fe25b7e
Instruction Fuzzy Hash: 8751D274904341DFEB60AF70E84D62EBFA1FB88306B90A91BE84197358EF749855CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05836211, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c4b956e2599eaca47fc6c2690f84f99922efb8badef7c7b78f63bf8ad21a96
Instruction ID: a2510f6f5c87d410e94c7eafa1fda237a4b70b7890342ff5a8d42ec60c66937c
Opcode Fuzzy Hash: 66c4b956e2599eaca47fc6c2690f84f99922efb8badef7c7b78f63bf8ad21a96
Instruction Fuzzy Hash: AB418F30B002029BD788EBB9EC9563E33A7ABC63517158169D913D7394EEB4AC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05830638, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e899bfc137c31a705ab77275be7fe51218fc16b5c38cef0ac4ce62e26d8eb9
Instruction ID: 009c2ab53b44a10b21387d735d01b0b3f78defd9033c5e36d772683821afbf3e
Opcode Fuzzy Hash: f1e899bfc137c31a705ab77275be7fe51218fc16b5c38cef0ac4ce62e26d8eb9
Instruction Fuzzy Hash: C831137160C346CBD710CB69EC0A7AABF61EB82324F04472AE8A5D71D6E7685E10CB81

Uniqueness

Uniqueness Score: -1.00%

Function 058350D8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f73905797e144c3de47848cde407c3ed1376ad1925a7412aed87d1963f4720c
Instruction ID: 30fc685fe852a2cb891ecddf3e67ed7feb50676cc4186c7c5ceb48cf77515d43
Opcode Fuzzy Hash: 6f73905797e144c3de47848cde407c3ed1376ad1925a7412aed87d1963f4720c
Instruction Fuzzy Hash: 34314830B102049FCB08EB79C859BADBBE6AF89304F2540ADE406DB7A5DF759C45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05830798, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee15439672e4cfcdb180b28adb0fca3399f0cfa56903217625713d709dbf677
Instruction ID: 6dfa5300ebbb83f2adc1713ffef541948db305c3a5ece50711643d8de633e941
Opcode Fuzzy Hash: dee15439672e4cfcdb180b28adb0fca3399f0cfa56903217625713d709dbf677
Instruction Fuzzy Hash: 84319231744204DFE7145A38DC1A77A3A96EB85701F84846EF806DB3C9DE76AC158F81

Uniqueness

Uniqueness Score: -1.00%

Function 05833116, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5792178d6b4f9f6b296f48625d568f061e0d9b43f32e94e9421e52d6662ffe
Instruction ID: bd424e0fef42333a4f91b9f828d77418b95b6f5b43bd8e9562a4efffacf78015
Opcode Fuzzy Hash: ba5792178d6b4f9f6b296f48625d568f061e0d9b43f32e94e9421e52d6662ffe
Instruction Fuzzy Hash: A3411670A083468FC714EB78D85462E7BE2BF84704F508D2DE4968B298DE34DD06CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05835E79, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c75c2aa0f6d44981c595412ab59e993e039ca09a5fcd2bbb44052b9ccdc2a17
Instruction ID: 09b04021525bc84179ecd6e012463bdad0668fe28bd04eb41238ca95579a4c26
Opcode Fuzzy Hash: 1c75c2aa0f6d44981c595412ab59e993e039ca09a5fcd2bbb44052b9ccdc2a17
Instruction Fuzzy Hash: 8331AD707083469FDB14DB38D85062A7BE3BF85714F60892DE896CB2A5DB34DC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05834A90, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c50fbdef5871a9325afbbe205255e7ee8437d0835124753928b890236f0121
Instruction ID: 2bc0ceb051cf3b80bcb7c26afebd0a9da1d03e3d530d7684550ce7e222e6e19a
Opcode Fuzzy Hash: a7c50fbdef5871a9325afbbe205255e7ee8437d0835124753928b890236f0121
Instruction Fuzzy Hash: E631BE31A04219CFDB90CFA9C48A7BAB7F5FF40214F08856AE865D72A1C335ED048B95

Uniqueness

Uniqueness Score: -1.00%

Function 05834920, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a9e2a29e2cf782c5a2e65431e9d66f91c538b5febb7f4af844ad4ba3277a9b
Instruction ID: 4ebed8b23557e34e9f007c328722f72009c38755be9456f4bbd8d98d079cb263
Opcode Fuzzy Hash: 12a9e2a29e2cf782c5a2e65431e9d66f91c538b5febb7f4af844ad4ba3277a9b
Instruction Fuzzy Hash: 6E31C430A08209CBCF10CB6AD44A7BAB7F6AB44325F148167ACA6D73B1D334DD04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 016AA5FC, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42218b43b2018236c7134e2ae8a10d0f09288dac521fdb7db1ae8e6d39437a98
Instruction ID: df4a098267c420caac6717db721d398a51ac22463ef99c11dd1fa608fdf511ab
Opcode Fuzzy Hash: 42218b43b2018236c7134e2ae8a10d0f09288dac521fdb7db1ae8e6d39437a98
Instruction Fuzzy Hash: 78315EB550D3809FD302CF29D844956BFF4EF8A614F09899EF8C8D7212D2749908CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05831800, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a26672e078e63866990f81b3f13b3e123fbb51a4c4930289a40dedc3bc8991d
Instruction ID: e5df81a8767b94e9123c2fc07fa96adb3e1428a303f0ec4ac869ab64dbcb14e7
Opcode Fuzzy Hash: 7a26672e078e63866990f81b3f13b3e123fbb51a4c4930289a40dedc3bc8991d
Instruction Fuzzy Hash: BA21A135A085088BDB45CA68D8477BAB7B6EB85715F14452BE822C6280C735DD06C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 05831952, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02fa8f66e57bb94256db29651e02e22a0b3150b52c7bda3bdebc1bfd041e0d1
Instruction ID: f8823e37f156e6800f3e3422ca2e30123b396317d4193186c7f915054e961432
Opcode Fuzzy Hash: a02fa8f66e57bb94256db29651e02e22a0b3150b52c7bda3bdebc1bfd041e0d1
Instruction Fuzzy Hash: 6D21B030508345CFE750EB38E94C65E7FA2FF81305F09C6AAD4454B169DEB8AC19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058369F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6208ba3d48959d08cd8b356639c394caeeee1470bbf59e728163300d1a8bfe80
Instruction ID: 0c9416e8a3ebe25b86be42b39c9de5888a176fbc1d19060887da9651b21a1377
Opcode Fuzzy Hash: 6208ba3d48959d08cd8b356639c394caeeee1470bbf59e728163300d1a8bfe80
Instruction Fuzzy Hash: FC215E70B0030ADFCF249B7AC85A6AE7AB6BB48654F245428D902E7344EF358C41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05836718, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad211fe9365ce1e2b37fc1f1c46ad123a6b8aacb114db0940b5c76f6db6dd4a
Instruction ID: e1a7826b3a0de37e5a25e51501d5a3da2a9e7aec328eeb4d8b348b823b3c665f
Opcode Fuzzy Hash: 0ad211fe9365ce1e2b37fc1f1c46ad123a6b8aacb114db0940b5c76f6db6dd4a
Instruction Fuzzy Hash: 32218470A00209DBDB24AF7AC859ABE7EF6BB48654F541528E902E7354EF788C41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 016AA960, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d615661d7af547bf7f6c7f19ec2b8b906f325b8e22203e0c1cbbb164be8b76
Instruction ID: d38d82f5e7039c5cd7c1e6f0fe701d2dda925bdefc1fc35e214909f5b11bd54e
Opcode Fuzzy Hash: 27d615661d7af547bf7f6c7f19ec2b8b906f325b8e22203e0c1cbbb164be8b76
Instruction Fuzzy Hash: D4215CB550D3806FD302CF15DC51A57BFE8EF86620F09889BF8889B252D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 016AAA18, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45db4448600faa967d94570c4ca8d19d7bd6840f85d2f995ca1283736d18e943
Instruction ID: 19abcdef334e9ed84a774c3313373ab17a49dac2f9cd7435c07febcb12b7763a
Opcode Fuzzy Hash: 45db4448600faa967d94570c4ca8d19d7bd6840f85d2f995ca1283736d18e943
Instruction Fuzzy Hash: F4215CB550D3806FD702CF25DC51956BFF4EF86620F0989DAF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058332D0, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb800826f4fd240a29a640797868fb663036abb2151a062771cdf3ef15cca38
Instruction ID: f6de34cb348b14c71ff60ccc4420fad182374ab63b7783d25db7f2a039c28924
Opcode Fuzzy Hash: bbb800826f4fd240a29a640797868fb663036abb2151a062771cdf3ef15cca38
Instruction Fuzzy Hash: F4217F71804348EFCB109F6AD8497DDBFB4FB09325F248459E819AB380C7795884CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058332E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d978d3265697677a9950adf5d15534d4b6f493f2bd4b6296e1f0e1b1f3b798c
Instruction ID: ce841f2cdd986c479bd7c0a3fb6854b702a4baea295031e16cfae4d892c68033
Opcode Fuzzy Hash: 9d978d3265697677a9950adf5d15534d4b6f493f2bd4b6296e1f0e1b1f3b798c
Instruction Fuzzy Hash: 37216D71905348EFCB109FAAD8497DDBFB8FB49320F248419E819AB740C7795884CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058369E8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a176bed36243e02f2c29a973429256d0895e3d75f1dcdff0e340a68af43d672
Instruction ID: 727f9cb5cf3b9dc780eb7330fbd56a1a3bc9614e4070029e79c4ac3b7bee24de
Opcode Fuzzy Hash: 7a176bed36243e02f2c29a973429256d0895e3d75f1dcdff0e340a68af43d672
Instruction Fuzzy Hash: 00115170B04309DFCF249B79C8566AE7EB6BB89654F245428E902E7350EB359C41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0583523D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22bfb5ec2805aab0d51fdfb931ef636f5d9c035f0a77ad73c7aeb58ea49b3eb
Instruction ID: 48f8c0e5b2aee9915ee9ce8e8af1efb3c9ec195ffdfb35a8043dbd4fd797a838
Opcode Fuzzy Hash: e22bfb5ec2805aab0d51fdfb931ef636f5d9c035f0a77ad73c7aeb58ea49b3eb
Instruction Fuzzy Hash: A0119330B44204DFCB11DB64D95ABADBBF2BF45305F5401AEE806DB2A2CB754C05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05836CBB, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b75f2fd5ba8192e76eb43e11bc7ef42b5e965e7f6e3593b85b471540309fb4
Instruction ID: 20910e3acd6c50692fe5f2bfc9601fae146a6ff59f4f0e6249b8d1f0471cb478
Opcode Fuzzy Hash: a7b75f2fd5ba8192e76eb43e11bc7ef42b5e965e7f6e3593b85b471540309fb4
Instruction Fuzzy Hash: 5F114031608165AFE760CF6EAC0567A7BA5FB41339F144627E915C61E0EBB1DC02C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 05836707, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d694e95f421b5a94f8efff0a004a8ed6c9e659369f319e1d686928cb8269310
Instruction ID: dd07d563846f0f40e2cf5f8b2dbe967c8718ac7aeb7d51f45d869b8a02cbce16
Opcode Fuzzy Hash: 2d694e95f421b5a94f8efff0a004a8ed6c9e659369f319e1d686928cb8269310
Instruction Fuzzy Hash: 7F118430A04205DBCB24AF79C859AAE7EF2BB49750F140529E902E7390EB79DC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD07AC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812589905.0000000002FD0000.00000040.00000040.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb6fb92166aa862ec22d10c5c13b5f63bf73e0638bc2a30223f22db30d16642
Instruction ID: de93fe341200f486f52e115bb365511ab142e1599c8d6df45e765ddb615c3529
Opcode Fuzzy Hash: 4fb6fb92166aa862ec22d10c5c13b5f63bf73e0638bc2a30223f22db30d16642
Instruction Fuzzy Hash: D511D631644384DFD315CB14D944F26BBA2EB88708F2CC9ACEA494B643CB7BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0773, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812589905.0000000002FD0000.00000040.00000040.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a899498ee5256417beee676e87cbb6789648dd29ffc8aaed831af4c8a457fe7
Instruction ID: c99a417dedaeb01f990c303efb55e93f4a9956b6263b0ff2f1327fb20f17cd5f
Opcode Fuzzy Hash: 9a899498ee5256417beee676e87cbb6789648dd29ffc8aaed831af4c8a457fe7
Instruction Fuzzy Hash: F7214F355497C18FD7138B20D950B55BFB2AF47314F2D86DED8848B6A3C73A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0583059F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e2040ed7a70690f9d81a3e3e09a8f879c24565a696abbeb22260b59de32597
Instruction ID: 3c0cbbe275402bba00dd8b2d44347c172b298ffa8614a44c2f2fa4b25ed20584
Opcode Fuzzy Hash: 68e2040ed7a70690f9d81a3e3e09a8f879c24565a696abbeb22260b59de32597
Instruction Fuzzy Hash: 8211B16251C915CAE714C63CD84B37577E2BB80329F1C8733DC66EC0D6D2ACC8015290

