Play interactive tour

Edit tour

Windows Analysis Report Swift Payment-3134101002.exe

Overview

General Information

Sample Name:	Swift Payment-3134101002.exe
Analysis ID:	457985
MD5:	3221d82b7169d545f01f2e2ba94ade25
SHA1:	96326c074c61d3d176f4c6760ce5027b565fad03
SHA256:	41a5f782da40bea08f41a9510a299bfa071c7f84547085f65006c25002802449
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Defender Exclusion

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Swift Payment-3134101002.exe (PID: 896 cmdline: 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' MD5: 3221D82B7169D545F01F2E2BA94ADE25)

powershell.exe (PID: 2896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5452 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4500 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Swift Payment-3134101002.exe (PID: 5848 cmdline: C:\Users\user\Desktop\Swift Payment-3134101002.exe MD5: 3221D82B7169D545F01F2E2BA94ADE25)

Swift Payment-3134101002.exe (PID: 5260 cmdline: C:\Users\user\Desktop\Swift Payment-3134101002.exe MD5: 3221D82B7169D545F01F2E2BA94ADE25)

schtasks.exe (PID: 5872 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp54AF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6172 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5992.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Swift Payment-3134101002.exe (PID: 6208 cmdline: 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' 0 MD5: 3221D82B7169D545F01F2E2BA94ADE25)

powershell.exe (PID: 1692 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 1332 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpF33C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5492 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Swift Payment-3134101002.exe (PID: 5436 cmdline: C:\Users\user\Desktop\Swift Payment-3134101002.exe MD5: 3221D82B7169D545F01F2E2BA94ADE25)

dhcpmon.exe (PID: 6580 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 3221D82B7169D545F01F2E2BA94ADE25)

dhcpmon.exe (PID: 6812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 3221D82B7169D545F01F2E2BA94ADE25)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "533a35a8-575b-4ab4-8925-c191b861", "Group": "Yota", "Domain1": "yota890.hopto.org", "Domain2": "127.0.0.1", "Port": 23890, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "yota890.hopto.org", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2380b:$a: NanoCore 0x23864:$a: NanoCore 0x238a1:$a: NanoCore 0x2391a:$a: NanoCore 0x2386d:$b: ClientPlugin 0x238aa:$b: ClientPlugin 0x241a8:$b: ClientPlugin 0x241b5:$b: ClientPlugin 0x1b57a:$e: KeepAlive 0x23cf5:$g: LogClientMessage 0x23c75:$i: get_Connected 0x1583d:$j: #=q 0x1586d:$j: #=q 0x158a9:$j: #=q 0x158d1:$j: #=q 0x15901:$j: #=q 0x15931:$j: #=q 0x15961:$j: #=q 0x15991:$j: #=q 0x159ad:$j: #=q 0x159dd:$j: #=q
0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a75:$a: NanoCore 0x49ace:$a: NanoCore 0x49b0b:$a: NanoCore 0x49b84:$a: NanoCore 0x5d22f:$a: NanoCore 0x5d244:$a: NanoCore 0x5d279:$a: NanoCore 0x7621b:$a: NanoCore 0x76230:$a: NanoCore 0x76265:$a: NanoCore 0x49ad7:$b: ClientPlugin 0x49b14:$b: ClientPlugin 0x4a412:$b: ClientPlugin 0x4a41f:$b: ClientPlugin 0x5cfeb:$b: ClientPlugin 0x5d006:$b: ClientPlugin 0x5d036:$b: ClientPlugin 0x5d24d:$b: ClientPlugin 0x5d282:$b: ClientPlugin 0x75fd7:$b: ClientPlugin 0x75ff2:$b: ClientPlugin
0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34a72:$a: NanoCore 0x34a97:$a: NanoCore 0x34af0:$a: NanoCore 0x44c9b:$a: NanoCore 0x44cc1:$a: NanoCore 0x44d1d:$a: NanoCore 0x51b7b:$a: NanoCore 0x51bd4:$a: NanoCore 0x51c07:$a: NanoCore 0x51e33:$a: NanoCore 0x51eaf:$a: NanoCore 0x524c8:$a: NanoCore 0x52611:$a: NanoCore 0x52ae5:$a: NanoCore 0x52dcc:$a: NanoCore 0x52de3:$a: NanoCore 0x5bc8b:$a: NanoCore 0x5bd07:$a: NanoCore 0x5e5ea:$a: NanoCore 0x63bb9:$a: NanoCore 0x63c33:$a: NanoCore
Process Memory Space: Swift Payment-3134101002.exe PID: 5260	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13447:$x1: NanoCore.ClientPluginHost 0x13484:$x2: IClientNetworkHost 0x6f542:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79d09:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Swift Payment-3134101002.exe PID: 5260	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Swift Payment-3134101002.exe PID: 5260	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9145:$a: NanoCore 0x941f:$a: NanoCore 0x94a9:$a: NanoCore 0x1340a:$a: NanoCore 0x13422:$a: NanoCore 0x13447:$a: NanoCore 0x1723d:$a: NanoCore 0x17253:$a: NanoCore 0x17276:$a: NanoCore 0x2d5fd:$a: NanoCore 0x2d613:$a: NanoCore 0x2d63a:$a: NanoCore 0x42810:$a: NanoCore 0x42823:$a: NanoCore 0x42855:$a: NanoCore 0x49945:$a: NanoCore 0x49958:$a: NanoCore 0x4998a:$a: NanoCore 0x6c2e5:$a: NanoCore 0x6c2f5:$a: NanoCore 0x6c331:$a: NanoCore
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Swift Payment-3134101002.exe.3e21330.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3e21330.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
42.2.Swift Payment-3134101002.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
42.2.Swift Payment-3134101002.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
42.2.Swift Payment-3134101002.exe.2d23a2c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
42.2.Swift Payment-3134101002.exe.2d23a2c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Swift Payment-3134101002.exe.2d7911c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2d7911c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb53b:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x22eb7:$x1: NanoCore.ClientPluginHost 0x2d2eb:$x1: NanoCore.ClientPluginHost 0x382d5:$x1: NanoCore.ClientPluginHost 0x44083:$x1: NanoCore.ClientPluginHost 0x4fdd6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb574:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x23014:$x2: IClientNetworkHost 0x2d324:$x2: IClientNetworkHost 0x382ef:$x2: IClientNetworkHost 0x4409d:$x2: IClientNetworkHost 0x4fe13:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb53b:$x2: NanoCore.ClientPluginHost 0x13469:$x2: NanoCore.ClientPluginHost 0x19444:$x2: NanoCore.ClientPluginHost 0x22eb7:$x2: NanoCore.ClientPluginHost 0x2d2eb:$x2: NanoCore.ClientPluginHost 0x382d5:$x2: NanoCore.ClientPluginHost 0x44083:$x2: NanoCore.ClientPluginHost 0x4fdd6:$x2: NanoCore.ClientPluginHost 0x23e0d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb63f:$s4: PipeCreated 0x13584:$s4: PipeCreated 0x19522:$s4: PipeCreated 0x230ad:$s4: PipeCreated 0x2d436:$s4: PipeCreated 0x3930a:$s4: PipeCreated 0x45e2e:$s4: PipeCreated 0x53229:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb555:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb53b:$a: NanoCore 0xb5b7:$a: NanoCore 0xde9a:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x22eb7:$a: NanoCore 0x22fa1:$a: NanoCore 0x23e18:$a: NanoCore
13.2.Swift Payment-3134101002.exe.2cf160c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2cf160c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.3e12f14.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3e12f14.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.Swift Payment-3134101002.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.Swift Payment-3134101002.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
13.2.Swift Payment-3134101002.exe.3e12f14.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost 0x2d611:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3e12f14.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x2d5f7:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x30934:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost 0x2d5e4:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.2d6cedc.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2d6cedc.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.Swift Payment-3134101002.exe.3e25fcf.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3e25fcf.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.3e21330.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.3e21330.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x374eb:$x1: NanoCore.ClientPluginHost 0x4191f:$x1: NanoCore.ClientPluginHost 0x4c909:$x1: NanoCore.ClientPluginHost 0x586b7:$x1: NanoCore.ClientPluginHost 0x6440a:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x37648:$x2: IClientNetworkHost 0x41958:$x2: IClientNetworkHost 0x4c923:$x2: IClientNetworkHost 0x586d1:$x2: IClientNetworkHost 0x64447:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d17:$x2: NanoCore.ClientPluginHost 0x1fb6f:$x2: NanoCore.ClientPluginHost 0x27a9d:$x2: NanoCore.ClientPluginHost 0x2da78:$x2: NanoCore.ClientPluginHost 0x374eb:$x2: NanoCore.ClientPluginHost 0x4191f:$x2: NanoCore.ClientPluginHost 0x4c909:$x2: NanoCore.ClientPluginHost 0x586b7:$x2: NanoCore.ClientPluginHost 0x6440a:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38441:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e34:$s4: PipeCreated 0x1fc73:$s4: PipeCreated 0x27bb8:$s4: PipeCreated 0x2db56:$s4: PipeCreated 0x376e1:$s4: PipeCreated 0x41a6a:$s4: PipeCreated 0x4d93e:$s4: PipeCreated 0x5a462:$s4: PipeCreated
13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x4372b:$x1: NanoCore.ClientPluginHost 0x4db5f:$x1: NanoCore.ClientPluginHost 0x58b49:$x1: NanoCore.ClientPluginHost 0x648f7:$x1: NanoCore.ClientPluginHost 0x7064a:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x43888:$x2: IClientNetworkHost 0x4db98:$x2: IClientNetworkHost 0x58b63:$x2: IClientNetworkHost 0x64911:$x2: IClientNetworkHost 0x70687:$x2: IClientNetworkHost
13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14de5:$x2: NanoCore.ClientPluginHost 0x21f57:$x2: NanoCore.ClientPluginHost 0x2bdaf:$x2: NanoCore.ClientPluginHost 0x33cdd:$x2: NanoCore.ClientPluginHost 0x39cb8:$x2: NanoCore.ClientPluginHost 0x4372b:$x2: NanoCore.ClientPluginHost 0x4db5f:$x2: NanoCore.ClientPluginHost 0x58b49:$x2: NanoCore.ClientPluginHost 0x648f7:$x2: NanoCore.ClientPluginHost 0x7064a:$x2: NanoCore.ClientPluginHost 0x15db4:$s2: FileCommand 0x44681:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7b6:$s4: PipeCreated 0x22074:$s4: PipeCreated 0x2beb3:$s4: PipeCreated 0x33df8:$s4: PipeCreated 0x39d96:$s4: PipeCreated 0x43921:$s4: PipeCreated 0x4dcaa:$s4: PipeCreated
13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
Click to see the 52 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Swift Payment-3134101002.exe, ProcessId: 5260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' , ParentImage: C:\Users\user\Desktop\Swift Payment-3134101002.exe, ParentProcessId: 896, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', ProcessId: 2896