Uniqueness

Uniqueness Score: -1.00%

Function 058313A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4443683ca5a3056c7697f30be9d8b8848749887af3d5827be1a3e55ccc7ddb07
Instruction ID: 5c456be816df87b808e5c8c3c825e5bbae2e76a4dcaafc153eac5541bc59e55d
Opcode Fuzzy Hash: 4443683ca5a3056c7697f30be9d8b8848749887af3d5827be1a3e55ccc7ddb07
Instruction Fuzzy Hash: 45018622B1D01847E314C42ED94A77AB18BF784A29F04C733B896C6694E5ADDC40C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 05836420, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8371f2cf9db9f9842f92d9bcb99629b5b541e1683d92f379dec5e4073d08360
Instruction ID: 887e236518c61eb4ae475e1a915e3bc479c3c52d46b714bf82992214573e470f
Opcode Fuzzy Hash: a8371f2cf9db9f9842f92d9bcb99629b5b541e1683d92f379dec5e4073d08360
Instruction Fuzzy Hash: 2011E530F00301AFDB108F798956B6A7BE6EB84355F10803ED505C7241FA75D856CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05831391, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c54ef80e1e95e5701d87638bbe40484d1f27d42d76d9494d3db09478adc51f
Instruction ID: ed57adbcc7876d75dfedc7c897a26eebb897f3d07e680898ffa9f032635747de
Opcode Fuzzy Hash: e7c54ef80e1e95e5701d87638bbe40484d1f27d42d76d9494d3db09478adc51f
Instruction Fuzzy Hash: 5201F223B1D45406E314842EDC06776B687F785B29F04C733A8A6C66C0E8ADDC408BD2

Uniqueness

Uniqueness Score: -1.00%

Function 016AA834, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4bdef08b91af010458a8e349254874f47171704555300eedbbb42cba3d91bf
Instruction ID: 5239d22ccaf71666920b1c6d8e6273313262f4a30f0984cf37b66fd3b20cc581
Opcode Fuzzy Hash: 7f4bdef08b91af010458a8e349254874f47171704555300eedbbb42cba3d91bf
Instruction Fuzzy Hash: 53010CB5644301AFD310CF49DC41E67FBE8EB88A60F14C92EFD5997310D275E9048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812589905.0000000002FD0000.00000040.00000040.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4003a63807bba72bc917685264dbd76f7cf109242ed196c397fb2d436343f2
Instruction ID: 1dfe407429502c762a236a04a89065a08608a40756416e994977cb6caa908159
Opcode Fuzzy Hash: 4c4003a63807bba72bc917685264dbd76f7cf109242ed196c397fb2d436343f2
Instruction Fuzzy Hash: 5C0162765097806FD7128B16DC41862FFE8DF8662070984DBEC898B652D229A909CB76

Uniqueness

Uniqueness Score: -1.00%

Function 016AA8E8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18b4d271a18b5eea6ff4304652095208e88a6e277f333dc72ee92eb756ae82
Instruction ID: be8497c25bc05e78d5e560743b4e0015541eb35e00c157e81f6673368680386a
Opcode Fuzzy Hash: ec18b4d271a18b5eea6ff4304652095208e88a6e277f333dc72ee92eb756ae82
Instruction Fuzzy Hash: D1F081B66043007BD3108E45DC41E63FBE8EB84A60F14C95AFD4D57310D275E9048AA6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA790, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b9d835b12af9cb2253bf03acfe3cf8214212bf30237bde7741716fcdd9a4a9
Instruction ID: 0edac522f4b916487b69b56b5a9723fe26062133bf397d5f95cfa2e6cb849cb2
Opcode Fuzzy Hash: c1b9d835b12af9cb2253bf03acfe3cf8214212bf30237bde7741716fcdd9a4a9
Instruction Fuzzy Hash: DCF081B26443007BD7108E45DC41E63FBE8EB84A60F14C95AFD4957311D275E9048AA6

Uniqueness

Uniqueness Score: -1.00%

Function 05837310, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f46b7b93701173ef76dbb638450b55914004bbc13bef283208f420b7612569a
Instruction ID: c931e8b740c81b256f807f8821353c2c19267272b786a6349526278ca482571a
Opcode Fuzzy Hash: 0f46b7b93701173ef76dbb638450b55914004bbc13bef283208f420b7612569a
Instruction Fuzzy Hash: F1F028B0309145CBD728861CD8427B936A2EB86314F5C40BAEC5ACB642C525CE46C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 05831648, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5f9f300c61d3adda0f6e8a2a0dbdc47472673a80f2fc16daf2ba3d6b2ecc7d
Instruction ID: 8941b6147e8ceb4681d3a305484b4d65c840e24034c68aec0404074e0400331c
Opcode Fuzzy Hash: 0f5f9f300c61d3adda0f6e8a2a0dbdc47472673a80f2fc16daf2ba3d6b2ecc7d
Instruction Fuzzy Hash: EA01D135705200CFE3048B94EC68A6A7BE5FB42305F49C4BAED48CF253E6798C09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05835E19, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac8532ff1a6ff5c4f254d5dbd8926aedf0a3b596586025e20d713179a6990c8
Instruction ID: f2262aa383022981db8c8b65149bb1c2151025870d742c1c57326a1f2ef3e4dd
Opcode Fuzzy Hash: 6ac8532ff1a6ff5c4f254d5dbd8926aedf0a3b596586025e20d713179a6990c8
Instruction Fuzzy Hash: D4F020303042616BE320D239DC61FAA369BABCAB18F14412EE645DB2C1CFA0DC0487D9

Uniqueness

Uniqueness Score: -1.00%

Function 05831658, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d27c4af9726c3e2073bcc2c536705c0f8b442ffbe975308588be387f30bdae
Instruction ID: aa3f61f6e11c985e8d6eea49a0d877ac99aad0cfdfc0925455a2a3c6fd1ca287
Opcode Fuzzy Hash: 78d27c4af9726c3e2073bcc2c536705c0f8b442ffbe975308588be387f30bdae
Instruction Fuzzy Hash: 73F0AF31705204CFE3048B84D858A69BBD5FB41305F49C4BAE908CF252E6798C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05830299, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b0155850e268ef8bef936f8e1f5c7baef7664a36e35961310930994490911d
Instruction ID: 50748327bd335492657b41a2996d6154cf885a8640e52d21edf083b7b5d861d5
Opcode Fuzzy Hash: b5b0155850e268ef8bef936f8e1f5c7baef7664a36e35961310930994490911d
Instruction Fuzzy Hash: EDF0E5213112009BDB1677BCEC0A36E3A59EB46751F84043BE507CB285ED2AFE114BC6

Uniqueness

Uniqueness Score: -1.00%

Function 058314B0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9179becddf4db5aed4545d579e4854dca9f8b9d926db4c44db1805b30dac5761
Instruction ID: 848b94512e581e708bdc572393d12003cc9d136cb30b95d379181d1b51a2894b
Opcode Fuzzy Hash: 9179becddf4db5aed4545d579e4854dca9f8b9d926db4c44db1805b30dac5761
Instruction Fuzzy Hash: 95F0E2353403445FD721A738EC1CA293FE5AF89311B8000AAF503CB2E6DEA19C05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05835E28, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f86feb64d0064aef0f235e51279890c9f157e8cde0828e81e5c3042f99c5a0
Instruction ID: 54e5fde638f3a720e8e4b765722fc6c03ec4800882f1aecac9c81024b1bc1544
Opcode Fuzzy Hash: 26f86feb64d0064aef0f235e51279890c9f157e8cde0828e81e5c3042f99c5a0
Instruction Fuzzy Hash: 2BE0D8703102246BD724623A9C42F6B329FABC9B24F24402EF605EB2C0CDA0DC0443A9

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0868, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812589905.0000000002FD0000.00000040.00000040.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 56dca20542a3d0ee67d0e246c29f9735aae7fb249819dffb9f6bcd323d1c8652
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 7FF01935648644DFC316CF40D940F26FBA2EB89718F28C6ADE9490B762C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 058302A8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7e288ea2f048ec904caa65e91e262469331cac5c3f5d3dd360dd995937cb3c
Instruction ID: 17a5adb27d944897dcd5ec32e48fec57eff1ec2ff7a3d2a363f80b94349c9723
Opcode Fuzzy Hash: 2d7e288ea2f048ec904caa65e91e262469331cac5c3f5d3dd360dd995937cb3c
Instruction Fuzzy Hash: 71E09A303112109BDB16B7A8EC1A36E3699EB85741F80083AE907CB284DE2ABD114BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0583145B, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af680b3e79a42e533da721a0e783418df2e45dbe7b594e334c215926a0a06a4b
Instruction ID: 715f55b1bcf8b42540ae1059e225487c5f213dce02832d5f1eabe41e2f720d72
Opcode Fuzzy Hash: af680b3e79a42e533da721a0e783418df2e45dbe7b594e334c215926a0a06a4b
Instruction Fuzzy Hash: 87E06D716055046FD744EAA4CC6179EBBE6EB85221F94806DD409E7381DE32AD028B84

Uniqueness

Uniqueness Score: -1.00%

Function 02FD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812589905.0000000002FD0000.00000040.00000040.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d3984d70419bd57b057d5aca58a08f7d8928d3bc9b91520442741c6f99c544
Instruction ID: 5131562283f4df88b8222a50f26e2f58bb871416bc3c41449f4b8728d9d9b4a7
Opcode Fuzzy Hash: e3d3984d70419bd57b057d5aca58a08f7d8928d3bc9b91520442741c6f99c544
Instruction Fuzzy Hash: F7E092766006005BD650CF0AEC41462FBD8EB84630B18C07FDC0D8B700E636F504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 016AAA7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4b2deb20fb7eb2a1f5f098af6cd5ebd077fd9c937a37aa1b283b0c62eea6ab
Instruction ID: f9d0239b1a66e09c0233b3ea801d57d207baed889f3051f995f8aa110123b215
Opcode Fuzzy Hash: 6c4b2deb20fb7eb2a1f5f098af6cd5ebd077fd9c937a37aa1b283b0c62eea6ab
Instruction Fuzzy Hash: E2E0D8726403006BD2509F06DC46F23FB9CDB40A30F04C45BED085B301E176B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA873, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee379c3ff454f78a6b6a44df75785ab04524674f0a66ccddab8a304934896a3
Instruction ID: a47baa25c509af5019594cc811f90c7e35b05dad70350b961661cc8865a70eaf
Opcode Fuzzy Hash: eee379c3ff454f78a6b6a44df75785ab04524674f0a66ccddab8a304934896a3
Instruction Fuzzy Hash: 6FE0D8726403006BD2109F06DC46F72FB98DB50E30F04C45BED0C5B301E176B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA9C3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e3f3a4dfe6da5edef9eadd5743aef985cb4c4d52cd46e9590d786d2f601651
Instruction ID: d9be47512dcf19465a405ea7c1dd09afa40d943bda2c42a16415b630b2eec42d
Opcode Fuzzy Hash: 08e3f3a4dfe6da5edef9eadd5743aef985cb4c4d52cd46e9590d786d2f601651
Instruction Fuzzy Hash: 48E0D8726403046BD2108F06DC46F23FB9CDB40A30F08C45BED085B701E1B6B5048AF6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA7B7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d6e88687013ddc32968068587ddb89f99563fba84f4e515dddd6f1ef313871
Instruction ID: 83f720f88660880317d9ca68896a79d727bf25fde1e39ffa43b2fff442bf0db3
Opcode Fuzzy Hash: c2d6e88687013ddc32968068587ddb89f99563fba84f4e515dddd6f1ef313871
Instruction Fuzzy Hash: F0E0D8716403006BD2109E06DC86B22FB98DB40930F04C457ED0C5B301E176B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA90F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c08441e62a1a14354a0b57d23dba6c572fe2bfbd76f7da4106cd3d70aad49a
Instruction ID: 26c36df7d57d46cf417a4bf213a5f468672e62dfa3769deb648f4d1e8bb63c46
Opcode Fuzzy Hash: 21c08441e62a1a14354a0b57d23dba6c572fe2bfbd76f7da4106cd3d70aad49a
Instruction Fuzzy Hash: 0FE048756413046BD3509E06DC46B62FB98DB44930F54C557ED0C5B705E1B6B5048AE6

Uniqueness

Uniqueness Score: -1.00%

Function 016AA697, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812425970.00000000016A2000.00000040.00000001.sdmp, Offset: 016A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647c1ff0df8d3701a958b90c38df30872e5bec69e8d394eea75e3ca898709055
Instruction ID: a074bbbb340a71052ec1f163e8be9241061cbb3cbb981652a6c6887ea38620b1
Opcode Fuzzy Hash: 647c1ff0df8d3701a958b90c38df30872e5bec69e8d394eea75e3ca898709055
Instruction Fuzzy Hash: 18E0D8B26413006BD3109E06DC46F23FB98EB84A30F04C557ED085B302E176B5148AE6

Uniqueness

Uniqueness Score: -1.00%

Function 05831468, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953fb65e025531a7d07e7a900066ca85f4100a8e2ef47c8b3389383b2a1e4aa9
Instruction ID: 7fcb0d527752ce79f78b52102389925a5e3465837e9e3201494be7d03b236ffb
Opcode Fuzzy Hash: 953fb65e025531a7d07e7a900066ca85f4100a8e2ef47c8b3389383b2a1e4aa9
Instruction Fuzzy Hash: 72E048717001186FC744EBA9CC51A9FBBEBEB85210F54805DD409E7381DE326D02CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 016923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812392757.0000000001692000.00000040.00000001.sdmp, Offset: 01692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1441a8e50cd99f857a69e6bafa228e6845c672bfd4d666309d88c88cd06b9ba2
Instruction ID: 7f98623527d10378edb2d0f644d28dd39e83506f40786fe8e603a44269e9f814
Opcode Fuzzy Hash: 1441a8e50cd99f857a69e6bafa228e6845c672bfd4d666309d88c88cd06b9ba2
Instruction Fuzzy Hash: DBD05E79206A915FE7268A1CC5B8B953FE8AB61B04F4644FDE8008B767C369D6D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 016923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.812392757.0000000001692000.00000040.00000001.sdmp, Offset: 01692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d7797c958fddef30f65c08b02537a6cd918f1cb5343df15fdcc488e218738b
Instruction ID: 972ad9507c3e6d70526b15b0c973e5622ddbebcfaf21431a63181529cb5ec632
Opcode Fuzzy Hash: f4d7797c958fddef30f65c08b02537a6cd918f1cb5343df15fdcc488e218738b
Instruction Fuzzy Hash: 49D05E342002814BDB15DB0CC5A4F593BD8AB41B00F0644EDAD008B366C7A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 05830780, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d010d5f8e9cd9f47e485dfa7f21cc0ffb8d15e327428d880bb074359debb19
Instruction ID: b05a03755cba7169bb3cfa9c308d9b0efe359e19acfd4de9517c7038803c88e4
Opcode Fuzzy Hash: 94d010d5f8e9cd9f47e485dfa7f21cc0ffb8d15e327428d880bb074359debb19
Instruction Fuzzy Hash: ABB0122234453817580D319D3C118EDB38EC9D68763C0106FF50E97340CD893D0103DE

Uniqueness

Uniqueness Score: -1.00%

Function 05831369, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af1cba6f2b871a57b3b85831965a36f5123a65c1e342b296000c6cb6aaa785a
Instruction ID: e3c220d39b9381928054dd446bafe2662fe53b05d5a1719e64f11fae377853f0
Opcode Fuzzy Hash: 2af1cba6f2b871a57b3b85831965a36f5123a65c1e342b296000c6cb6aaa785a
Instruction Fuzzy Hash: C0D0127248D3C11FD7134B60ED153413F619B63305F4A80A684C28B0D7DE6D9966DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05832510, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605f65532fc84e34d489f05e3e2dc44615546f490bc8b73382753144687f6f4f
Instruction ID: f2c445f1790f866eed734e5c01deea3dc6e038e733194dccac9c6828b2deeb5f
Opcode Fuzzy Hash: 605f65532fc84e34d489f05e3e2dc44615546f490bc8b73382753144687f6f4f
Instruction Fuzzy Hash: 3DC08C10528B800AF3E09360AE6E3D23F01B302120FC88387C240928F2D7DC9C10C3C6

Uniqueness

Uniqueness Score: -1.00%

Function 058324E9, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494cf86d5aa18d347684b84ee65f9ce853ec4ff4e6ab31252817c77600a0dd2b
Instruction ID: 4e12f41f4eafbb99d590e954b510d9b09acad44941044af6fc4abee861fbc1c4
Opcode Fuzzy Hash: 494cf86d5aa18d347684b84ee65f9ce853ec4ff4e6ab31252817c77600a0dd2b
Instruction Fuzzy Hash: EBC08C005283C007E3A09320AC8D3DB3F00B302190FD886CB8240928E0C3ECD815C38A

Uniqueness

Uniqueness Score: -1.00%

Function 058332A8, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bf4781748991cedd83406485a526099a0c1d5094ac07c92f9de403eef5cded
Instruction ID: 92523c890e9c2b4721321c0c044a405f536bd74b21f296e20baa840e28812879
Opcode Fuzzy Hash: 81bf4781748991cedd83406485a526099a0c1d5094ac07c92f9de403eef5cded
Instruction Fuzzy Hash: 7FC08C009283810AFB4193A0AC183002A417702212F9853C682A0C20E0CBEC9C11C345

Uniqueness

Uniqueness Score: -1.00%

Function 058300F0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.817508321.0000000005830000.00000040.00000001.sdmp, Offset: 05830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e7ec1e28c775854508a2530b739c9b5438578f586c2d31a821edfb3339a11c
Instruction ID: 8bfcba73151774f3c171687c4353787670501c80dd9418e2567a6333d0dac316
Opcode Fuzzy Hash: 66e7ec1e28c775854508a2530b739c9b5438578f586c2d31a821edfb3339a11c
Instruction Fuzzy Hash: 3FB0121100D2D207D3264320AC147932E003302530EDC938690B0000E3C34C03358645

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: fullview.exe PID: 5544 Parent PID: 3424 fullview.exeCOMMON

Executed Functions

Function 05150AC7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE ref: 05150B47

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6d8ce79af4deda324f09aaa679a95d5126eeb1b431a2daceac5977e4dd051a80
Instruction ID: 3b5185a2a3af76c5842ce6659cfdd929de4b60448e0d2444286a757cf91496ef
Opcode Fuzzy Hash: 6d8ce79af4deda324f09aaa679a95d5126eeb1b431a2daceac5977e4dd051a80
Instruction Fuzzy Hash: C6219F765097849FEB228F25DC84B52BFB4EF06324F0885DAED858F563D3709908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05150AFE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE ref: 05150B47

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a99341a8d9500ba62b82a92851d955c2019a76db12e675f60ed191b6bc1275c6
Instruction ID: 64d09fb48d28cabf81731a5c2bd86cc55ee68f7c659241b31b220b1d5e8ed2f0
Opcode Fuzzy Hash: a99341a8d9500ba62b82a92851d955c2019a76db12e675f60ed191b6bc1275c6
Instruction Fuzzy Hash: 95115E75500304DFDB20CF95D888B66FBE5EF08324F08C4AADD468B656D375E518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05072548, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1267303b3d4ff0b66059597645351a46d5e31dd2949810b0af2b1703ed77d606
Instruction ID: 2d5b3a1c8dfce9267e23a0520c600a0b9dc7aec90eaa6054ff5298da49f2c0e7
Opcode Fuzzy Hash: 1267303b3d4ff0b66059597645351a46d5e31dd2949810b0af2b1703ed77d606
Instruction Fuzzy Hash: 2E625B34B006598FCB54EB79E95876EB7F3BB88308F25802AD406973A9CF319D56CB44

Uniqueness

Uniqueness Score: -1.00%

Function 05076DA2, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

(, xrefs: 05077047

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: bdaee67f15f44687de6dde06a5c655a22ff798a2de0e70ccea69c2cb7d54b4bc
Instruction ID: 672d2cdda17f04343c58641e443cdffb7680c01dfab73c1460e30a076d7f4055
Opcode Fuzzy Hash: bdaee67f15f44687de6dde06a5c655a22ff798a2de0e70ccea69c2cb7d54b4bc
Instruction Fuzzy Hash: F0E1F934B002589FD744DF98D891B6EB7B2EB88318F24C059E919DB389CB36AD13CB54

Uniqueness

Uniqueness Score: -1.00%

Function 051517BE, Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05151869

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c3a1bc0e180b040930ce44de4f7481976fd9ae1f591a67f5d3fec267ed81d86f
Instruction ID: efddab34d00e63828e487422b676e6a2569727eeb04f14ac0302fe89d0024b9f
Opcode Fuzzy Hash: c3a1bc0e180b040930ce44de4f7481976fd9ae1f591a67f5d3fec267ed81d86f
Instruction Fuzzy Hash: B1316CB1544380AFE722CF25CC44B66BFE8EF46220F0885AEED858B252D375E409DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 00BEACD1

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 33cbfc22c694c6623c99e681845a8453386579290233b324980a85f422a6870b
Instruction ID: 0efa84d638eaac3d0b7daa21a4a224a875f909c1297f6b8e7a2c3b0dc9998f1f
Opcode Fuzzy Hash: 33cbfc22c694c6623c99e681845a8453386579290233b324980a85f422a6870b
Instruction Fuzzy Hash: 3231D4B25043846FE7228F25CC85FA7BFECEF05310F0884AAED819B152D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 00BEADD4

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8caca292b31ae724dd773d2087d14a8836b11cb8ba2e34f997979aae6ec0acde
Instruction ID: e45792dbe39ddf7cda594d830b571540ccbfdcbb6dc14e4e74d32cb7231e3246
Opcode Fuzzy Hash: 8caca292b31ae724dd773d2087d14a8836b11cb8ba2e34f997979aae6ec0acde
Instruction Fuzzy Hash: D93170715097845FE722CF25CC84F92BFFCEF06310F18849AE9859B152D364E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05150C88, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05150D22

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f962eaf9bac5743dd5d3f6f43e3cdf305bf34f137b624de63615e6425c0ee4db
Instruction ID: 19b18b491f5b67a974be6f12c979a1830bba87861ec0d95bdc5d38e11fbf8331
Opcode Fuzzy Hash: f962eaf9bac5743dd5d3f6f43e3cdf305bf34f137b624de63615e6425c0ee4db
Instruction Fuzzy Hash: AB21C3B2509380AFE7128F65DC45F56BFB8EF46320F08849AE985DB152C264A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA2AC, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00BEA346

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e72ce1689bcd70ec8586b4603e7abb53dcfd7c42dbb50643c42eea3c141b286
Instruction ID: 13db7cc7eea684d0440f27e635575b33dabe3355377823b97417ac395e7943e8
Opcode Fuzzy Hash: 5e72ce1689bcd70ec8586b4603e7abb53dcfd7c42dbb50643c42eea3c141b286
Instruction Fuzzy Hash: EB31857140E3C06FD3138B259C55B21BFB4EF47610F0A81DBD984CB5A3D219A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 05150D81, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05150E12

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 13487e564878c32986fdafdba8be805fbf59081b6e583b5281dd3098643cedf3
Instruction ID: d527b3adefb4f3c45109e74536d6701ea35b8dc5742e0aa57386d654720e41a9
Opcode Fuzzy Hash: 13487e564878c32986fdafdba8be805fbf59081b6e583b5281dd3098643cedf3
Instruction Fuzzy Hash: 84219471509384AFE7228F65DC44F66BFA8EF45320F0884AAE945DB152D374E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051518C0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05151955

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7eec214297967073174f307eed3dc05d4a2d538c9bf36791ccc2dc186a8a153b
Instruction ID: c653ee75684020638a496fda0f0556344469917ca0a677ca0b9dbd46c3cbf5a5
Opcode Fuzzy Hash: 7eec214297967073174f307eed3dc05d4a2d538c9bf36791ccc2dc186a8a153b
Instruction Fuzzy Hash: 3E21F8B5408784AFE713CB25DC40FA2BFB8EF46720F1885DAED849B153D264A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0515161C, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 051516B6

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: af1f7fd96856bda5b707f61953d6942e71902299fdc77118f564098023283393
Instruction ID: 42d8c70dcf562e1a53c2f6b889782d31425033d80c6feb99517d307e3d482250
Opcode Fuzzy Hash: af1f7fd96856bda5b707f61953d6942e71902299fdc77118f564098023283393
Instruction Fuzzy Hash: 4721DA755093C06FD3138B25DC51F62BFB4EF87A10F0981DBE9848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 051517EA, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 05151869

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c4844de389093d5b2ae551aab0ee586452599a990799adfa8cacf343ec4c9d07
Instruction ID: 087309c122978dd986ce1d7bc956eb76b07854715b1405825ab2b64be0020842
Opcode Fuzzy Hash: c4844de389093d5b2ae551aab0ee586452599a990799adfa8cacf343ec4c9d07
Instruction Fuzzy Hash: 2C216B71540740AFE731DF66D885B66FBE8FF08320F04896AED858B651D775E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBC64, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00BEBCF5

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: c7a4428bbbed01d79c81c474b042a000f8fc798440f718cb9787727b227d8d19
Instruction ID: ef6c131c2c3d8971d33df47930c6bf0868f68ae75de4c2bd4b5547e189e730b4
Opcode Fuzzy Hash: c7a4428bbbed01d79c81c474b042a000f8fc798440f718cb9787727b227d8d19
Instruction Fuzzy Hash: AD216D755093C49FD7228B25DC54B62BFF4EF46220F0984EBE884CB263D3249808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E2C), ref: 00BEACD1

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ef0091d5e8c1f40084616928b25e61442ec693598cd721aaaa72dcd4feae924e
Instruction ID: 1d991f68c68ea81f322f74ee99a3635ecac3479f7af44347213cc98631840862
Opcode Fuzzy Hash: ef0091d5e8c1f40084616928b25e61442ec693598cd721aaaa72dcd4feae924e
Instruction Fuzzy Hash: 1221CF72500704AFE7219F66CC84F6AFBECEF08320F14846AED419B641D324E9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0515094B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051509C6

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 70d6b2364c1f00426e9acb524091f971cfadf1ffd533411fe9301fca3cd35700
Instruction ID: 118939cc0346b8f91c2b170ce75ebeca66fae9959ddc547af358ee9308ce4b0d
Opcode Fuzzy Hash: 70d6b2364c1f00426e9acb524091f971cfadf1ffd533411fe9301fca3cd35700
Instruction Fuzzy Hash: C52171725093809FE7128B65DC95B92BFA8AF06320F0984EAED85CB253D274D808C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 00BEADD4

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7ca784e335e93b9f2c87b1ead0004fa80e8f863c0c2caff74291287f6357374f
Instruction ID: 8643fd3b3b37be9ec02cbe247bf65d114526612b821b2c2b4a76b344308f531d
Opcode Fuzzy Hash: 7ca784e335e93b9f2c87b1ead0004fa80e8f863c0c2caff74291287f6357374f
Instruction Fuzzy Hash: CE218171600744AFE721CF26CC84FA6BBECEF04710F14C4AAE9459B655D764F808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAE43, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 00BEAEC6

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 0ef711afc5ee752f561223f6316bb99e4ed47ed33bcec62c9fcb21b272ea8973
Instruction ID: 970ee649446f1dbe34dcf46ad3f505a06b8141fb55b359e79a88d77833f13e3f
Opcode Fuzzy Hash: 0ef711afc5ee752f561223f6316bb99e4ed47ed33bcec62c9fcb21b272ea8973
Instruction Fuzzy Hash: E021E7715493806FD3128B26CC41F72BFB8EF87620F0981CBED848B652D220B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05150DAE, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05150E12

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 48e2bfc79b86dde44292c0e1d719ce9dcbc135ed0a35f20940de7b77414bc8cb
Instruction ID: d4b5538ea9fd38d46071b466480399b831a96cc91610f47d662dd0c019619982
Opcode Fuzzy Hash: 48e2bfc79b86dde44292c0e1d719ce9dcbc135ed0a35f20940de7b77414bc8cb
Instruction Fuzzy Hash: 2211AF75600304AFEB21CF65DC88F6ABBA8EF08720F14846AED45CB645D774E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBD39, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00BEBDA4