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' , ParentImage: C:\Users\user\Desktop\Swift Payment-3134101002.exe, ParentProcessId: 896, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe', ProcessId: 2896

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Swift Payment-3134101002.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe	Avira: detection malicious, Label: HEUR/AGEN.1105323
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: HEUR/AGEN.1105323

Found malware configuration

Show sources

Source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "533a35a8-575b-4ab4-8925-c191b861", "Group": "Yota", "Domain1": "yota890.hopto.org", "Domain2": "127.0.0.1", "Port": 23890, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "yota890.hopto.org", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: yota890.hopto.org	Virustotal: Detection: 6%			Perma Link
Source: yota890.hopto.org	Virustotal: Detection: 6%			Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Swift Payment-3134101002.exe

Joe Sandbox ML: detected

Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Swift Payment-3134101002.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Swift Payment-3134101002.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49743 -> 79.134.225.73:23890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 79.134.225.73:23890

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: yota890.hopto.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 79.134.225.73 ports 0,2,3,23890,8,9

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 79.134.225.73:23890

Source: Joe Sandbox View

IP Address: 79.134.225.73 79.134.225.73

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Code function: 13_2_02982F5A WSARecv,

13_2_02982F5A

Source: unknown

DNS traffic detected: queries for: yota890.hopto.org

Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.384602564.00000000047C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.345525440.00000000052EF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.352725391.0000000005619000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro

Source: Swift Payment-3134101002.exe, 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.2d23a2c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Swift Payment-3134101002.exe.2cf160c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3e25fcf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Swift Payment-3134101002.exe

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_0298198E NtQuerySystemInformation,		13_2_0298198E
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02981953 NtQuerySystemInformation,		13_2_02981953

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02929788	13_2_02929788
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02928B88	13_2_02928B88
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02922FA8	13_2_02922FA8
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_0292B3E8	13_2_0292B3E8
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02923850	13_2_02923850
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_0292984F	13_2_0292984F
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_0292306F	13_2_0292306F
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 42_2_04EF2FA8	42_2_04EF2FA8
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 42_2_04EF23A0	42_2_04EF23A0
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 42_2_04EF3850	42_2_04EF3850
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 42_2_04EF306F	42_2_04EF306F

Source: Swift Payment-3134101002.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Swift Payment-3134101002.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Swift Payment-3134101002.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPiUrUItCGsY.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPiUrUItCGsY.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPiUrUItCGsY.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Swift Payment-3134101002.exe, 00000000.00000000.222356961.0000000000DF4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageEn.exe< vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000A.00000000.265756427.0000000000204000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageEn.exe< vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000003.280499805.0000000000B00000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMessageEn.exe< vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504778591.0000000003E0D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504778591.0000000003E0D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504778591.0000000003E0D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504778591.0000000003E0D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498885828.0000000002970000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502501954.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Swift Payment-3134101002.exe
Source: Swift Payment-3134101002.exe, 00000012.00000000.279888913.00000000009C4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageEn.exe< vs Swift Payment-3134101002.exe

Source: Swift Payment-3134101002.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.2d23a2c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.2d23a2c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d8d750.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Swift Payment-3134101002.exe.2cf160c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2cf160c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3e12f14.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3e25fcf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3e25fcf.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.3e21330.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d7911c.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Swift Payment-3134101002.exe.2d6cedc.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Swift Payment-3134101002.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TPiUrUItCGsY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Swift Payment-3134101002.exe, iZJJdJcm0j1jlqDgZC/tli8EI1eBmVGUWaPhL.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Swift Payment-3134101002.exe, iZJJdJcm0j1jlqDgZC/tli8EI1eBmVGUWaPhL.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@37/38@16/2

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_0298174E AdjustTokenPrivileges,		13_2_0298174E
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02981717 AdjustTokenPrivileges,		13_2_02981717

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File created: C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe

Jump to behavior

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Mutant created: \Sessions\1\BaseNamedObjects\KNHtpfYsPXzJQUeQbjh
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3888:120:WilError_01
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{533a35a8-575b-4ab4-8925-c191b861d6ad}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_01

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp

Jump to behavior

Source: Swift Payment-3134101002.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File read: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp54AF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5992.tmp'
Source: unknown	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe 'C:\Users\user\Desktop\Swift Payment-3134101002.exe' 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpF33C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp54AF.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5992.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpF33C.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Swift Payment-3134101002.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Swift Payment-3134101002.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Swift Payment-3134101002.exe

Static file information: File size 1495040 > 1048576

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Swift Payment-3134101002.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ee00

Source: Swift Payment-3134101002.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: Swift Payment-3134101002.exe, iZJJdJcm0j1jlqDgZC/tli8EI1eBmVGUWaPhL.cs

.Net Code: stackVariable2.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 10_2_000A9598 push esp; ret	10_2_000A959D
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_004D9598 push esp; ret	13_2_004D959D
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 42_2_005A9598 push esp; ret	42_2_005A959D

Source: initial sample	Static PE information: section name: .text entropy: 7.48327692436
Source: initial sample	Static PE information: section name: .text entropy: 7.48327692436