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 15289a722952a54301b7e01a932f966f618774fb2971c379f8ae3727f60f65c0
Instruction ID: ebad42aed7b5de51d516f5e97c3d0ebc7bf704ee462d5aeb1c04b9f51551995b
Opcode Fuzzy Hash: 15289a722952a54301b7e01a932f966f618774fb2971c379f8ae3727f60f65c0
Instruction Fuzzy Hash: 412190714093C09FD7128F25DD80B52BFB8EF42214F0984EBED858F663D264A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEB42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00BEB4A9

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1131ab0a42a0de738525b19f917a921983bf79e858523697c1e0559d80860463
Instruction ID: f59295dfe22913a4a38ab503fa870f104822beb309d8c7267749b3ca87bf0de8
Opcode Fuzzy Hash: 1131ab0a42a0de738525b19f917a921983bf79e858523697c1e0559d80860463
Instruction Fuzzy Hash: 452181715093845FD7228E15DC45B63BFF8EF56714F0880CAED84CB293D365A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05150CC6, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05150D22

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 047c4ef2cc4325f8061e98625cc4e5109f3683bfa4f311cec37403d1b2e1d134
Instruction ID: 2b3c64cdf5a999f0c98e3932be88ff494813826157e53ea1bb966fc0f6ae529c
Opcode Fuzzy Hash: 047c4ef2cc4325f8061e98625cc4e5109f3683bfa4f311cec37403d1b2e1d134
Instruction Fuzzy Hash: 7E11BF75500304AFEB21CFA9DC85FAAFBA8EF48720F14846AED458B645D774E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0515089F, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05150904

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2c19324079608f29bf42b6609927b986f15857453018515ffb86762f0f9c6921
Instruction ID: c22b77af0ff7257108015a17aeeff69226ca7693e8f45269f714589e7943baca
Opcode Fuzzy Hash: 2c19324079608f29bf42b6609927b986f15857453018515ffb86762f0f9c6921
Instruction Fuzzy Hash: A01193B54093C09FE7128B25DC94B56BFB4EF46224F0980DBED85CF693D2799908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBDED, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00BEBE5B

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: a55f36540ada794542c986d27c85cae53c80c1583fceccc0f3043572dd90c43b
Instruction ID: d6375e100c04b4e1cef6a5766965dc04c21f0a7eaf3beda0992a37428f85d754
Opcode Fuzzy Hash: a55f36540ada794542c986d27c85cae53c80c1583fceccc0f3043572dd90c43b
Instruction Fuzzy Hash: 012184765093C49FD7128B25DC45B92BFE4EF12310F0984DAED858F263D364A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05150386, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 051503FD

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 801d5b1013e92aaf73bee7f17970d698bc600ebde4f9d69959a5afbce86f54a4
Instruction ID: dfe65c7164aecd786037a6a50723c1f17622a4ce591760951bbc974cba7e3d48
Opcode Fuzzy Hash: 801d5b1013e92aaf73bee7f17970d698bc600ebde4f9d69959a5afbce86f54a4
Instruction Fuzzy Hash: 5E218E714097C09FDB238B21DC54A62BFB0AF0B324F0D84DAEDC44F563D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051507F6, Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05150858

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1b4716607d6a186ab1b8b07b75775e72994e979be173d03855e95512446703bd
Instruction ID: 7618709557359eca74f2985ceec0c27a40758ba5253944fe93269beca5431116
Opcode Fuzzy Hash: 1b4716607d6a186ab1b8b07b75775e72994e979be173d03855e95512446703bd
Instruction Fuzzy Hash: 441181719093C09FD712CB65DC85B52BFE8EF46220F0984EAED85CF652D274A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BEA666

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1b0dcafc4e47e378469022e6d2a7fb3e9a0890481cbfaafb6034bd602145bde
Instruction ID: 14fb521f1fff27654f161fc14eea450733b90e3abe6b90c6e67972eb04d8f486
Opcode Fuzzy Hash: e1b0dcafc4e47e378469022e6d2a7fb3e9a0890481cbfaafb6034bd602145bde
Instruction Fuzzy Hash: 7F118471409780AFDB228F55DC44B62FFF8EF4A310F0885DAED858B552D375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05151EAB, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 05151F15

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3c6b49517a369c6cff697f54f01e96ecb61477b06af26bc0d7f10f37ee98060f
Instruction ID: 808bf398cba73203319d14cca0fa0712eebd36cc1105fe17ecb150acd5047589
Opcode Fuzzy Hash: 3c6b49517a369c6cff697f54f01e96ecb61477b06af26bc0d7f10f37ee98060f
Instruction Fuzzy Hash: 77118E71449384AFDB228B15DC45B52FFB4EF46224F0884DEED858B663C275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA97B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00BEA9DC

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6b36d5ff88562458ade0194e7d1ac48338c8267226b50a3496c002eaafdf72bf
Instruction ID: 927e878505468b8e25fbff93237d0126209d9bcf17f610f3a78aaf9352c9f5af
Opcode Fuzzy Hash: 6b36d5ff88562458ade0194e7d1ac48338c8267226b50a3496c002eaafdf72bf
Instruction Fuzzy Hash: 32118F714493C49FD7128F15DC84B52BFB4EF46224F1884EBED858F253D275A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0515097E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051509C6

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d65c37e76cd6fcb76ae61219faf8fff9e05bf500fffa307fc0397caa0960a04b
Instruction ID: 4be0fd4f169681f5ba65897ff6796642706c3e686bdf4e42ce08d5612b04426e
Opcode Fuzzy Hash: d65c37e76cd6fcb76ae61219faf8fff9e05bf500fffa307fc0397caa0960a04b
Instruction Fuzzy Hash: 4E1130716053448FEB60CF6AD849B56FB98EF48320F08846ADD59CB646D774E804CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05151902, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E2C,BE9D06FF,00000000,00000000,00000000,00000000), ref: 05151955

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 81d1678712b108d06dcf9c0f05c592eb8b70b4f536ac0e9b08f4bab9641c3c4e
Instruction ID: 2717d69aa80e6b1ebe0c638a2d2cda5fb170f8545629ac13270afa72283ce048
Opcode Fuzzy Hash: 81d1678712b108d06dcf9c0f05c592eb8b70b4f536ac0e9b08f4bab9641c3c4e
Instruction Fuzzy Hash: 3201C071540304AEE721CF1ADC85BA6FB98EF44730F54C49AED859B246D7B8E508CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBCAA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00BEBCF5

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: d011b638651103615a2c9ab6c496726fe2a62c95f9fa97c66637aa2250cf4205
Instruction ID: 7d93b7e22ed8c0290a7f30da1f507b626d92fc5f26f578de1118b4074c434506
Opcode Fuzzy Hash: d011b638651103615a2c9ab6c496726fe2a62c95f9fa97c66637aa2250cf4205
Instruction Fuzzy Hash: A0113C755043849FEB20CF66D884B66FBE8EF44320F18C4AADD498B656D774E818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00BEAB46

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8b2daa6f525e5330910728d6a16031a15d8e0eee742794b608735d4ed7b19ba5
Instruction ID: 4965079a29d048cf3cb0ce2cc90a09d2e2888f64ec428f465b739c6d98a8b2db
Opcode Fuzzy Hash: 8b2daa6f525e5330910728d6a16031a15d8e0eee742794b608735d4ed7b19ba5
Instruction Fuzzy Hash: CD117C314097849FD7218F16DC85A52FFF4EF46720F08C5DAED858B262C3B5A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA42A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00BEA480

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c01eb080a729260384c1f416e22779c7012de885ec15759acb7558a710625e1b
Instruction ID: 0ebd6a9ee36f5d27defb3ce5c64d483fc4955cb74437333ecb3afd2cfc9e214e
Opcode Fuzzy Hash: c01eb080a729260384c1f416e22779c7012de885ec15759acb7558a710625e1b
Instruction Fuzzy Hash: AB018475409384AFD7128B16DC44B62FFB8DF46724F08C0DAED858B256D375A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0515081E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05150858

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9ad587d0e78361b451584121576227fd3e4614dc646ea3fad9dc79fed2f5c29e
Instruction ID: 8be49d33685f39729511fe3f1d9739fc6c21669624ba609a18da3152bfbc57b9
Opcode Fuzzy Hash: 9ad587d0e78361b451584121576227fd3e4614dc646ea3fad9dc79fed2f5c29e
Instruction Fuzzy Hash: 14019E71A04240CFDB60DF6AD888B66FB98EF04320F08C4AADD49CB646D775E408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BEB45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00BEB4A9

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 678a50542c8fb621c7ab8c085df21335c6f87f8400d48f4974bb6cd1f9955c3c
Instruction ID: 56beaea266bf390a7bebf8e533ded3a4535e51fcabb87a3818f33fdb0ae78d0c
Opcode Fuzzy Hash: 678a50542c8fb621c7ab8c085df21335c6f87f8400d48f4974bb6cd1f9955c3c
Instruction Fuzzy Hash: B5016D716002408FEB20CE1AD885B22FBE4EF14720F088499ED498B786E374E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BEA666

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e455cf4e12d91b97c691f519f065b52a25b817fe5c6aea30372de7ae35a8a42
Instruction ID: 68c8c7c3e72505fb725542ab92a461a5f90278a0d8ac6a841911a912b9dc1249
Opcode Fuzzy Hash: 0e455cf4e12d91b97c691f519f065b52a25b817fe5c6aea30372de7ae35a8a42
Instruction Fuzzy Hash: D5018B314007409FDB218F56D884B16FFE4EF49320F08C8AADE494A615D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBE1E, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00BEBE5B

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: a4c003964aeb1fa4716e7472f8c6b521ca12585ac3b6f9d81684523b89ec75dd
Instruction ID: c1f1ba4965d20afdca1ad8a80f77524b4726688e3eb865f676097a81e5081b79
Opcode Fuzzy Hash: a4c003964aeb1fa4716e7472f8c6b521ca12585ac3b6f9d81684523b89ec75dd
Instruction Fuzzy Hash: 690171756006848FD7608F1BD885BA6FBD4EF44720F08C4AADE458B756D375E808DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 051508D2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05150904

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 65b716514d113c8ffca97d5ca7c41ef566e3098b8076a93ea034e6a4558166c9
Instruction ID: 2364290d1d7366ccbedfd6b31ef60c66f4803ae371564a5a0b6e1fe819c40343
Opcode Fuzzy Hash: 65b716514d113c8ffca97d5ca7c41ef566e3098b8076a93ea034e6a4558166c9
Instruction Fuzzy Hash: 60017171501340DFEB20CF6AD888765FB94EF44330F08C4AADD598B646D7749448CA62

Uniqueness

Uniqueness Score: -1.00%

Function 05151666, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 051516B6

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4b851d403d99691ada9a59d0dbe9baf026a07798e2a989e3df3f348b8664147c
Instruction ID: edea43a6826fc58b488d1477eb94af3d0a50c6d5c91c9943fc7a3fa2f6e20fe1
Opcode Fuzzy Hash: 4b851d403d99691ada9a59d0dbe9baf026a07798e2a989e3df3f348b8664147c
Instruction Fuzzy Hash: CE01A271500604ABD214DF1ADC82B26FBA8FF89B20F14C11AED084B741D271F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00BEA346

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3ef8621dda003237145efceab3cd7fa55b242dce77015357ed19320fe886530d
Instruction ID: c071050e0f6e8e9bbbc78ed5ba2a7cad19d96d1c20751f94929013dfb1067e4f
Opcode Fuzzy Hash: 3ef8621dda003237145efceab3cd7fa55b242dce77015357ed19320fe886530d
Instruction Fuzzy Hash: 5201A271500604ABD214DF1ADC82B26FBA8FF89B20F14C15AED084B741D271F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAE76, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E2C,?,?), ref: 00BEAEC6

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: dc5bc380fa11aa151e181174ba6dcbc33b1c3d75b01fcf28a83c983824da5622
Instruction ID: a6894c5356832008bc4fdf4b371cec3068028ebb74e75d7a36ea627a388f5bd0
Opcode Fuzzy Hash: dc5bc380fa11aa151e181174ba6dcbc33b1c3d75b01fcf28a83c983824da5622
Instruction Fuzzy Hash: 3301A271500604ABD214DF1ADC82B26FBA8FF89B20F14C11AED084B741D271F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BEBD72, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00BEBDA4

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b79440ae943f55e410d8d950a7732cd4e3e1e30db15b607d9a4d27da2d7459ea
Instruction ID: adf1e80db4d6827c4b3cf4651760d4fb4bd9c87652578af8e502387249a7dd36
Opcode Fuzzy Hash: b79440ae943f55e410d8d950a7732cd4e3e1e30db15b607d9a4d27da2d7459ea
Instruction Fuzzy Hash: 23017C755043448FDB608F6AE885B56FBE4EF44320F18C4BADD498B646D774E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05151EDA, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 05151F15

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3c3bc4e04d83da52fd7047fd72e3e0f8514d71eb973f7a6a2ebc737c59f0b1a8
Instruction ID: 2e13656f941a2f53ad8c7c702869c0778a0eb404a14ee1807d91ae83f0533608
Opcode Fuzzy Hash: 3c3bc4e04d83da52fd7047fd72e3e0f8514d71eb973f7a6a2ebc737c59f0b1a8
Instruction Fuzzy Hash: E6019E31540300DFDB218F16D844B65FBA1EF04220F08C09AED964B655D3B9E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA9AA, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00BEA9DC