Source: Swift Payment-3134101002.exe, K42DoNDH332WPEJUma/WdjdUkpf6imjdhyBbe.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'aMZ30p1CTO', 'yb93AjSki7', 'tdV32kkHUo', 'i6137ixvKq', 'QTQ3oNnXX5', 'WBI9io1JEE', 'VN39tQMBOf', 'BK69OeVdUP'
Source: Swift Payment-3134101002.exe, bMPDSo5ZtOD48oHHM5/pKutg6xq4kDPYuYRFy.cs	High entropy of concatenated method names: '.ctor', 'aTQyKrtn5F', 'JXPyPrc0tn', 'qygyfTs9HG', 'LyyyTUQaUU', 'JvSyQStaST', 'kjvylFI9Tq', 'gUOy9w0kbS', 'uhGypRn51C', 'AvkyDy4Von'
Source: Swift Payment-3134101002.exe, oevLTPmXCnbJFKYHnb/vnQj8HLXpA84ldu1Tb.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'CZPbgiSDSU', 'CE1WdFOrFU', 'moLWudDqWR', 't80ldpK0Jx', 'OqilupDkYm', 'qgClmfmnAu', 'HmwlpSUj9N', 'dRule9ISKy'
Source: Swift Payment-3134101002.exe, aoSQaHRWJXH35uGm9Z/kd3mOT8nskqBoIxxTG.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'r0hd1RDdlP', 'B2Sl5QN086', 'qPFlXBPQX8', 'CxilHtPYqc', 'NRolSthTGR', 'APQlwAGovr', 'vmIlvNRBH6', 'BK69OeVdUP'
Source: Swift Payment-3134101002.exe, U1mtIZ9iMGCOYTVqGC/CF7euXlmAhskFiL3pc.cs	High entropy of concatenated method names: 'bUa3k103Dj', 'HPc38p9PZY', 'Uhn3DlaELj', '.ctor', 'I5R3xKZsVy', 'EMu352xWlG', 'iNn3sGMHr5', 'vGA3q7MfsB', 'Awp3iRysQD', 'FrC3n4Ry9p'
Source: Swift Payment-3134101002.exe, pjGOFQEF6EgToSX0ta/gSyUGpkpitrQxELJ4s.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'Tevdarjy7P', 'g92lkUh0gR', 'rmQlZ72SbY', 'BK69OeVdUP', 'PKQ9Nh5xHi', 'VfclDowSUD', 'BuPl4GyFi7', 'FXjdw2uoAC'
Source: Swift Payment-3134101002.exe, iZJJdJcm0j1jlqDgZC/tli8EI1eBmVGUWaPhL.cs	High entropy of concatenated method names: '.cctor', 'jWhfN3Ts9f0m2', 'mlLKYipiwq', 'sRSKXDXjma', 'Tj1KWietwa', 'Sy4KSq8aBY', 'MJ6KC98hl9', 'IH5KGHYlWL', 'NymKzGH3LX', 'aPBPNwc8oK'
Source: Swift Payment-3134101002.exe, RFBqOWnLDu2Put6Sl2/aTLIt4ifB8Brgq2y9v.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L3hd6XXegI', 'BK69OeVdUP', 'PKQ9Nh5xHi', 'hcylxkIgto', 'oTslhHLEAo', 'oUJlftpB5w', 'X38l2hfn8H', 'e8IlRsHZWZ'
Source: Swift Payment-3134101002.exe, qZnhhoqG4laOnQUbKh/D5fa8DsitTlrglIHOS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'dXfdBjy5Yx', 'KXFlQFUw2y', 'ltqlPtHYvk', 'E5xdVLfjcu', 'MNhdtIS43g', 'fe18AdELRYgIjZorV4X', 'oV2Qe3EFXxQoDLVSDeD', 'NNDuSrEmN4CqIfFIbIp'
Source: Swift Payment-3134101002.exe, yUreQMeU10LmPBsLgB/hmWNRKUVG4ThBDjrNH.cs	High entropy of concatenated method names: 'j0yfN3TTRAw5q', '.ctor', '.cctor', 'c8Q196thcdo5jj1hkbE', 'W7mwe2tDYjcJCxImDxH', 'aFFXOXtbCFFiaGVXNOp', 'fcCybIta9dl14bfqX9E', 'JwyHNTtRTFiNXfkXRs7', 'WYDiJqtECkeCOU9T1Sd', 'qIGoppti0mvtsKWSjZj'

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	File created: C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

File opened: C:\Users\user\Desktop\Swift Payment-3134101002.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4937	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2004	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4568	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1962	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5111
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3572
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Window / User API: foregroundWindowGot 625
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Window / User API: foregroundWindowGot 519
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2906
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 864
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3506

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 1388	Thread sleep time: -40731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 5872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1760	Thread sleep count: 4568 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1760	Thread sleep count: 1962 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1056	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048	Thread sleep count: 5111 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048	Thread sleep count: 3572 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3888	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 6464	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 6368	Thread sleep time: -1120000s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 6212	Thread sleep time: -39435s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6584	Thread sleep time: -41889s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6816	Thread sleep time: -46031s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe TID: 3596	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Code function: 13_2_02981476 GetSystemInfo,

13_2_02981476

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 40731	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 39435
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41889
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 46031
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000002.00000003.345072447.00000000051FB000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.351987466.0000000005528000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000002.00000003.345072447.00000000051FB000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.351987466.0000000005528000.00000004.00000001.sdmp	Binary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Swift Payment-3134101002.exe, 0000000D.00000003.344753637.0000000000B3C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle3Vc

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Memory written: C:\Users\user\Desktop\Swift Payment-3134101002.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Memory written: C:\Users\user\Desktop\Swift Payment-3134101002.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe	Jump to behavior
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp54AF.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5992.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpF33C.tmp'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Process created: C:\Users\user\Desktop\Swift Payment-3134101002.exe C:\Users\user\Desktop\Swift Payment-3134101002.exe

Source: Swift Payment-3134101002.exe, 0000000D.00000003.366405419.0000000005E7B000.00000004.00000001.sdmp	Binary or memory string: Program Manager&
Source: Swift Payment-3134101002.exe, 0000000D.00000003.318577979.0000000000B22000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498526319.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498526319.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498526319.0000000001410000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Swift Payment-3134101002.exe, 0000000D.00000002.504425651.0000000003200000.00000004.00000001.sdmp	Binary or memory string: Program ManagerL
Source: Swift Payment-3134101002.exe, 0000000D.00000003.491876524.0000000005E53000.00000004.00000001.sdmp	Binary or memory string: Program ManagerILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=DESKT
Source: Swift Payment-3134101002.exe, 0000000D.00000003.383325852.0000000005E50000.00000004.00000001.sdmp	Binary or memory string: Program ManagerFilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPA
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498526319.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Swift Payment-3134101002.exe, 0000000D.00000002.498526319.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Swift Payment-3134101002.exe, 0000000D.00000003.297068689.0000000000B44000.00000004.00000001.sdmp	Binary or memory string: Program ManagerT
Source: Swift Payment-3134101002.exe, 0000000D.00000003.344753637.0000000000B3C000.00000004.00000001.sdmp	Binary or memory string: Program Managert$
Source: Swift Payment-3134101002.exe, 0000000D.00000002.496739406.0000000000B21000.00000004.00000020.sdmp	Binary or memory string: Program ManagerOpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, Ge

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Code function: 13_2_0298366E GetSystemTimes,

13_2_0298366E

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Swift Payment-3134101002.exe, 0000000D.00000002.504778591.0000000003E0D000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502501954.0000000002CE1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d4c0e1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d4eacc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d530f5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Swift Payment-3134101002.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.Swift Payment-3134101002.exe.3d49c96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Payment-3134101002.exe PID: 5260, type: MEMORYSTR

Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02982A9E bind,		13_2_02982A9E
Source: C:\Users\user\Desktop\Swift Payment-3134101002.exe	Code function: 13_2_02982A4C bind,		13_2_02982A4C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools11	Input Capture11	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information2	Security Account Manager	System Information Discovery14	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Security Software Discovery11	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol11	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift Payment-3134101002.exe	100%	Avira	HEUR/AGEN.1105323
Swift Payment-3134101002.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe	100%	Avira	HEUR/AGEN.1105323
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	HEUR/AGEN.1105323
C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
24.0.dhcpmon.exe.d00000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
42.0.Swift Payment-3134101002.exe.5a0000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
10.2.Swift Payment-3134101002.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
13.0.Swift Payment-3134101002.exe.4d0000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
13.2.Swift Payment-3134101002.exe.4d0000.1.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
42.2.Swift Payment-3134101002.exe.5a0000.1.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
42.2.Swift Payment-3134101002.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.Swift Payment-3134101002.exe.3d47ab8.8.unpack	100%	Avira	TR/NanoCore.fadte	Download File
13.2.Swift Payment-3134101002.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.0.Swift Payment-3134101002.exe.c90000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
28.0.dhcpmon.exe.840000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
18.0.Swift Payment-3134101002.exe.860000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File
10.0.Swift Payment-3134101002.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1105323	Download File

Domains

Source	Detection	Scanner	Label	Link
yota890.hopto.org	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
yota890.hopto.org	7%	Virustotal		Browse
yota890.hopto.org	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
yota890.hopto.org	79.134.225.73	true	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
yota890.hopto.org	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://google.com	Swift Payment-3134101002.exe, 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.384602564.00000000047C1000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000003.345525440.00000000052EF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.352725391.0000000005619000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.385961451.00000000048FF000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.366083395.0000000007C54000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.73	yota890.hopto.org	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457985
Start date:	02.08.2021
Start time:	16:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift Payment-3134101002.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@37/38@16/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.8% (good quality ratio 12.4%) Quality average: 41.6% Quality standard deviation: 39%
HCA Information:	Successful, ratio: 100% Number of executed functions: 367 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:41:26	API Interceptor	667x Sleep call for process: Swift Payment-3134101002.exe modified
16:41:33	API Interceptor	152x Sleep call for process: powershell.exe modified
16:41:36	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Swift Payment-3134101002.exe" s>$(Arg0)
16:41:36	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:41:40	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:42:42	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
79.134.225.73	POS AUTO REJECT TRANSACTIONSxlsx.vbs	Get hash	malicious	Browse	subsnet.duckdns.org:35500/is-ready
	50Passagem 2.js	Get hash	malicious	Browse	accer.sytes.net:7974/Vre
	50Passagem 2.js	Get hash	malicious	Browse	accer.sytes.net:7974/Vre

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
yota890.hopto.org	Faktura-835382925.exe	Get hash	malicious	Browse	79.134.225.73
	New Order.exe	Get hash	malicious	Browse	79.134.225.73
	New Order July.exe	Get hash	malicious	Browse	79.134.225.73
	jtH33Uljkz.exe	Get hash	malicious	Browse	79.134.225.73
	JUBnIETj2h.exe	Get hash	malicious	Browse	79.134.225.73

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	NEW INQUIRY.exe	Get hash	malicious	Browse	79.134.225.95
	Order List.exe	Get hash	malicious	Browse	79.134.225.115
	RFQ 217563.exe	Get hash	malicious	Browse	79.134.225.116
	ORDER CONFIRMATION - 5309,pdf.exe	Get hash	malicious	Browse	79.134.225.76
	y7DZJshX9j.exe	Get hash	malicious	Browse	79.134.225.44
	SQycD6hL4Y.exe	Get hash	malicious	Browse	79.134.225.12
	TENDER INQUIRY REQUIREMENTS.exe	Get hash	malicious	Browse	79.134.225.95
	xwcTd7Kh9O.exe	Get hash	malicious	Browse	79.134.225.16
	RA1_20210729.exe	Get hash	malicious	Browse	79.134.225.98
	spworks.msi	Get hash	malicious	Browse	79.134.225.73
	spworks.msi	Get hash	malicious	Browse	79.134.225.73
	Request For Quotation.xlsx	Get hash	malicious	Browse	79.134.225.16
	Faktura-835382925.exe	Get hash	malicious	Browse	79.134.225.73
	Order List.gz.exe	Get hash	malicious	Browse	79.134.225.100
	doc_18000476456499946534.exe	Get hash	malicious	Browse	79.134.225.44
	Bh8aCXgJx4.exe	Get hash	malicious	Browse	79.134.225.22
	Resumen detallado del proveedor de 1302640 de solicitud de presupuesto.exe	Get hash	malicious	Browse	79.134.225.8
	Investment1FZELtd.exe	Get hash	malicious	Browse	79.134.225.35
	KRooWcCysc.exe	Get hash	malicious	Browse	79.134.225.25
	Request price for partsDP35212202122000.exe	Get hash	malicious	Browse	79.134.225.44

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1495040
Entropy (8bit):	7.453387490513826
Encrypted:	false
SSDEEP:	24576:J1oxcVmGXEzFfx8Dgkfx8DgT+rw8ojngl1F4aw1jhzxSbj5mZUYLL:cxQ+F58Dgk58DgJbIFYdxQj4ZUA
MD5:	3221D82B7169D545F01F2E2BA94ADE25
SHA1:	96326C074C61D3D176F4C6760CE5027B565FAD03
SHA-256:	41A5F782DA40BEA08F41A9510A299BFA071C7F84547085F65006C25002802449
SHA-512:	C3699599F6649AF0919906EA4CC40039C11C22D16A4FAE4CDAF23779A1811F405317B9058C3F7CBAA17340E0DAD261A3251700C2658F5E10F7AA76242FFD4B10
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a............................~.... ... ....@.. .......................@............@.................................0...K....@..,.................... ....................................................... ............... ..H............text........ ...................... ..`.sdata....... ......................@....rsrc...,....@......................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Swift Payment-3134101002.exe.log Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21692
Entropy (8bit):	5.3617502255191
Encrypted:	false
SSDEEP:	384:btL6sk2nTnOgRdEeexXn3YTxQ1pghV0J/3eSJMC3at:lkE9Rdr2P1pgT0pFMCg
MD5:	F26BD29FDBE62ADF1B27226C0BCA0F76
SHA1:	575CD4E74CADE25362041CD1D39D97D7FFA4B103
SHA-256:	5C6E29CAB2238370A0312DF7305EE77D37AD73208D5AA9CCE32847A240A24AE0
SHA-512:	7AE0DFAB07A0A0D9B809ECB2E9E2A9A0DDCC18948F3DF1F23D552A7792EB63BF9B8DC4609314006F46EB779446CCD32D1EB7B966A93E1F644D0473E28175C264
Malicious:	false
Reputation:	unknown
Preview:	@...e.....................3.d.[.....Q.{...v..........@..........D...............fZve...F.....x.)].......System.Management.AutomationH...............<@.^.L."My...:U..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F...]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD...............Microsoft.Management.Inf

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gdksdx4.dbh.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eh3vh0vl.a5b.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgq2ow1k.yiq.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft3s03ih.awi.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hikacsuv.u45.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjgrjvom.1cc.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj1llfos.ssx.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2i2gyxt.uiy.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtoebvt2.pqv.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnpzrqyn.exk.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp54AF.tmp Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1315
Entropy (8bit):	5.118105243297081
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Ppgqxtn:cbk4oL600QydbQxIYODOLedq3Sdj
MD5:	AED85AE1D81D0B7B27DC4BA30626540C
SHA1:	2D401295A809F8ED7669D7DB7D9B5D6EEB20BCD1
SHA-256:	F5EC002D41D0481CEE02B0205CE033460D998755D6B8E9FA9E60D5BE1636EBFA
SHA-512:	012F34354AC0A09E707A65B4F1AEC2D272F01BA81DFBFEFE6B5B8FD4E7EE373A006D7FF518E1C0A35EDE7792230C2B9C3102D8F65701053DFDD562CF3C1FC441
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp5992.tmp Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1649
Entropy (8bit):	5.171845576133123
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB9tn:cbhC7ZlNQF/rydbz9I3YODOLNdq31
MD5:	ABA8A7EB8FC293B45B8926B254C8545D
SHA1:	C265284659BCC0F1CA9EF728D93F050E6A0DB2FA
SHA-256:	46E944053EFBC4554B10F9C8187AEA3FD48BF87C4466E3F463ED803C55005F24
SHA-512:	8045D1CFE3CD98513A68C7698FA981CB6A3FA8161659FBEEA416FC923B01BB6AAABBEB9CA0F9F343C78371FE233D5D1333CA44D6A6FDD968AED8500C4291603B
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmpF33C.tmp Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1649
Entropy (8bit):	5.171845576133123
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB9tn:cbhC7ZlNQF/rydbz9I3YODOLNdq31
MD5:	ABA8A7EB8FC293B45B8926B254C8545D
SHA1:	C265284659BCC0F1CA9EF728D93F050E6A0DB2FA
SHA-256:	46E944053EFBC4554B10F9C8187AEA3FD48BF87C4466E3F463ED803C55005F24
SHA-512:	8045D1CFE3CD98513A68C7698FA981CB6A3FA8161659FBEEA416FC923B01BB6AAABBEB9CA0F9F343C78371FE233D5D1333CA44D6A6FDD968AED8500C4291603B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	838CD9DBC78EA45A5406EAE23962086D
SHA1:	C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256:	6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512:	F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:zgQt:UQt
MD5:	A4BBCDC296399DF2D741B81AC1F23823
SHA1:	DC25F6B400FFC462E07B540A9EF2AE0DDC65A244
SHA-256:	427760C35EEFFED1C016FAA83871E56BE306DF8AB2CF038969DBE4E5409550F9
SHA-512:	660A3A98791BDA9CC850E7233B4409CCC994749CE56EE780DEB491618850362A14A20A74371E9A072F3C2A54D847267CB2F19992ED86EA3049E0442047502DBE
Malicious:	true
Reputation:	unknown
Preview:	x$...V.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	unknown
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVnXygY6oRDT6P2bfVn1:RzWDT62DWDT621
MD5:	4315325323A62DE913E5CCD153817BCE
SHA1:	8B38155CD8ACB20BBA0C2A8AF02BFD35B15221A8
SHA-256:	E0C2085D878FDF53CD7D8F0AA9F07490802C51FC3C14A52B6FEA96AD0743C838
SHA-512:	B5036A6CD4852CEBCA86F588D94B9D58B63EB07B2F4DEBD38D5E1BE68B0BB62F82FA239673B6C08F432A28DD50E1D15773DC3738251BD2F9959F1255D72745EB
Malicious:	false
Reputation:	unknown
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Reputation:	unknown
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.702856968507876
Encrypted:	false
SSDEEP:	3:oNUWJRW2SSxPyuUA:oNNJA2lxPytA
MD5:	4597423D7779AE7F4FA8A6B862260DD2
SHA1:	745488A3ABF6049DE33048A5EDE992FE4270EFEB
SHA-256:	C7E01DA4600D50612BBDAB98A956011520318AD65E0450663E192B798B47CEE6
SHA-512:	A7CB95E50AEEA29743EE77230265EBA8B32391048CC445C717CA757A664B31710BA04A7C0F5A0FC85DA642149418380052DE9F90AC8FEF44BAE289F8F772AC70
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\Swift Payment-3134101002.exe