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5d370151214f2fe095406e6fbd4ec199281ad1135788a1b4a87ab05342d5d88b
Instruction ID: 1f77ba6a3be8c7d9b51939acc115df2da260ee9ded0ee292c6138034f4d21cfd
Opcode Fuzzy Hash: 5d370151214f2fe095406e6fbd4ec199281ad1135788a1b4a87ab05342d5d88b
Instruction Fuzzy Hash: 54018B749003849FDB60CF5AD984765FFE8EF44320F18C4EADD498F606D378A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 051503C2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 051503FD

Memory Dump Source

Source File: 0000000D.00000002.830856442.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b55ac61c5f50bbf56019fff863e451a88b05df6f8ba12e952969d05608b7252
Instruction ID: 289936386f1cfbb5f2959da3f7b5428f97bf0a55db0ecf0e39ffbaa3c183ac88
Opcode Fuzzy Hash: 1b55ac61c5f50bbf56019fff863e451a88b05df6f8ba12e952969d05608b7252
Instruction Fuzzy Hash: CC017C31500300DFDB21CF56D848B25FFA1EF08320F08C49ADE454B616D375A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BEAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00BEAB46

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f5507a6ae985ed821810d13482eeab4619f8b9e3f30cadde07d552f07bd4ad4a
Instruction ID: 280a779e6c574a9ffbb3cdec71f505c3a3d5eb861e13c7723f5e4daacbe057d0
Opcode Fuzzy Hash: f5507a6ae985ed821810d13482eeab4619f8b9e3f30cadde07d552f07bd4ad4a
Instruction Fuzzy Hash: E7018B315006448FDB208F16D884B12FFE5EF44720F08C59ADE464B656D3B5A808DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,BE9D06FF,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00BEA480

Memory Dump Source

Source File: 0000000D.00000002.827502475.0000000000BEA000.00000040.00000001.sdmp, Offset: 00BEA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f7fa3f55ea557488a0e8171ebafd1e0c1d58d34c82fa8264f3734171d6f1bb6a
Instruction ID: 6b39492ad5519f9c78e6c61377f69408f0f41ae8fb82ecea73cc5199332a2524
Opcode Fuzzy Hash: f7fa3f55ea557488a0e8171ebafd1e0c1d58d34c82fa8264f3734171d6f1bb6a
Instruction Fuzzy Hash: C0F06D355042848FD7208F16D888761FBE4DF44320F18C0AADD454B756E3B9A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05077189, Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

(, xrefs: 05077047

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 9dfdcaab01bc2ae2dce66a0f1745430938bed2afc1bebe664187b67f9fd66361
Instruction ID: dacfed079da4f2a5a277fa0646cca159a4f5312f1154ce7dc9ab601aacf28af8
Opcode Fuzzy Hash: 9dfdcaab01bc2ae2dce66a0f1745430938bed2afc1bebe664187b67f9fd66361
Instruction Fuzzy Hash: 1E51C934B002499FD744DF98D891A6EB7B6EB88318F24C159D929DB389CB32ED53CB44

Uniqueness

Uniqueness Score: -1.00%

Function 05077058, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0507712D

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: ba1bbebc32f0c9933dfcfe1e01c65af6180e4ee7e2faa2c91a260be988422e4e
Instruction ID: 640595c546172b4aae485a140b498e9abff4aecc74f55cc2d538a4acf8aa1606
Opcode Fuzzy Hash: ba1bbebc32f0c9933dfcfe1e01c65af6180e4ee7e2faa2c91a260be988422e4e
Instruction Fuzzy Hash: 2941D731B00249AFD714DB68D850B6EB7B2EB88304F25846AE926DB395CA75EC03CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05071D90, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05071E45

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: 7adfb8c418973781d4f753386d64930fa9d7035ab7e0244d726b525bc0ce853f
Instruction ID: f0510af1af6ce33a5dec46d379603b3789ec89b473930cd48081b6591d4fe1a2
Opcode Fuzzy Hash: 7adfb8c418973781d4f753386d64930fa9d7035ab7e0244d726b525bc0ce853f
Instruction Fuzzy Hash: 1B41C031E002498FCB44DBB9D8146EFBBF6EF89310F14846AE505EB290EA309905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05071E18, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Dlq, xrefs: 05071E45

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: Dlq
API String ID: 0-1337854601
Opcode ID: bf5ff472d5bf8b326e86e8cdb1d432b546df8f859456548a092fd74354f389f8
Instruction ID: b34755b07923b9f5f173544503a26be059312db3715a2a7078aa04f57888b958
Opcode Fuzzy Hash: bf5ff472d5bf8b326e86e8cdb1d432b546df8f859456548a092fd74354f389f8
Instruction Fuzzy Hash: F5410730E101099FCB14DFAAE855BEEBBF6BB8C310F148469E515BB290DB709D45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05070006, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

>_kq, xrefs: 0507007A

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: f61ffb471552ff6a20e1305a3c1fd28ec10ef91abcc1a9818617191edce619c0
Instruction ID: b30f6ba0bfd0b481024971653044cd4b515220e88c93e0636350237c6efcb288
Opcode Fuzzy Hash: f61ffb471552ff6a20e1305a3c1fd28ec10ef91abcc1a9818617191edce619c0
Instruction Fuzzy Hash: B221C33240D3D94FC3025770DC1579A7FB1AF43210F6A42ABD580CB297DA6C4A54C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05072538, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e49305ebe5336be7b9712839b72275c4096894c7beadb243a75bd1f5f59e8a7
Instruction ID: e09e8ebfd32d6bd58bdec96e7eaa80c01d6ef6dfada4313ffc925a8942eb9936
Opcode Fuzzy Hash: 0e49305ebe5336be7b9712839b72275c4096894c7beadb243a75bd1f5f59e8a7
Instruction Fuzzy Hash: 95527B34B006598BCB54EB79E55876EB7F3BB88308F25802AD406D73A8DF319D56CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05073700, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e25e123a70bffb116fff2a3c1cdb191fd64bd4e6ef8b18e742d117a0842489
Instruction ID: 5c9f1c6d65ef6c839fc001eabe171f9ed7c04ac67e65f3a5eacf2ef91041db09
Opcode Fuzzy Hash: a7e25e123a70bffb116fff2a3c1cdb191fd64bd4e6ef8b18e742d117a0842489
Instruction Fuzzy Hash: A7B1AE70F0020CDBEB10CBA8E445BADBBF3BB85701F64896AE506AB385CA70DD45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 05073752, Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6186b7a32f1e56c84a1d53e82e834f908e0235683e13e25b15aa1cce77f31c4
Instruction ID: 0aad8a0caf81d10d3d8da63587c5c784d13f32dcf07494d1f9d10c66b6fbc98f
Opcode Fuzzy Hash: c6186b7a32f1e56c84a1d53e82e834f908e0235683e13e25b15aa1cce77f31c4
Instruction Fuzzy Hash: 15B19070F0020CDBEB14CFA9E445BADBBF6BB84301F64896AE506AB385CA70DD45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 050733A8, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9870c89008576b5306b4bdea03d0dd91db6f281c19d4e16531ac1d75c751a4d8
Instruction ID: df13c8f56d4a60ba72ca044aaf2265aa9a0ff17db29af65eafcd60f2480a3353
Opcode Fuzzy Hash: 9870c89008576b5306b4bdea03d0dd91db6f281c19d4e16531ac1d75c751a4d8
Instruction Fuzzy Hash: 3A81B231F002198FDB48EB79D4586AE76E7BFC8300B2584B9E506EB395EE31CC058795

Uniqueness

Uniqueness Score: -1.00%

Function 00BE2477, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827489049.0000000000BE2000.00000040.00000001.sdmp, Offset: 00BE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a39e83d58611ad55c4b25efaec747dfcb4562007adb4e482665ee7c6f7927f6
Instruction ID: 7035c178c17e2a02353c596e00545795d0d3ff51ec5e9bd6aac6c5c1aedfce59
Opcode Fuzzy Hash: 0a39e83d58611ad55c4b25efaec747dfcb4562007adb4e482665ee7c6f7927f6
Instruction Fuzzy Hash: 9D619B6694E3C15FDB07973A5D39294BFF9AF23321B4E41CBD5848F2E3D248488583A2

Uniqueness

Uniqueness Score: -1.00%

Function 05071A60, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e86762457ffd9af38d87e95f3f55836c2743c092c85cdaf457b75fb7332071
Instruction ID: 3edbaaddb489d0a41ecb79c9fe79e4f1b90fb1f357bef21346a5fc3953ec7db1
Opcode Fuzzy Hash: e4e86762457ffd9af38d87e95f3f55836c2743c092c85cdaf457b75fb7332071
Instruction Fuzzy Hash: 34513A30B002189FDB44ABB9D858B6DBBF7BF88700F258069E406EB3A5DE759D05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05074F01, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fdbf92e5f8acd1f30d805948454ab18c8311d61532f4283274b31db5a57fcd
Instruction ID: 5c78f37e2d44b50319756d6367fa47b21e8e2579ceaaed27bee304561bdcff24
Opcode Fuzzy Hash: 59fdbf92e5f8acd1f30d805948454ab18c8311d61532f4283274b31db5a57fcd
Instruction Fuzzy Hash: 31517331A11118DFCB04DFA8D894AADBBF3FF88314B158569E516AB3A4CB31DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05071A70, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b48c741fc569ce69fd3f9945d11e7b9d44d046f825b78d477355015f40b70bf
Instruction ID: 21f5a5be7fa717e9cced43eac2b404b1bd6259281dae6e1345f10a4d501845b8
Opcode Fuzzy Hash: 1b48c741fc569ce69fd3f9945d11e7b9d44d046f825b78d477355015f40b70bf
Instruction Fuzzy Hash: 36511A34B002149FDB44ABB9C858B6DBAF7BF88300F258069E806EB7A5DF759C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05074F10, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbab156ae12a27e505637a297b38dc7c40f8b948d5122278e73a02c41d1b32e
Instruction ID: 56387b172b3e3a9188b99eb7e066dd8d7b5fc2a88eb3c7a9c41e1293f354bb75
Opcode Fuzzy Hash: ddbab156ae12a27e505637a297b38dc7c40f8b948d5122278e73a02c41d1b32e
Instruction Fuzzy Hash: 8D517131A11118DFCB04DFA8D894AADBBF3FF88314B158559E516AB3A4CB31DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050764B0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ca9a5edd70f4419eaa1c0edafb8061a5f5269434380e47b693515cf995dbe3
Instruction ID: d98ebfbe8a48e89727a0e9be0510d173ae3b8de9c27f23134bfc75435d352e9f
Opcode Fuzzy Hash: 93ca9a5edd70f4419eaa1c0edafb8061a5f5269434380e47b693515cf995dbe3
Instruction Fuzzy Hash: 2D51C074A15342DFDB00AF70E84D52EBFE1FB88755B10892AE88197258EF748842CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05076211, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae4db3d3579b045e515bc5ff08ac606fe77e1a520934c7df95169a1cdccdf9
Instruction ID: 27def0465fed230959a04a4d401118492ec05bd10a34298967867f1be0552171
Opcode Fuzzy Hash: 97ae4db3d3579b045e515bc5ff08ac606fe77e1a520934c7df95169a1cdccdf9
Instruction Fuzzy Hash: FC417C31B00A469BC748EB38EC98A7E3393EBC52547218929D517C73E8EF369C02C795

Uniqueness

Uniqueness Score: -1.00%

Function 05074F5E, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b69545495d430468d0325921fbd8b1ae16ddaa61d419c109c5f0b726738a766
Instruction ID: 1a31cbea2b83ab5e034d1f70771ee0bccd6dd7d03ce20017085be40211dfdc59
Opcode Fuzzy Hash: 7b69545495d430468d0325921fbd8b1ae16ddaa61d419c109c5f0b726738a766
Instruction Fuzzy Hash: B2416D31A10118DFCB04DFA8D994AADBBF2FF88314B258199E516AB365CB31EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05070798, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06461b4b5d34873a8c0a0a3ed48ac2e42276cead0a10bd44eb1e059eec997bc
Instruction ID: 38cc2e64de00ad4aa1ee8e4ebd40e9689f436e814cd7fd408c36b3b61a1272b1
Opcode Fuzzy Hash: a06461b4b5d34873a8c0a0a3ed48ac2e42276cead0a10bd44eb1e059eec997bc
Instruction Fuzzy Hash: 5941F571B442089FD3449728EC1DB7E7BA6DB85700F4485E9F546EB3D5CE788806CB85

Uniqueness

Uniqueness Score: -1.00%

Function 050730F8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b8b914bb4de5f84a4d767905cc6352738c509be483f26f2fe93b89b2536f4a
Instruction ID: 098975956113ff6e77b64d5a0bcd1e07d40e115754ba3d7c891cf29e60cc58f3
Opcode Fuzzy Hash: 04b8b914bb4de5f84a4d767905cc6352738c509be483f26f2fe93b89b2536f4a
Instruction Fuzzy Hash: 36413730A0834A9FC714EB78D85062E7BE2FFC4344F10886DE48697298DB34DD0ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 050750D8, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1077b75b4c7dc3b6d136b8d4e5119be9fa659913c97aaf811fc52e375f872325
Instruction ID: 1ff07e237510b6d4735e4e49026b2464f8c325fdffc13207037552320dae2084
Opcode Fuzzy Hash: 1077b75b4c7dc3b6d136b8d4e5119be9fa659913c97aaf811fc52e375f872325
Instruction Fuzzy Hash: 6B315E71B001189FCB04DB79D859BADBBE6AF89704F2540A9E406DB3A5EF71DC058B81