C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1495040
Entropy (8bit):	7.453387490513826
Encrypted:	false
SSDEEP:	24576:J1oxcVmGXEzFfx8Dgkfx8DgT+rw8ojngl1F4aw1jhzxSbj5mZUYLL:cxQ+F58Dgk58DgJbIFYdxQj4ZUA
MD5:	3221D82B7169D545F01F2E2BA94ADE25
SHA1:	96326C074C61D3D176F4C6760CE5027B565FAD03
SHA-256:	41A5F782DA40BEA08F41A9510A299BFA071C7F84547085F65006C25002802449
SHA-512:	C3699599F6649AF0919906EA4CC40039C11C22D16A4FAE4CDAF23779A1811F405317B9058C3F7CBAA17340E0DAD261A3251700C2658F5E10F7AA76242FFD4B10
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a............................~.... ... ....@.. .......................@............@.................................0...K....@..,.................... ....................................................... ............... ..H............text........ ...................... ..`.sdata....... ......................@....rsrc...,....@......................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210802\PowerShell_transcript.536720.IwZ5ajft.20210802164132.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5807
Entropy (8bit):	5.388031589896704
Encrypted:	false
SSDEEP:	96:BZu/ZN1qDo1Z2Zm/ZN1qDo1ZV71zjZM/ZN1qDo1ZFFCDDbjZJa:f
MD5:	508D96D6BBC567F1C717F2DC6C005DB3
SHA1:	F79EE77B4EC7C0B70A2094A8011D8A934300B1EA
SHA-256:	0228A771C8540238E866460D2A862F1BB611AEB315367227A4E46BD840EC919B
SHA-512:	71EF8C48192D588BB85865D36491068D031213767EF63F32902925CD43FDBD23123361B66920A1605B6AC97B3D98DC7F4CB7A1F2F621355F41D3C9BE9ECD8814
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802164132..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 536720 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..Process ID: 4500..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802164132..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..********************..Windows PowerShell transcript start..Start time: 20210802164626..Username: computer\user..RunAs User: DESKTOP-716

C:\Users\user\Documents\20210802\PowerShell_transcript.536720.JVTY2eBe.20210802164130.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3605
Entropy (8bit):	5.318356877927142
Encrypted:	false
SSDEEP:	96:BZe/ZN0vqDo1Z1w7Z0/ZN0vqDo1ZCqp8K0c8K0c8K08ZY:2ddy
MD5:	24FDE701767F202DCB517D8B148FC598
SHA1:	033DF7DE0AB2F439B2F5D6F4A30BDC67FEC8C3BA
SHA-256:	FBF84A2C356AA29CD560FA38DE81D50CC33F8CE3A6985F8A6E46C76FEB44A133
SHA-512:	2119D12A0E863F65DBE80184792E54019062676F8C9270F3514020B97B129F081BA27CA251E743B3A1AE274105F26C2C4AC4621173A4CD426492EF9312F3B5B5
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802164147..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 536720 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Swift Payment-3134101002.exe..Process ID: 2896..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802164147..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Swift Payment-3134101002.exe..******************..Command start time: 20210802164426..********************..PS>TerminatingError(Add-MpPreference): "A positional p

C:\Users\user\Documents\20210802\PowerShell_transcript.536720.K3SQstIa.20210802164132.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5807
Entropy (8bit):	5.392081511020278
Encrypted:	false
SSDEEP:	96:BZK/ZNOqDo1ZqZO/ZNOqDo1ZI71zjZ4/ZNOqDo1ZuCDD8ZL:0
MD5:	E00626F25F13D0C679ED820A84502AAE
SHA1:	79CF9942DB9C3A8EE6045622FA61DC1604EE6752
SHA-256:	9FD4C75E09295A278067F27BEB5C1D0A05A9E5506A7B2BBB7424D69E2F26E157
SHA-512:	3E71632F297843C3C17A5EAEE03F3FC5628AE08A66C2FF20D1D2FDB3DFEF93F7D1C907D2C8B4FB4D18A6D5FD2FF9806261EEF3C7AA80C4C50AF25CA79D1A6C3C
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802164150..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 536720 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..Process ID: 5908..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802164150..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..********************..Windows PowerShell transcript start..Start time: 20210802164543..Username: computer\user..RunAs User: DESKTOP-716

C:\Users\user\Documents\20210802\PowerShell_transcript.536720.b2b1JaRZ.20210802164247.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5807
Entropy (8bit):	5.392856142812632
Encrypted:	false
SSDEEP:	96:BZ6/ZNaqDo1ZGZ4/ZNaqDo1Z171zjZH/ZNaqDo1ZpCDDVZG:N
MD5:	B6101E7BB87EBD02C2932CDB18FF5DCD
SHA1:	BF3CE5A808786047C51D083A58E4DE817BC18886
SHA-256:	4C68AAE17234B6882FE9E870B581C54A467CDB459B4CF22C48BA2FAEB044BDFF
SHA-512:	5AAB833A179E998926C9EED67588977D4E8C50A1D1C702C797778A35F6515E9D6006C82EA7CE8F6CECB50BB2B337C6DB8DFBCB222643DAD888CA234F03707EBA
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802164248..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 536720 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..Process ID: 5492..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802164248..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe..********************..Windows PowerShell transcript start..Start time: 20210802164530..Username: computer\user..RunAs User: DESKTOP-716

C:\Users\user\Documents\20210802\PowerShell_transcript.536720.lMSIrPJI.20210802164243.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3605
Entropy (8bit):	5.319640725470849
Encrypted:	false
SSDEEP:	96:BZF/ZN0UqDo1ZCD7Za/ZN0UqDo1Zsqp8K0c8K0c8K0DZ8:HddZ
MD5:	0A5AB307A3F607F622B35D20BCE8D51D
SHA1:	54009D83A2E9FF991180BCBE72ED29A98FCFA66D
SHA-256:	8E7F0999A9C7E9E677B5F6517AC9C5A3FBE6D89FE7AACFD34E9A819D34A2A20E
SHA-512:	6E11A6DC2A6F1BA3295BC5E01734AAA10A936F65437E913AC8D718486E220B960A64D1C3D38CF0A0728D87D586AAA7B916CD8BDCC8BED10BE4CD4C22E9AF98F6
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802164245..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 536720 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Swift Payment-3134101002.exe..Process ID: 1692..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802164245..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Swift Payment-3134101002.exe..******************..Command start time: 20210802164517..********************..PS>TerminatingError(Add-MpPreference): "A positional p

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.453387490513826
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Swift Payment-3134101002.exe
File size:	1495040
MD5:	3221d82b7169d545f01f2e2ba94ade25
SHA1:	96326c074c61d3d176f4c6760ce5027b565fad03
SHA256:	41a5f782da40bea08f41a9510a299bfa071c7f84547085f65006c25002802449
SHA512:	c3699599f6649af0919906ea4cc40039c11c22d16a4fae4cdaf23779a1811f405317b9058c3f7cbaa17340e0dad261a3251700c2658f5e10f7aa76242ffd4b10
SSDEEP:	24576:J1oxcVmGXEzFfx8Dgkfx8DgT+rw8ojngl1F4aw1jhzxSbj5mZUYLL:cxQ+F58Dgk58DgJbIFYdxQj4ZUA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a............................~.... ... ....@.. .......................@............@................................

File Icon


Icon Hash:	b07968fcd4ec7090

Static PE Info

General
Entrypoint:	0x560c7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6107C205 [Mon Aug 2 09:59:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x160c30	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x164000	0xd62c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x172000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15ec84	0x15ee00	False	0.71893856319	data	7.48327692436	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0x162000	0x2e8	0x400	False	0.6943359375	data	5.88739726342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x164000	0xd62c	0xd800	False	0.708206741898	data	6.59783939226	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x172000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x1642b0	0x2e8	data
RT_ICON	0x164598	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x1646c0	0xea8	data
RT_ICON	0x165568	0x8a8	data
RT_ICON	0x165e10	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x166378	0x7228	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x16d5a0	0x25a8	data
RT_ICON	0x16fb48	0x10a8	data
RT_ICON	0x170bf0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x171058	0x84	data
RT_VERSION	0x1710dc	0x364	data
RT_MANIFEST	0x171440	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Casper College 2009
Assembly Version	1.0.0.0
InternalName	MessageEn.exe
FileVersion	1.0.0.0
CompanyName	Casper College
LegalTrademarks
Comments
ProductName	pacman2008_01
ProductVersion	1.0.0.0
FileDescription	pacman2008_01
OriginalFilename	MessageEn.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/02/21-16:41:47.058768	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	23890	192.168.2.5	79.134.225.73
08/02/21-16:41:51.890582	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49721	23890	192.168.2.5	79.134.225.73
08/02/21-16:41:56.612791	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:03.499938	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:10.415467	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:17.750707	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:24.307217	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:31.204864	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:37.998295	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:42.962502	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:50.403222	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	23890	192.168.2.5	79.134.225.73
08/02/21-16:42:56.846613	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	23890	192.168.2.5	79.134.225.73
08/02/21-16:43:04.763657	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	23890	192.168.2.5	79.134.225.73
08/02/21-16:43:11.242964	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	23890	192.168.2.5	79.134.225.73
08/02/21-16:43:17.840281	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	23890	192.168.2.5	79.134.225.73