Uniqueness

Uniqueness Score: -1.00%

Function 05074AB7, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8055dab6f498ed155d8fd35e39d9b049aa7fa39ce23cfe3638c57c47a047de8
Instruction ID: 87ffa2cd503dad67eaff8aaa9481d19adcf96cd777d8d6b4d067997b83aa2927
Opcode Fuzzy Hash: a8055dab6f498ed155d8fd35e39d9b049aa7fa39ce23cfe3638c57c47a047de8
Instruction Fuzzy Hash: 9D31A230E08A699BCF61CB68D4807BD77F1BF46211F098666E066CA191C335D904CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA5FC, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e417854c3a59efb4d6ad4cf6627950a14000be7ccf137541c5c6b7593846e0
Instruction ID: 77f56df929c9ddbbbf773baeec24f2b8982ac5251c2071a733700576eb1d8cfe
Opcode Fuzzy Hash: 11e417854c3a59efb4d6ad4cf6627950a14000be7ccf137541c5c6b7593846e0
Instruction Fuzzy Hash: E1315CB55093809FD301CF29C84095ABFF4EF8A614F09899EF888DB252D275E908CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05071810, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e83c3e919a7b9fc17da78d3767cff89a640913e164a4bf8f85094d62bffbef
Instruction ID: d19369d68caa7c9a334bc3938aead9bef7f0f36ebe4fa243555b10241aff7cdd
Opcode Fuzzy Hash: 63e83c3e919a7b9fc17da78d3767cff89a640913e164a4bf8f85094d62bffbef
Instruction Fuzzy Hash: 8821CF35E186098BD785CA69F8417BEB7F6FF45320F14852BE462C62C0C334D905C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 050749A6, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb290abedf754730cf67a7b23537f536563dfd48e2565bf4796b44a3ef0169ab
Instruction ID: 347452bd503df047bd69b79d6ad8250f42e7da365c9fffef202b944614c07380
Opcode Fuzzy Hash: bb290abedf754730cf67a7b23537f536563dfd48e2565bf4796b44a3ef0169ab
Instruction Fuzzy Hash: 12218031E04A49CBCF50CB7DE951BBEF3E6AB41325F14826BA0BAC72D1C238D555C619

Uniqueness

Uniqueness Score: -1.00%

Function 05070638, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12100e06910dde823e6156c284b68c8641173c15e92b3c6efcf32113ff930d2a
Instruction ID: 1182de4236bb0de2f43480f9bc5c917d663f4f9529f0a0a7eb002bef7ceb427a
Opcode Fuzzy Hash: 12100e06910dde823e6156c284b68c8641173c15e92b3c6efcf32113ff930d2a
Instruction Fuzzy Hash: 07210672E0410E8BD710CB6AE8697BEBBA2EB81304F04472BA455D7281C27495408E59

Uniqueness

Uniqueness Score: -1.00%

Function 05071800, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cade9860799445f12128a48c0ff7a9bac6d97cd25048fad0b40f2f0f769f7b
Instruction ID: e31562eb48e28de1d3316c806e075173c9206a1a9ead7d9462e5e411ade8a5fe
Opcode Fuzzy Hash: 97cade9860799445f12128a48c0ff7a9bac6d97cd25048fad0b40f2f0f769f7b
Instruction Fuzzy Hash: 0721A235E1851987D795CA68E8417BFB7F6FF45310F14417BE422D62C0C734DA05C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 05076420, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3405b3ce377d1375a395601e12b429627f449e41d39a52d40102e30ed7f43fcb
Instruction ID: 2476886718a8d643fc68787aed52108e74b8ace42bdedacaa45df2c30c97fed4
Opcode Fuzzy Hash: 3405b3ce377d1375a395601e12b429627f449e41d39a52d40102e30ed7f43fcb
Instruction Fuzzy Hash: 6C11EB31F003069FCB149AB4A855BAF77E6EB84354F10803EE506D7344EA72C915C794

Uniqueness

Uniqueness Score: -1.00%

Function 05076718, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5284dd9a277b21f4cb513918706becfc7c94ed6c0f0b86700fe403b13c2e5f
Instruction ID: ddbcc45538781770c5755d7911836f976e4b26bce9ff043d402541061f41a8b6
Opcode Fuzzy Hash: eb5284dd9a277b21f4cb513918706becfc7c94ed6c0f0b86700fe403b13c2e5f
Instruction Fuzzy Hash: 65216F70E0060DCFDB649F75D958BAE7AF6BB48690F140468D503EB350DF7A8885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050769F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a57b340d0f3be5ccd3d41e9aa04db87551e92d482ec784366d90ddb70444ba
Instruction ID: 01c27889444b62b4fde212e08a369e51c6d03519cd5397eea9aeb4906d372f97
Opcode Fuzzy Hash: a7a57b340d0f3be5ccd3d41e9aa04db87551e92d482ec784366d90ddb70444ba
Instruction Fuzzy Hash: FD214970E00A0ADFCB64EF75E4186AE7AF6BB48650F209429D503E7350EF769885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05071658, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8d57269294feddbcbbd7efbd734190a57350b7a9db8682a82cf15e159b7762
Instruction ID: 2198dfb1050711b8a07a4427d0fd6f6a0c1d8796d0495f470aa5d110038faed0
Opcode Fuzzy Hash: 6c8d57269294feddbcbbd7efbd734190a57350b7a9db8682a82cf15e159b7762
Instruction Fuzzy Hash: 0B1104327052188FC3049F54E858BBFBBDAFB81314F1A887DE5488F285CA759C41C794

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAA18, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c884a016570341ca6cc0d88a511594c93febfbbbfdfd0e1faa5d02ebffe970ca
Instruction ID: 1401e385a47495fdd322acc1aabdf3d82de4f46044c0ddc057a475e5d04f440d
Opcode Fuzzy Hash: c884a016570341ca6cc0d88a511594c93febfbbbfdfd0e1faa5d02ebffe970ca
Instruction Fuzzy Hash: 2F218CB150D3806FD702CF25DC51956BFF4EF86620F0989DAF8888B213D234A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA960, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b4bac6c51e4dcc08e1e44f4cd0cbbf43ab0f455d9c182c4bbb62a9e5c40033
Instruction ID: fac970bd693c70b96a92c35d5c57a555b2c6e30ccb19ca25b1c413b2e5a5e2ea
Opcode Fuzzy Hash: e8b4bac6c51e4dcc08e1e44f4cd0cbbf43ab0f455d9c182c4bbb62a9e5c40033
Instruction Fuzzy Hash: B5218CB150D3806FD302CF15DC50A57BFE4EF86620F09C89AF8888B252D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05076CBA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924ddbb5675cd85ab1864f4027a224c1cc39fde49349f71bfb2e417135f966dd
Instruction ID: 2f9427b4752399443d0bacd7d3f9f36adc18939778d3deefe3687b1d60854ccc
Opcode Fuzzy Hash: 924ddbb5675cd85ab1864f4027a224c1cc39fde49349f71bfb2e417135f966dd
Instruction Fuzzy Hash: 92110232A1462C9BD704DA69FC04ABF77AAFB80328B140627E113C22D0CB739E1587A5

Uniqueness

Uniqueness Score: -1.00%

Function 028B0776, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.828100142.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa96af4b034ff77e184a5965c73d8ec535c9f52f872a177e188ce7e55489f29b
Instruction ID: 3a99095e94fc54e9c511435397b6b8948ff6f8bc8c23ac689bf5a4a9b96801e3
Opcode Fuzzy Hash: aa96af4b034ff77e184a5965c73d8ec535c9f52f872a177e188ce7e55489f29b
Instruction Fuzzy Hash: 30216F3910D3C19FD713CB64D890B95BFB1AF4B214F2986EED4888B6A3C3369916CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05071961, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890fb70f74d26fa83049ca8398e6a799a82f6253d044c2a3447a5ece30d2b830
Instruction ID: ad1a4b6b99759aea1a7ce8d0c43b4e4f9dd5f1a3c4c0ec23e615e09c9c8d4447
Opcode Fuzzy Hash: 890fb70f74d26fa83049ca8398e6a799a82f6253d044c2a3447a5ece30d2b830
Instruction Fuzzy Hash: A5216F315083898FC701EF24E94C79A7BA5FF81308F5685A9D0548F26DDFB49D29C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 050732E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f627f2811eb8a7315fec5fa3aa1b5498e7d8d91cdeeb89dda1c1903289b93ed7
Instruction ID: 6ed6573b87eb3e06de6a2ff3b940405e1692fe8d9a8099a1d3ff05a2cef8ffa4
Opcode Fuzzy Hash: f627f2811eb8a7315fec5fa3aa1b5498e7d8d91cdeeb89dda1c1903289b93ed7
Instruction Fuzzy Hash: 15216D71905348EFDB209F6AD8457DDBFB8FB49320F248519E819AB340C7796894CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0507523D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7527970633919a549449b353825fde333454d900d04722a6b3ca624e102d6ee4
Instruction ID: 51c38bc100bb26e36eff87c58afba466c059c8062dd72ddd1999047ead4c3d12
Opcode Fuzzy Hash: 7527970633919a549449b353825fde333454d900d04722a6b3ca624e102d6ee4
Instruction Fuzzy Hash: 42117230B44248DFCB01DB64E959BED7BE2BF45305F5405AEE016DB2A2DB754C4A8B01

Uniqueness

Uniqueness Score: -1.00%

Function 028B05CF, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.828100142.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce92063734e4958ba01440953f814d3fff15f0f7e26ddf22b4cae19a954a9df
Instruction ID: 718328d9608097a620532076fc600109a7abccf11d9092e2707d784952aad7d8
Opcode Fuzzy Hash: 1ce92063734e4958ba01440953f814d3fff15f0f7e26ddf22b4cae19a954a9df
Instruction Fuzzy Hash: 1911C8B640D3805FD3138F25AC518A3BFB8EE8323031980DBE849CF653D525A949CB76

Uniqueness

Uniqueness Score: -1.00%

Function 028B07AC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.828100142.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602fa9133179bff41c15ddfdb46fa8b50a5ac2ad57fb9c062ae466bb55d3184a
Instruction ID: 7726aed66410bb307b82f4cd32d1fd94e1c872a59742d3f6778fcdf3b1cda334
Opcode Fuzzy Hash: 602fa9133179bff41c15ddfdb46fa8b50a5ac2ad57fb9c062ae466bb55d3184a
Instruction Fuzzy Hash: 4711AF38244384DFD716CB14D940B67BBA1AF88708F28C9ACE9498B742C77BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 05076707, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda188cc1db897c4edb3a5ee2e67e08fa4f5220e18c75595776c3095a2f5f851
Instruction ID: a0744ffa5e8e347a192404031429434fb8be5f0c3cd01bc9b9eb87a851b41e39
Opcode Fuzzy Hash: fda188cc1db897c4edb3a5ee2e67e08fa4f5220e18c75595776c3095a2f5f851
Instruction Fuzzy Hash: A4118270E00609CFCB54DF74D958AAE7BF2BF48650F140869E403E7350EB359885CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050769E8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19b57d845b7040f4fb13010373ed2f2fa91d8a4be3b5591e23042642a0af956
Instruction ID: a757c16ba53b4960240a122896932a6dc29a065da741d2600741748729a089cf
Opcode Fuzzy Hash: d19b57d845b7040f4fb13010373ed2f2fa91d8a4be3b5591e23042642a0af956
Instruction Fuzzy Hash: BC118E71E00A0ADFCF54DB74D8246AE7AB2BB88210F244829D403E7350EB768885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0507059F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7408b5a92a5eb60e0f5273acb7adffd173112b515bf0bc510a14c5b0594a6384
Instruction ID: 41be65963f69fcd93d1cc4d4ff2b874f1b83761e851cf429b4492379d84d594a
Opcode Fuzzy Hash: 7408b5a92a5eb60e0f5273acb7adffd173112b515bf0bc510a14c5b0594a6384
Instruction Fuzzy Hash: 65114E62E1C519CAE714C63DB8B937F77E2BB80225F088773D466C81D5D66CC0415E1C

Uniqueness

Uniqueness Score: -1.00%

Function 05071391, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2c9e9439a4afde0881acb836a55750b2f747b92d442c759fb80ed64cc951d6
Instruction ID: 87af1ef1f6626668ac989323aadb92f4ddd539aba9c225c96f97a676b581d558
Opcode Fuzzy Hash: ec2c9e9439a4afde0881acb836a55750b2f747b92d442c759fb80ed64cc951d6
Instruction Fuzzy Hash: 86018F73E1C42857E334842EED4077F76CAE785221F048333B4A6C6AC0E86DD88186A9

Uniqueness

Uniqueness Score: -1.00%

Function 050713A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754bbe45275a1d368a09e9af83f14d5ccaf50612dadb2682bc060bc115adff0c
Instruction ID: f65c420d411f5c6a7c947e94a5a6738744795b30423e88988e65262f23d6982c
Opcode Fuzzy Hash: 754bbe45275a1d368a09e9af83f14d5ccaf50612dadb2682bc060bc115adff0c
Instruction Fuzzy Hash: 18016D72F1C02C57E334C42EF94077EB28BE784221F048333B4A6CAAC4E96DD881D699