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 16:41:41.102468967 CEST	49719	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:41.223292112 CEST	23890	49719	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:41.223434925 CEST	49719	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:42.116379976 CEST	49719	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:42.235563993 CEST	23890	49719	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:46.879225016 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.002904892 CEST	23890	49720	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:47.005089045 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.058768034 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.201020956 CEST	23890	49720	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:47.201179981 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.344614983 CEST	23890	49720	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:47.344969034 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.470158100 CEST	23890	49720	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:47.470269918 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:47.611408949 CEST	49720	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:51.768368959 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:51.888550997 CEST	23890	49721	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:51.890170097 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:51.890582085 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:52.033632040 CEST	23890	49721	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:52.034034014 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:52.154948950 CEST	23890	49721	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:52.155213118 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:52.275207043 CEST	23890	49721	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:52.277086020 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:52.353204966 CEST	49721	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:56.490068913 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:56.609842062 CEST	23890	49722	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:56.611378908 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:56.612791061 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:56.761554003 CEST	23890	49722	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:56.763268948 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:56.882885933 CEST	23890	49722	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:56.882985115 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:57.004029036 CEST	23890	49722	79.134.225.73	192.168.2.5
Aug 2, 2021 16:41:57.004761934 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:41:57.119256973 CEST	49722	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:01.996289015 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:02.114219904 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:02.114331961 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:03.499938011 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:03.690300941 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:03.744568110 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:03.755793095 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:03.873512030 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:03.873625040 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.192286015 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.192367077 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.513130903 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.513262033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.528002977 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.528079033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.528155088 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.528218985 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.646822929 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.646925926 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.647299051 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.647324085 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.647372007 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.647641897 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.647716045 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.765918970 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766108036 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766136885 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766168118 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766216040 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.766237020 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766283989 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.766307116 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.766356945 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766439915 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.766464949 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.766514063 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.766953945 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.767154932 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884423971 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884516954 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884541035 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884592056 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884707928 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884804010 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884809971 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884861946 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884891033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884921074 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884936094 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.884979010 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.884980917 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.885032892 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.885035992 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.885090113 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887645960 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.887768030 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.887784004 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887819052 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887829065 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.887881041 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.887897015 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887933016 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.887967110 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887970924 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.887989044 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.888073921 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.888192892 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.888242960 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:04.888252974 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:04.888324022 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.002455950 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002654076 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002685070 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.002712011 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.002729893 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002825975 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.002895117 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002952099 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002976894 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.002999067 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.003071070 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.003083944 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.003096104 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.003103018 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.003833055 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.003957033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.005738020 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.005949020 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006012917 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006130934 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006164074 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006186008 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006222963 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006376028 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006402969 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006424904 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006449938 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006484985 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006491899 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006495953 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006500959 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006505013 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006654978 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006680965 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006757975 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006781101 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006814003 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006825924 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006828070 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.006834030 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006839991 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.006912947 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.007500887 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.007528067 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.007601976 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.008266926 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.008289099 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.008296967 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.008342981 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.008801937 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.009354115 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.009505033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.009743929 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.009814978 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.009867907 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.009912968 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.009912968 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.009924889 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.009938002 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.009947062 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.010026932 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.010068893 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.010144949 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.010159016 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.010232925 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.120275021 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.120404005 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.120537996 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.120807886 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.120933056 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121000051 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121026039 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121052027 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121114016 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121167898 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121191978 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121211052 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121257067 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121354103 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121362925 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121444941 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121486902 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121723890 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121774912 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121798038 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121829987 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.121834040 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.121884108 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.122162104 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.122340918 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.123795033 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.123847961 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.124747992 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125061989 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125102043 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.125117064 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.125190020 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125221968 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125250101 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125304937 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.125315905 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.125325918 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.125364065 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125399113 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.125626087 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.126007080 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.126178980 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.126411915 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.126468897 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.127059937 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127130032 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127489090 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.127582073 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127613068 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127680063 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.127799034 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127835035 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127868891 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.127907991 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.127923965 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.127929926 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.128083944 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.128118992 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.128187895 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.128199100 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.128329992 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.128365040 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.128554106 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.128568888 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132200956 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132245064 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132278919 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132280111 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132297993 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132312059 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132335901 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132378101 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132399082 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132416010 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.132467985 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132474899 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132479906 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132484913 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.132489920 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.133987904 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134011030 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134107113 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134126902 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134287119 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134339094 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134403944 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134434938 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134457111 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134484053 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134680033 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134746075 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134799957 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134825945 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.134876966 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.134892941 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.237567902 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.238513947 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.238697052 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.239018917 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240076065 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240160942 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240235090 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240324020 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240478992 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240509033 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.240550995 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240572929 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240580082 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240585089 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240588903 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.240592957 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.243022919 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.243196964 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.244050026 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.244474888 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.244669914 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.244767904 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245073080 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245326996 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245495081 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245522976 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245623112 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245649099 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245727062 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245757103 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.245790958 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245811939 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245819092 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245824099 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245827913 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.245961905 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246061087 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246083021 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246383905 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246407986 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246433020 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.246464968 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.246479988 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.246484041 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.246489048 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.246587038 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.247028112 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.247127056 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.247159004 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.247234106 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.247251987 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.247258902 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.247911930 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.248281002 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.248591900 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.248645067 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.249511957 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.249542952 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.249600887 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.249730110 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.249783993 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.249865055 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.249914885 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.250000000 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.250238895 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.250588894 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.250617027 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.250720978 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.251353025 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.251457930 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.251912117 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252032995 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252043009 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252132893 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252198935 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252221107 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252335072 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252343893 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252345085 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252473116 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252481937 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252496004 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.252543926 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252562046 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.252629042 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.253128052 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.254026890 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254075050 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254111052 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254230022 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254307985 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254419088 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.254446030 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.254465103 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.254470110 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.254473925 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.355786085 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.355818033 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.355881929 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.355906963 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.357719898 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357748985 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357769966 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357842922 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357866049 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357954025 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.357985020 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.358006001 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.358011961 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.358015060 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.358757973 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.359699011 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.360765934 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.360843897 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.362610102 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.362662077 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.363071918 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.363198042 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.363832951 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.363864899 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.363898993 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.363908052 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.363930941 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.364022970 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.364049911 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.364074945 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.364116907 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.364140034 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.364156008 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.364227057 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.364238024 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.365214109 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.365708113 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.365772963 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.365940094 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.365962029 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.366029978 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366190910 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366221905 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366246939 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.366256952 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.366296053 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366343975 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366364002 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.366432905 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.366453886 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.366506100 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.367321968 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.367351055 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.367432117 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.368066072 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.368213892 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.368217945 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.368257046 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.368465900 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.368489027 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.368645906 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.370625973 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.370647907 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.370734930 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.370748997 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.370970011 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371033907 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371076107 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371167898 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371193886 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371222973 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371244907 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371279001 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371285915 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371393919 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371539116 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371562958 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371787071 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371804953 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371849060 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.371921062 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.371937990 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.372281075 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.372634888 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.372706890 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.372812033 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.372836113 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.372903109 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.372925043 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.373367071 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.373450041 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.474142075 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.474277020 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.474608898 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.474752903 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477158070 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477185965 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477227926 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477263927 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477298021 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477315903 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477319956 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477344036 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477394104 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477431059 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477473021 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477482080 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477484941 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.477518082 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.477608919 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.479424000 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.479873896 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.480038881 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.480814934 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481081963 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481095076 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.481137991 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481184959 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.481198072 