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA834, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c86abead9528e4b53d8352eb83eac6852b2fab60fb28f848345355941e9881
Instruction ID: c6d0018cfa7a81ce61472eee8b957de8c9ef06e1fa3491702651b54104f41397
Opcode Fuzzy Hash: 82c86abead9528e4b53d8352eb83eac6852b2fab60fb28f848345355941e9881
Instruction Fuzzy Hash: F0010CB5644301AFD310CF09DC41E5BFBE8EB88A60F14C92EFD5997310D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA790, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a504fe7801318f7ace198aff5ee09f5419772fea7e11f6ba95eaa9c747542c
Instruction ID: e893bf139a426b1947309c01ccc615938e199222f7d9fe4c642939597d4ea275
Opcode Fuzzy Hash: d1a504fe7801318f7ace198aff5ee09f5419772fea7e11f6ba95eaa9c747542c
Instruction Fuzzy Hash: 41F081B26443007BD7108E06DC41E67FBE9EB84A60F14C95AFD0957311D171E9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA8E8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc53652aa529e8bc76836a3a6f8d694d6718aed7384f006390e20a664bc7a65b
Instruction ID: def29c64e76f66b4d8235cf0060eff7ad3afbf56336ddd8c1e0c927813882042
Opcode Fuzzy Hash: fc53652aa529e8bc76836a3a6f8d694d6718aed7384f006390e20a664bc7a65b
Instruction Fuzzy Hash: F5F0A4B26443007BD310CF06DC41E67FBECEB84A60F14C95EFD0957310D171E9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 05077310, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b892fa05cf70513cef462bf37040bbc04769d50dcf64b2ce7cce4165f6e7f04d
Instruction ID: 70d5934b23dece70cabdce9ec33e484ca5522637e8fdd2816a4f1599762956cc
Opcode Fuzzy Hash: b892fa05cf70513cef462bf37040bbc04769d50dcf64b2ce7cce4165f6e7f04d
Instruction Fuzzy Hash: 7CF02830B08149CBD338C62CE80477D3692EB86344F1C40BAE81ACB642C5258C46C789

Uniqueness

Uniqueness Score: -1.00%

Function 05071648, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a166ac31af441e1dd9c5d1e97a600558dc334db1e2a3af1971ff815553bf028c
Instruction ID: 752b9e354db84703050c494854b8acc0b525eabc306eb31cebb841a72e57414e
Opcode Fuzzy Hash: a166ac31af441e1dd9c5d1e97a600558dc334db1e2a3af1971ff815553bf028c
Instruction Fuzzy Hash: 8201F231B052188FC3008F44E458A7EBBE5FB41304F0AC4BAE5488B292D274DC05C764

Uniqueness

Uniqueness Score: -1.00%

Function 05075E28, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d822f74abf838738c1f1d14f84371638fe20f0e75f87882e61758ce83902f0
Instruction ID: ef53b9f6db1a1d376257d6d76cc53952bfb0d075eea4e0e9f995de8af10b81b3
Opcode Fuzzy Hash: 96d822f74abf838738c1f1d14f84371638fe20f0e75f87882e61758ce83902f0
Instruction Fuzzy Hash: CFE09B317501546BD714667E9C41FAE72DFABC9714F144169F705DB2C1CDA0DC444398

Uniqueness

Uniqueness Score: -1.00%

Function 028B0868, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.828100142.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: dd2b34a72b4644ec10a3e66e0d17a53e263f1e2ba7adfb0a3ff746ec8e9712bc
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: F9F01D39144644DFC716CF40D940B66FBA2EB89718F24C6ADE9490B752C737E913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 05070299, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a9f2fd05ed464dab8f0d206423e35d4c200198864ef7110cc17a60ee8a45a8
Instruction ID: f2161f921359f5dd3bad7c82629c644f78d34b83ef2f9e9c1f206fe7462aa15e
Opcode Fuzzy Hash: d9a9f2fd05ed464dab8f0d206423e35d4c200198864ef7110cc17a60ee8a45a8
Instruction Fuzzy Hash: A8F0E5233102085BDB166374F82A37E3B99DB45750F41047AEA47DB681ED2AEE068B86

Uniqueness

Uniqueness Score: -1.00%

Function 05071459, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81024b36a17a8421afa25db0c9678cc01e86fff2f164764088fbdc897f5a4fb6
Instruction ID: 1495c210b7f00afad3737a3e79da6969965e3ef0b8cd5d5b3bc1b43a401a57c1
Opcode Fuzzy Hash: 81024b36a17a8421afa25db0c9678cc01e86fff2f164764088fbdc897f5a4fb6
Instruction Fuzzy Hash: 99E0657260511C6BC744EB69CC12BAFBBE9DB84310F5481A9E505E7381DE329A058794

Uniqueness

Uniqueness Score: -1.00%

Function 050714B0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457d545314e907965101cc9c3c824eec5748da481dbe399f7f93723662a14bea
Instruction ID: 652b2cd6e40fe526382d79bb7351dcd451d045ec53f5c7ba0d5b461cdb4db818
Opcode Fuzzy Hash: 457d545314e907965101cc9c3c824eec5748da481dbe399f7f93723662a14bea
Instruction Fuzzy Hash: DFF08C393442408FD7129B78ED1CA293FE6AFC9312B5504EAE106CB2F2DE708C09CB80

Uniqueness

Uniqueness Score: -1.00%

Function 028B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.828100142.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df95e603e6526b0e309e5a3446e9a49fef27ca46b73101458a50fba3bc027076
Instruction ID: e27ad21034e2998d85d7db65927e70c96bc4c3691e18498e0daf98f829ccac93
Opcode Fuzzy Hash: df95e603e6526b0e309e5a3446e9a49fef27ca46b73101458a50fba3bc027076
Instruction Fuzzy Hash: 50E06D766406045BD650CF0AEC41452FBD8EB84630718C06BDC0D8B700E575B5088EA5

Uniqueness

Uniqueness Score: -1.00%

Function 050702A8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabdefc218a0f9b59c8ac595280f3bceabe5d3ec8dcc694696260c7e3f356b2a
Instruction ID: eca73e42d3dc34722500974b3852f85df28ca2f561e45269d284cec82ef897ec
Opcode Fuzzy Hash: dabdefc218a0f9b59c8ac595280f3bceabe5d3ec8dcc694696260c7e3f356b2a
Instruction Fuzzy Hash: F0E092313102185BDA056378B82937E3799DB84740F40057AE607DB680DD2AE9028B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA7B7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1fea4920c1c51d99a67b2016684b85cbc457a147d05953689ac231925b9926
Instruction ID: 211d5900790c72f98eb1ab5f574ec9a7b95f12b5aab6ff8dbe5e981c1df6ea1f
Opcode Fuzzy Hash: fc1fea4920c1c51d99a67b2016684b85cbc457a147d05953689ac231925b9926
Instruction Fuzzy Hash: 47E0D87164130467D6109F06AC82B12FF98DB80A30F44C557ED085B701E0B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA697, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea67ca8e2aa0c20c6fb04ff30fe3daddd670e6979842af26708e1650bea614ae
Instruction ID: 8d76b962e845cfc5dae012e7a0960f654210ef8ca561ee38100a1f8e4b0e14ae
Opcode Fuzzy Hash: ea67ca8e2aa0c20c6fb04ff30fe3daddd670e6979842af26708e1650bea614ae
Instruction Fuzzy Hash: 80E0D8B26413046BD3109F06AC42F13FF9CDB84A30F04C557ED085B702E0B1B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA90F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80d15ef55c06bec7b76a51eeac77d2f8240e2b608b682429d0332f44de86ddf
Instruction ID: 0d997503b42b716701659c97d0849c811470a681b6ad2437b7fd7cf4aa97c2db
Opcode Fuzzy Hash: a80d15ef55c06bec7b76a51eeac77d2f8240e2b608b682429d0332f44de86ddf
Instruction Fuzzy Hash: 50E0D87164130467D2108F06EC42B12FB98DB80930F44C557ED085B701E0B6F5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAA7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c015e84f81e79b9ee425b4b561977dc2bd203fcb9cb3c59887852b4746cc357b
Instruction ID: 70ee664881ba15fb595defcc0a948304d95bef033004bb14dbb25e70799bc9a1
Opcode Fuzzy Hash: c015e84f81e79b9ee425b4b561977dc2bd203fcb9cb3c59887852b4746cc357b
Instruction Fuzzy Hash: 4FE0D87264130467D6109F06AC42F13FF9CDB80A30F04C55BED095B701E1B1B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA873, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1671b0c34a1047ce3b6e927a90117096710e48e2fe3f317243e197a13cae627b
Instruction ID: c5e21a27aeb644eced34784f1251ebdfca11864dc29c1a938d4e1c63b2f60965
Opcode Fuzzy Hash: 1671b0c34a1047ce3b6e927a90117096710e48e2fe3f317243e197a13cae627b
Instruction Fuzzy Hash: 01E0D87264130467D2109F06AC42F62FB98DB90A30F04C56BED085B701E0B1B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA9C3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827530397.0000000000BF2000.00000040.00000001.sdmp, Offset: 00BF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36141e4c0cc38104ffa523632cd9e7765bc524fb5eeb285016a38aa3baff126
Instruction ID: 4d06ebdfc9971dddea2ef7420dcfe2cd3a8a8ce1301ae824b8ed1afe27b5715c
Opcode Fuzzy Hash: b36141e4c0cc38104ffa523632cd9e7765bc524fb5eeb285016a38aa3baff126
Instruction Fuzzy Hash: E7E0D87264130467D2108F06AC42F13FB98DB80A30F08C55BED085B701E0B1F5089AE5

Uniqueness

Uniqueness Score: -1.00%

Function 05070751, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74caf3ed58d694bde7776a4d1460ced23e9a7ffde0b37eae6c211eaf4edaae22
Instruction ID: 389bc688989a731682befbd9ab97333253afa2a31816029e0b06e112159dc150
Opcode Fuzzy Hash: 74caf3ed58d694bde7776a4d1460ced23e9a7ffde0b37eae6c211eaf4edaae22
Instruction Fuzzy Hash: B4D05E2760213C33D90831A8BC1BBFF928CCB51665F8812A5BA48F2742C84DAB6002E9

Uniqueness

Uniqueness Score: -1.00%

Function 05071468, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc72b8ad713c3f7f24f3e0c469a3c394aec9c5b942d1e88d696f2c7c15646da
Instruction ID: b21207b3ee1f34d4b37ffab3a94beec15796798bd226c82d57fcc1dd12d5ed3c
Opcode Fuzzy Hash: 7fc72b8ad713c3f7f24f3e0c469a3c394aec9c5b942d1e88d696f2c7c15646da
Instruction Fuzzy Hash: 97E0487170411C6FC744EBA9CC51AAEBBE9DB84210F5080A9E505E7382DF325D06C794

Uniqueness

Uniqueness Score: -1.00%

Function 00BE23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827489049.0000000000BE2000.00000040.00000001.sdmp, Offset: 00BE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad74e32631f1e1360e09c743c1b7765382ea9ec50b188e3eb080621f489015e
Instruction ID: 63f9079f309432375640e68b1a1052fcdb7d8080788998d372c20292cd690ee8
Opcode Fuzzy Hash: 7ad74e32631f1e1360e09c743c1b7765382ea9ec50b188e3eb080621f489015e
Instruction Fuzzy Hash: 5DD05E79205AD14FD3268B1CC1A9B953BE8EF51B04F4644F9E8008B7A7C369DA81D200

Uniqueness

Uniqueness Score: -1.00%

Function 00BE23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.827489049.0000000000BE2000.00000040.00000001.sdmp, Offset: 00BE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b391c791c86fb8ed430feae21f9364931cbd4bcc1c2dd1c7234b4b972346693
Instruction ID: 09a73f536ba2de1eb80af8590b8f1bb75511abae5c6db4aa20c4426aee72646d
Opcode Fuzzy Hash: 4b391c791c86fb8ed430feae21f9364931cbd4bcc1c2dd1c7234b4b972346693
Instruction Fuzzy Hash: 5FD05E342003814FC715DB0DC194F5937D8EB41B00F1A44E8AC008B266C7A8DC81CA00

Uniqueness

Uniqueness Score: -1.00%

Function 05070780, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57555233765893605339524621e327118a15d8a8a1e1931fd82527748e27656
Instruction ID: 49b014e11aff0f17f933817ab417987adf43e88caa897c54019023f262eb3d12
Opcode Fuzzy Hash: c57555233765893605339524621e327118a15d8a8a1e1931fd82527748e27656
Instruction Fuzzy Hash: 66B0922234453C131809319938128ADB68D898696528010AAF60EA72428D892E5102DE

Uniqueness

Uniqueness Score: -1.00%

Function 050724E9, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363c411e4a8a5e631587a21a0fabe92ce8e217782ce24f5efdbb8d1c1e7c2593
Instruction ID: af6ba2b2d338b7ac3dbd687ea2c306d77b4730bac80c73d8ffb9dc9408bdf5b8
Opcode Fuzzy Hash: 363c411e4a8a5e631587a21a0fabe92ce8e217782ce24f5efdbb8d1c1e7c2593
Instruction Fuzzy Hash: 46C08C3620524867D300A300ED86BF73328E3422A8FA045A1E000C3A84C5284E00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 05071369, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248971ce34ef471fb5e2f11d919eda72c2bd18db38cf35dfc51dd92457f4bfa2
Instruction ID: aab5f981793a106c13828d4c27dbc365eb63624c8ede0f456681730096798130
Opcode Fuzzy Hash: 248971ce34ef471fb5e2f11d919eda72c2bd18db38cf35dfc51dd92457f4bfa2
Instruction Fuzzy Hash: 44C08CA318834027E3010220DC16B333610E730301F1680E16680AB2E9DD58C52A8A62

Uniqueness

Uniqueness Score: -1.00%

Function 050700F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d0d184daa6ff280205accdb040a803fd2ef911bd35ff8db30ee9d322ba6c56
Instruction ID: a0e6a0b66bf0bf0fbed8656710923191f16a94c15e4c8e14bac8444471d6beae
Opcode Fuzzy Hash: e7d0d184daa6ff280205accdb040a803fd2ef911bd35ff8db30ee9d322ba6c56
Instruction Fuzzy Hash: 5AB012E79070526BCF000324FD0ABB73F188741305F0901A2780082143C9484378C3B2