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.481347084 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481380939 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481431007 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.481715918 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.482012033 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.482032061 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.482036114 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.482038975 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.482480049 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483334064 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483422995 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.483438969 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.483727932 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483791113 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483875990 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483949900 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.483994961 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.484038115 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.484052896 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.484055996 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.484059095 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.484061956 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.484199047 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.484349012 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.485302925 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.485743046 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.485785961 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.485831976 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.485851049 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.485855103 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.485857964 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.485861063 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.486041069 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.486084938 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.486109018 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.486531973 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.486546040 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.486548901 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.488265038 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.488394022 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.488631964 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.488711119 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.488806009 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.488845110 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.488892078 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.488903999 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489020109 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489121914 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489134073 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489173889 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489201069 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489217997 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489252090 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489335060 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489362955 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489381075 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489548922 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.489660025 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489684105 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.489969969 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.490216017 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.490359068 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.490822077 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.490957975 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.490968943 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.490983009 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.491044998 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.491187096 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.491370916 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.592139959 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.592174053 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.592231035 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.592250109 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.592662096 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.592690945 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.592741013 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.592756987 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.594299078 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.594729900 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.595046043 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595077038 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595163107 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.595169067 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.595181942 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595206022 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595227003 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595282078 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.595293045 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.595320940 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:05.595509052 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.902667046 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:05.904689074 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:06.022706985 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:06.114293098 CEST	23890	49723	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:06.114557981 CEST	49723	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.296081066 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.414402962 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:10.414511919 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.415467024 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.552833080 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:10.552988052 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.885859966 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:10.945205927 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:10.945779085 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.012649059 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.057667971 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.064879894 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.065072060 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.370186090 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.418247938 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.419759035 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.520719051 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.538608074 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.540419102 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.540592909 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.608676910 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.917519093 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:11.943125963 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:11.947174072 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.065110922 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:12.079818010 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.385889053 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.403230906 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:12.403326988 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.522046089 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:12.523190975 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:12.565674067 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.684009075 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:12.686815023 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:12.995318890 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:13.064858913 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:13.065924883 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:13.184092999 CEST	23890	49724	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:13.185472012 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:13.381319046 CEST	49724	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:17.620927095 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:17.742480040 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:17.745058060 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:17.750706911 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:17.889959097 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:17.890208960 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:18.208228111 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:18.208817959 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:18.403757095 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:18.411794901 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:18.732105017 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:18.735888004 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.063910007 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:19.067909002 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.224787951 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:19.225861073 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.553631067 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:19.555738926 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.673768044 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:19.674499989 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.793360949 CEST	23890	49726	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:19.794387102 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:19.857346058 CEST	49726	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.186310053 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.305896044 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:24.307183027 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.307216883 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.446599960 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:24.446685076 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.767206907 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:24.767317057 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:24.907422066 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:24.907856941 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:25.227267027 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:25.227435112 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:25.490340948 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:25.491177082 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:25.611469984 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:25.611629963 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.008706093 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:26.011143923 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.130964994 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:26.132765055 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.252116919 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:26.253659964 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.576756001 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:26.581258059 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.826392889 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:26.900264978 CEST	23890	49727	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:26.902415037 CEST	49727	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.004075050 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.202789068 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:31.203253031 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.204864025 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.340842962 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:31.341003895 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.660959005 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:31.662056923 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:31.779231071 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:31.779417992 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:32.098702908 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:32.104949951 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:32.417507887 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:32.417952061 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:32.648530006 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:32.648839951 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:32.967856884 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:32.967931986 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:33.148266077 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:33.148422956 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:33.243247032 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:33.266694069 CEST	23890	49735	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:33.269057035 CEST	49735	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:37.876663923 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:37.997323990 CEST	23890	49736	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:37.997565031 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:37.998295069 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:38.124388933 CEST	23890	49736	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:38.126398087 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:38.247947931 CEST	23890	49736	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:38.251878977 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:38.481816053 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:38.565804005 CEST	23890	49736	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:38.567574978 CEST	49736	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:42.750685930 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:42.872972012 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:42.873155117 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:42.962502003 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:43.104906082 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:43.105032921 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:43.433032990 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:43.433116913 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:43.597431898 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:43.598989010 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:43.915359974 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:43.915606976 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:44.241894007 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:44.241998911 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:44.363106012 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:44.363480091 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:44.484932899 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:44.485045910 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:44.804656982 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:44.804797888 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:44.926743984 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:44.926904917 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:45.046591997 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:45.046855927 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:45.364310026 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:45.364408970 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:45.660945892 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:45.683475971 CEST	23890	49737	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:45.684111118 CEST	49737	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.141360044 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.343683958 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:50.343854904 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.403222084 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.544680119 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:50.544794083 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.863137007 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:50.863264084 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:50.983911991 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:50.983994961 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:51.365494967 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:51.365669012 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:51.683042049 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:51.683121920 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:51.991492033 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:51.992862940 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:52.364027023 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:52.364371061 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:52.374149084 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:52.481992960 CEST	23890	49738	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:52.482443094 CEST	49738	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:56.634243965 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:56.802222013 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:56.802315950 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:56.846612930 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:57.008443117 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:57.008557081 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:57.342444897 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:57.342573881 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:57.462367058 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:57.514844894 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:57.619172096 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:57.938488960 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:57.938607931 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:58.058769941 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:58.058878899 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:58.443592072 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:58.443746090 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:58.567873001 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:58.608669996 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:58.728184938 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:58.780632973 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:59.320408106 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:42:59.641673088 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:42:59.641801119 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:00.043330908 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:00.043411970 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:00.322134018 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:00.443883896 CEST	23890	49739	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:00.443954945 CEST	49739	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:04.585262060 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:04.702776909 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:04.703212976 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:04.763657093 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:04.906183958 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:04.906380892 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.234399080 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.245815992 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.245917082 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.351510048 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.351689100 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.361751080 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.671931982 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.746329069 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.746733904 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.862926960 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.863013029 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.942560911 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.942673922 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:05.980159998 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:05.980283022 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.060180902 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:06.109313965 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.299267054 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:06.299381971 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.416296959 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:06.468722105 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.498786926 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.584986925 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:06.625014067 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.798593998 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:06.815774918 CEST	23890	49742	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:06.815891981 CEST	49742	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.053270102 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.241839886 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:11.242018938 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.242964029 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.384345055 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:11.384469032 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.761687040 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:11.761974096 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:11.882836103 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:11.883383036 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:12.201491117 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:12.201586962 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:12.522406101 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:12.522747993 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:12.543387890 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:12.594296932 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:12.642566919 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:12.642730951 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:12.981498003 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:12.981601954 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:13.239408970 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:13.239667892 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:13.359246016 CEST	23890	49743	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:13.359399080 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:13.422899961 CEST	49743	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:17.721836090 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:17.838838100 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:17.839157104 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:17.840281010 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:17.975315094 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:17.977508068 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:18.288166046 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:18.288448095 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:18.406133890 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:18.407108068 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:18.761904001 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:18.762670040 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:18.879869938 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:18.881386995 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:19.002818108 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:19.003010988 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:19.119896889 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:19.173188925 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:22.955609083 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:23.001393080 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:26.474283934 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:26.517374039 CEST	49744	23890	192.168.2.5	79.134.225.73
Aug 2, 2021 16:43:27.956149101 CEST	23890	49744	79.134.225.73	192.168.2.5
Aug 2, 2021 16:43:28.001821995 CEST	49744	23890	192.168.2.5	79.134.225.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 16:41:41.054807901 CEST	55016	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:41:41.091090918 CEST	53	55016	8.8.4.4	192.168.2.5
Aug 2, 2021 16:41:46.771965981 CEST	64345	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:41:46.809206009 CEST	53	64345	8.8.4.4	192.168.2.5
Aug 2, 2021 16:41:51.733905077 CEST	57128	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:41:51.766741991 CEST	53	57128	8.8.4.4	192.168.2.5
Aug 2, 2021 16:41:56.451141119 CEST	54791	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:41:56.488117933 CEST	53	54791	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:01.961852074 CEST	50463	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:01.994751930 CEST	53	50463	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:10.186383009 CEST	50394	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:10.218887091 CEST	53	50394	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:17.589596033 CEST	53813	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:17.618062019 CEST	53	53813	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:24.055679083 CEST	63732	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:24.091873884 CEST	53	63732	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:30.967924118 CEST	59261	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:31.002733946 CEST	53	59261	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:37.348054886 CEST	57151	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:37.381407976 CEST	53	57151	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:42.710858107 CEST	59413	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:42.748768091 CEST	53	59413	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:49.929044962 CEST	60516	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:49.962647915 CEST	53	60516	8.8.4.4	192.168.2.5
Aug 2, 2021 16:42:56.599541903 CEST	51649	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:42:56.631890059 CEST	53	51649	8.8.4.4	192.168.2.5
Aug 2, 2021 16:43:04.450381994 CEST	52929	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:43:04.485606909 CEST	53	52929	8.8.4.4	192.168.2.5
Aug 2, 2021 16:43:10.854367971 CEST	64317	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:43:10.892431021 CEST	53	64317	8.8.4.4	192.168.2.5
Aug 2, 2021 16:43:17.681235075 CEST	61004	53	192.168.2.5	8.8.4.4
Aug 2, 2021 16:43:17.716440916 CEST	53	61004	8.8.4.4	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 16:41:41.054807901 CEST	192.168.2.5	8.8.4.4	0xa7b8	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:46.771965981 CEST	192.168.2.5	8.8.4.4	0xdd89	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:51.733905077 CEST	192.168.2.5	8.8.4.4	0x7e1b	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:56.451141119 CEST	192.168.2.5	8.8.4.4	0xc259	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:01.961852074 CEST	192.168.2.5	8.8.4.4	0xfffe	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:10.186383009 CEST	192.168.2.5	8.8.4.4	0x1fe7	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:17.589596033 CEST	192.168.2.5	8.8.4.4	0x73ef	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:24.055679083 CEST	192.168.2.5	8.8.4.4	0x85d3	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:30.967924118 CEST	192.168.2.5	8.8.4.4	0xe93	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:37.348054886 CEST	192.168.2.5	8.8.4.4	0x1933	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:42.710858107 CEST	192.168.2.5	8.8.4.4	0x8906	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:49.929044962 CEST	192.168.2.5	8.8.4.4	0x57c	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:56.599541903 CEST	192.168.2.5	8.8.4.4	0x5926	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:04.450381994 CEST	192.168.2.5	8.8.4.4	0x430b	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:10.854367971 CEST	192.168.2.5	8.8.4.4	0xdf09	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:17.681235075 CEST	192.168.2.5	8.8.4.4	0xced8	Standard query (0)	yota890.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 2, 2021 16:41:41.091090918 CEST	8.8.4.4	192.168.2.5	0xa7b8	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:46.809206009 CEST	8.8.4.4	192.168.2.5	0xdd89	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:51.766741991 CEST	8.8.4.4	192.168.2.5	0x7e1b	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:41:56.488117933 CEST	8.8.4.4	192.168.2.5	0xc259	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:01.994751930 CEST	8.8.4.4	192.168.2.5	0xfffe	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:10.218887091 CEST	8.8.4.4	192.168.2.5	0x1fe7	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:17.618062019 CEST	8.8.4.4	192.168.2.5	0x73ef	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:24.091873884 CEST	8.8.4.4	192.168.2.5	0x85d3	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:31.002733946 CEST	8.8.4.4	192.168.2.5	0xe93	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:37.381407976 CEST	8.8.4.4	192.168.2.5	0x1933	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:42.748768091 CEST	8.8.4.4	192.168.2.5	0x8906	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:49.962647915 CEST	8.8.4.4	192.168.2.5	0x57c	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:42:56.631890059 CEST	8.8.4.4	192.168.2.5	0x5926	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:04.485606909 CEST	8.8.4.4	192.168.2.5	0x430b	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:10.892431021 CEST	8.8.4.4	192.168.2.5	0xdf09	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)
Aug 2, 2021 16:43:17.716440916 CEST	8.8.4.4	192.168.2.5	0xced8	No error (0)	yota890.hopto.org	79.134.225.73	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Swift Payment-3134101002.exe PID: 896 Parent PID: 5768

General

Start time:	16:41:11
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Imagebase:	0xc90000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2896 Parent PID: 896

General

Start time:	16:41:27
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Imagebase:	0xf50000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3228 Parent PID: 2896

General

Start time:	16:41:28
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5908 Parent PID: 896

General

Start time:	16:41:28
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Imagebase:	0xf50000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2952 Parent PID: 5908

General

Start time:	16:41:29
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5452 Parent PID: 896

General

Start time:	16:41:29
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9EC.tmp'
Imagebase:	0x12b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3888 Parent PID: 5452

General

Start time:	16:41:29
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4500 Parent PID: 896

General

Start time:	16:41:30
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Imagebase:	0xf50000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: Swift Payment-3134101002.exe PID: 5848 Parent PID: 896

General

Start time:	16:41:31
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Imagebase:	0xa0000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 980 Parent PID: 4500

General

Start time:	16:41:30
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Swift Payment-3134101002.exe PID: 5260 Parent PID: 896

General

Start time:	16:41:32
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Imagebase:	0x4d0000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.504645095.0000000003D3A000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.492657764.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.502833366.0000000002D3D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5872 Parent PID: 5260

General

Start time:	16:41:35
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp54AF.tmp'
Imagebase:	0x12b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1188 Parent PID: 5872

General

Start time:	16:41:36
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6172 Parent PID: 5260

General

Start time:	16:41:36
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5992.tmp'
Imagebase:	0x12b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Swift Payment-3134101002.exe PID: 6208 Parent PID: 904

General

Start time:	16:41:37
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Swift Payment-3134101002.exe' 0
Imagebase:	0x860000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6236 Parent PID: 6172

General

Start time:	16:41:37
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6580 Parent PID: 904

General

Start time:	16:41:41
Start date:	02/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xd00000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6812 Parent PID: 3472

General

Start time:	16:41:45
Start date:	02/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x840000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: powershell.exe PID: 1692 Parent PID: 6208

General

Start time:	16:42:41
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Swift Payment-3134101002.exe'
Imagebase:	0xf50000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 2248 Parent PID: 1692

General

Start time:	16:42:42
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 1332 Parent PID: 6208

General

Start time:	16:42:42
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPiUrUItCGsY' /XML 'C:\Users\user\AppData\Local\Temp\tmpF33C.tmp'
Imagebase:	0x12b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6740 Parent PID: 1332

General

Start time:	16:42:43
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5492 Parent PID: 6208

General

Start time:	16:42:44
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TPiUrUItCGsY.exe'
Imagebase:	0xf50000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: Swift Payment-3134101002.exe PID: 5436 Parent PID: 6208

General

Start time:	16:42:46
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Swift Payment-3134101002.exe
Imagebase:	0x5a0000
File size:	1495040 bytes
MD5 hash:	3221D82B7169D545F01F2E2BA94ADE25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000002A.00000002.453841025.0000000002D01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000002A.00000002.446482666.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000002A.00000002.453923165.0000000003D01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: conhost.exe PID: 5076 Parent PID: 5492

General

Start time:	16:42:45
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 2896 Parent PID: 896 powershell.exeCOMMON

Executed Functions

Function 00AFD006, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.379409016.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7e61784de4162e4e8cf435ce514d683212482da87bfcf8e51eea220cf0e254
Instruction ID: cd985aeace3644542f3d375d57306d693afcd6df45f81f4eac0ebdb1f87007ec
Opcode Fuzzy Hash: 4d7e61784de4162e4e8cf435ce514d683212482da87bfcf8e51eea220cf0e254
Instruction Fuzzy Hash: F2014C6140E3C45FD7138B258C94B62BFB4EF43224F0981DBE9859F2A3C2695848C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.379409016.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a961b0e2d5071540e8243111993b8b6641847edd0f36d5fe5f03f0d6045bf2fb
Instruction ID: 0b9c7e830b1a24a1645313af38e667bdf76fbfdac02d93a0f54d55b60b48be06
Opcode Fuzzy Hash: a961b0e2d5071540e8243111993b8b6641847edd0f36d5fe5f03f0d6045bf2fb
Instruction Fuzzy Hash: 4901F771408348AEE7214B66C8C4776BB99EF45364F18C11AFE0A5B287C7799905C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Swift Payment-3134101002.exe PID: 5260 Parent PID: 896 Swift Payment-3134101002.exeCOMMON

Executed Functions

Function 0292B3E8, Relevance: 2.2, Strings: 1, Instructions: 950COMMON

Download Yara Rule

Strings

r, xrefs: 0292BF0C

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e3f9b690be5c960ce841875f0308852113231c06f2b1f1ca614751415162e947
Instruction ID: 703adf0f32a5412461ac9e6b99bccf858bbe25df40e2555cebba9f1262954f15
Opcode Fuzzy Hash: e3f9b690be5c960ce841875f0308852113231c06f2b1f1ca614751415162e947
Instruction Fuzzy Hash: 62925771A0061ACFCB14CF68C490BADBBF2FF88318F158669D45AAB655D734E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02982A4C, Relevance: 1.6, APIs: 1, Instructions: 95networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982AFF

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: bd679b605f2602a377d32abd088991a9b7ca72224cb22e8eba8fa294a24fffc6
Instruction ID: 52c13141456459c29980d7e09e11d8349b8d92859ca1b4af523df87ac9b51389
Opcode Fuzzy Hash: bd679b605f2602a377d32abd088991a9b7ca72224cb22e8eba8fa294a24fffc6
Instruction Fuzzy Hash: 8F317CB150A3C05FE7138B248C55B56BFB8AF07610F0984DBE985CF1A3D2249849CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02981717, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02981797

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d6172c6e5726fd6d5555ef3bbbd9181ca2de8ec6860bddb79c0aeba1a74c938a
Instruction ID: e59eeed2aada2049867cedb367a3393c65505cead46c74d196605fee59a29729
Opcode Fuzzy Hash: d6172c6e5726fd6d5555ef3bbbd9181ca2de8ec6860bddb79c0aeba1a74c938a
Instruction Fuzzy Hash: A621A1755097849FDB128F25DC40B52BFB8EF06210F0884DAE9898F563D374D918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02982F5A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982FCA

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 71a1da19431264f71d40e1d70d33e6d48ed85acbc580a67d7b729c89142872b6
Instruction ID: af6e2b3eee10dff8ace71d692ad65e31ea8ee2ee4a3a05a9c0130244dae7e7ef
Opcode Fuzzy Hash: 71a1da19431264f71d40e1d70d33e6d48ed85acbc580a67d7b729c89142872b6
Instruction Fuzzy Hash: 7511E4B1800204AFEB21DF55DC41FA6FBACEF08710F0488AAED458B151D374E445CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02981953, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 029819C9

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 91bf3a7f19b8aa734133049398c9ff84a3d65e8154ff2543f