Uniqueness

Uniqueness Score: -1.00%

Function 05072519, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.830682746.0000000005070000.00000040.00000001.sdmp, Offset: 05070000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed454d542c85aeae465456468becd03cffd1a6cdf2f414134eb3cf1208e0516
Instruction ID: b86a3e0ac2f7cf29265934b8e0d6fd90daa8b3a70635afe58d92e29999e445a4
Opcode Fuzzy Hash: 3ed454d542c85aeae465456468becd03cffd1a6cdf2f414134eb3cf1208e0516
Instruction Fuzzy Hash: 71B01279200384ABC608F701EF4ABF63312F38134C391C560D201C37A8C92C5E00C7C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: fullview.exe PID: 6400 Parent PID: 7088 fullview.exeCOMMON

Executed Functions

Function 0149A818, Relevance: 3.1, APIs: 2, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0149A7C1
FindCloseChangeNotification.KERNELBASE(?), ref: 0149A888

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindMutexNotification
String ID:
API String ID: 2967213129-0
Opcode ID: 84d789ca76a3e8b03d09c86388efca19cc879bd9cc0b85fcaa26478147682a7f
Instruction ID: 21f69185e3ed5bba837ad9672a54a59eecf06f900adb23d88aad19bf1b6dc987
Opcode Fuzzy Hash: 84d789ca76a3e8b03d09c86388efca19cc879bd9cc0b85fcaa26478147682a7f
Instruction Fuzzy Hash: 6531C5714093809FEB12CF29D885756BFA4EF02324F1884EBDD848F663D2759909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0149A361, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0149A411

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ab78e74c0943102c0ba196cf8345e3623104e46a5fdd6dbe7414217b7f775700
Instruction ID: 30b1f655fd60541ab937b80807db7c87d270db36fd10aee681c83a799fbe05fb
Opcode Fuzzy Hash: ab78e74c0943102c0ba196cf8345e3623104e46a5fdd6dbe7414217b7f775700
Instruction Fuzzy Hash: C831A272404784AFE7228F25CC84F57BFBCEF05310F08849BE9809B152D224E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0149A459, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BB15A002,00000000,00000000,00000000,00000000), ref: 0149A514

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c7f5b55194b31f4ed66d7817cfa0e5d761212b24c070e50c10cbeb4c22be31c3
Instruction ID: 21d2bb2e24bdd165e64c2121d67e8f00eae3913a7955cc61a8636097e954b64b
Opcode Fuzzy Hash: c7f5b55194b31f4ed66d7817cfa0e5d761212b24c070e50c10cbeb4c22be31c3
Instruction Fuzzy Hash: E33161715097846FEB22CF65CC45F62BFE8EF06720F18849AE9858B263D264E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0149A71A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0149A7C1

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0c8ce00e500f532c4cf2689a516b9601dcfb0edc2bdeaf43cc75deac6b4136d9
Instruction ID: 321ea2a875b24bfb9f0f821a0526c6054f598de439a2b26e12e477bcfe28a303
Opcode Fuzzy Hash: 0c8ce00e500f532c4cf2689a516b9601dcfb0edc2bdeaf43cc75deac6b4136d9
Instruction Fuzzy Hash: A9317EB15097806FE722CB25CC85B56BFA8EF06310F18849AE9848B292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0149A56A, Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,BB15A002,00000000,00000000,00000000,00000000), ref: 0149A600

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 96513733af70d4febc2193746352fe2ccb4466487b97e3146ac77f25aebdff33
Instruction ID: 518f381ca58cda571ffcd2d16006231fe4ab4ee969b85cd02bea1f389fefdfcf
Opcode Fuzzy Hash: 96513733af70d4febc2193746352fe2ccb4466487b97e3146ac77f25aebdff33
Instruction Fuzzy Hash: A92192B25053806FEB228F15DC45F57BFB8EF45320F18849BE985DB252D264E848C771

Uniqueness

Uniqueness Score: -1.00%

Function 0149A392, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0149A411

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2ea4d980354d1496231af8de42873ef658cbfb25e6cfad623eeb56278f824025
Instruction ID: 5378bb79696bf3a214a882572de3a8df7138a32b9f736537d10d2f5c8e8fb3fb
Opcode Fuzzy Hash: 2ea4d980354d1496231af8de42873ef658cbfb25e6cfad623eeb56278f824025
Instruction Fuzzy Hash: 0221C272500704AEEB21CF59CC88F6BFBECEF08320F14846AED419B251D274E9058A71

Uniqueness

Uniqueness Score: -1.00%

Function 0149A74E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0149A7C1

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 49dd43758012c48bdfd1150ce9b3bbe6be3866afdfb25c1c47e448b83ed46035
Instruction ID: c51bc5178fadd29e68966f6541bfe548167e0630856b38907fcf2ff3bdee5532
Opcode Fuzzy Hash: 49dd43758012c48bdfd1150ce9b3bbe6be3866afdfb25c1c47e448b83ed46035
Instruction Fuzzy Hash: ED217FB1600240AFEB21DF69CC85B6AFFE8EF04310F1484AAED458B352D675E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0149A49A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BB15A002,00000000,00000000,00000000,00000000), ref: 0149A514

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a63ea2071e4dd98eb1a989fbee45c20a2f8cb3482a5fe7d2e96e2b078bbf6760
Instruction ID: 3aff14bb3114db894ee64549574128b4409643784d728b6922fca9cccb556413
Opcode Fuzzy Hash: a63ea2071e4dd98eb1a989fbee45c20a2f8cb3482a5fe7d2e96e2b078bbf6760
Instruction Fuzzy Hash: 28215E71640304AFEB21CE29DC85F67BBECEF04720F14846AED459B662D774E544CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0149A58E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,BB15A002,00000000,00000000,00000000,00000000), ref: 0149A600

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fcb6afafbb12fdda4e67d3bb0964a6386c5739fcce0b39d259c70109b311a776
Instruction ID: d8fb5cd59b21380173992f479533b17f1b5772ec06fc253ed69d083f53e3934a
Opcode Fuzzy Hash: fcb6afafbb12fdda4e67d3bb0964a6386c5739fcce0b39d259c70109b311a776
Instruction Fuzzy Hash: 67118EB2600300AFEB319E19DC45F67FFA8EF44720F14845AED859B652E774E845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0149A856, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0149A888

Memory Dump Source

Source File: 00000010.00000002.821839657.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e27390b03f327293b8ca7f076a5002f9024737e84c4d38d312e29a788fff7d7e
Instruction ID: 0dc4f87fc483d2daea14f92a028a0a1d71af203d7491a7ad1901258530d7f1d2
Opcode Fuzzy Hash: e27390b03f327293b8ca7f076a5002f9024737e84c4d38d312e29a788fff7d7e
Instruction Fuzzy Hash: E1017C719002409FDB60CF5AD885766FFA4EF04320F18C4ABDD498F656D678A809CA62

Uniqueness

Uniqueness Score: -1.00%

Function 030902F0, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0871d921f41ad0af42b1b7373d7dc7cdd24809e8de6cb04dc43980e8a3964ce
Instruction ID: 0c44d3e3cab23918174d5f9164f83ba4872a507107d60ece74af3d90858c4b5a
Opcode Fuzzy Hash: a0871d921f41ad0af42b1b7373d7dc7cdd24809e8de6cb04dc43980e8a3964ce
Instruction Fuzzy Hash: A5C14C74A01318CFEB28DF74D848BADBBB2FB88304F5084AAD106AB294DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 030902E0, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f4222b0e7259bc5b8946603dd213308c17c456db11e961017d6ecdc685234e
Instruction ID: d8a0636e8c71eb40eeef4f3e2d184b1e24d068d3a2e0ba94eef8fb92a44d8936
Opcode Fuzzy Hash: 41f4222b0e7259bc5b8946603dd213308c17c456db11e961017d6ecdc685234e
Instruction Fuzzy Hash: A3C14C74A01218CFEB28DF74D844BADBBB2FB88304F5084AAD50AAB294DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 030903BD, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d558cea159cdd6a3df6afea2334d125568d229a78d9de1f8f0d53dd0d0d14c
Instruction ID: 15f8d3f8e57e7b2622eca663280fb4ca508a6e131a90032d053c416e8056e70a
Opcode Fuzzy Hash: b8d558cea159cdd6a3df6afea2334d125568d229a78d9de1f8f0d53dd0d0d14c
Instruction Fuzzy Hash: 3EA14A74A01219CFEB28DF74C844BADBBB2FF88304F5084AAD10AAB294DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0309042C, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5641fec011a646f3cabd0ecb7bab88993ee98d2d295f9c8ab35c6ba48dab2d3
Instruction ID: f810b5fdb3b55baf9ddef250c4beaa8d468076b0a27aea29d60f2f94740190ca
Opcode Fuzzy Hash: e5641fec011a646f3cabd0ecb7bab88993ee98d2d295f9c8ab35c6ba48dab2d3
Instruction Fuzzy Hash: 06914A74A01319CFEB28DF74C844BADBBB2FF88304F5084AA910AAB294DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03090474, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385e5875a0620b4fdb6538308e9ec56463923666119b3e81285f0d4afab0bc46
Instruction ID: c5ed4d9b77cdb6672d7d040bfa60f0f02d2b527aca91ebd08ea01cad4170828f
Opcode Fuzzy Hash: 385e5875a0620b4fdb6538308e9ec56463923666119b3e81285f0d4afab0bc46
Instruction Fuzzy Hash: 3B914B74A01319CFEB28DF75C844BADBBB2FF88304F5084AA910AAB294DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03090521, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98e92748a14e88afc5aa9c979b90cb2a6803dbaee7fa2cf697951417527ab4f
Instruction ID: 37e8e82efc2754000fae4a46eea1c847e902488c098a33984b580cba56fca85a
Opcode Fuzzy Hash: a98e92748a14e88afc5aa9c979b90cb2a6803dbaee7fa2cf697951417527ab4f
Instruction Fuzzy Hash: AD714B34A01219CFDB64DF75C844BADBBB2FF88304F5084AAD10AAB2A4DB755D85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0309058F, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dab43e2528e2d10221210b9cfa90cb6ddd7cd2ffe2871f595c33eabccb7a4b
Instruction ID: 1006cb96fa84a526ab0a71c0f3f507802df063e0605b16b6ece4e07d2c843b65
Opcode Fuzzy Hash: f2dab43e2528e2d10221210b9cfa90cb6ddd7cd2ffe2871f595c33eabccb7a4b
Instruction Fuzzy Hash: 08614B34E012198FDB64DF65C844BADBBB2FF84304F5084EA910AAB294DB755EC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03090080, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bab927c2afc31c7565ea9549f98ed28fbe78e6eaca10c64cb3834b1efe93fc
Instruction ID: 2b327ae7c03095676ee995194cc7918cb9d18a41b88c65d07c5661b9a0d6fece
Opcode Fuzzy Hash: f4bab927c2afc31c7565ea9549f98ed28fbe78e6eaca10c64cb3834b1efe93fc
Instruction Fuzzy Hash: 875162382157858FD314DF38E49894A7BF2FBC078471085ADE5444B26EEF78AC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03090007, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822036442.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb2d86a63e8d8854664125298934b528947ca1862271969055ddd8146d318b3
Instruction ID: 81f104515ab0b5d95b49d28cfe608c02a6ff8f32b6009c83f901bafc07b34585
Opcode Fuzzy Hash: 2eb2d86a63e8d8854664125298934b528947ca1862271969055ddd8146d318b3
Instruction Fuzzy Hash: 1401763004F3C19FCB179B748CA26913FB5AE0321431A44DBD081CF1B7E629A84ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 030F05CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822061156.00000000030F0000.00000040.00000040.sdmp, Offset: 030F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be711f80fa27cb000ad637628fd066c98a6855755868e59807fc77328e487ae7
Instruction ID: 52f1bf59e956ffca661c1178c348a270708773d7228888ac5635a6d306ebb09b
Opcode Fuzzy Hash: be711f80fa27cb000ad637628fd066c98a6855755868e59807fc77328e487ae7
Instruction Fuzzy Hash: BE01D67554D7806FD7128B06EC40862FFF8EF86220709C4AFEC898B612D225B918CB72

Uniqueness

Uniqueness Score: -1.00%

Function 030F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.822061156.00000000030F0000.00000040.00000040.sdmp, Offset: 030F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268378d313b0ba860b6cd2548a8c14e5b70e268c83050c70751fd75a28f2bac3
Instruction ID: 0f9578d0e5718094311e743ad6510ffefa0d98c211f55990ba8dfa0073ec30b7
Opcode Fuzzy Hash: 268378d313b0ba860b6cd2548a8c14e5b70e268c83050c70751fd75a28f2bac3
Instruction Fuzzy Hash: 33E06D766416005BD650CF0AEC41852FBD8EB88630758C06BDC0D8B700E535B904CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 014923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.821832308.0000000001492000.00000040.00000001.sdmp, Offset: 01492000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c9318fe849640231d624e213d0ed4d15d9e1f117c47338d359fce6ce247693
Instruction ID: 60962e19db6d260fd7fa763fc5ca4d3a81bf0fcfb38a2af1ffa3e38351037f2d
Opcode Fuzzy Hash: 90c9318fe849640231d624e213d0ed4d15d9e1f117c47338d359fce6ce247693
Instruction Fuzzy Hash: CBD05E79205AA15FE7268A1CC1A8F963FE4AB61B04F4644FAE8008B777C3A9D681D200

Uniqueness

Uniqueness Score: -1.00%

Function 014923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.821832308.0000000001492000.00000040.00000001.sdmp, Offset: 01492000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3519fa0859725cf681d0ffdd3107a15fd24554313a717d6f649af1c1ceba13
Instruction ID: 8acb6347ae5f128575bf00f7bdd32f9c95c5bf7a53fb8c3b6a81f90cbad74fc9
Opcode Fuzzy Hash: 2c3519fa0859725cf681d0ffdd3107a15fd24554313a717d6f649af1c1ceba13
Instruction Fuzzy Hash: 77D05E342002814BDB25DB1CC198F5A3FD4AB41B00F0644E9AD008B376C7F4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Njrat

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre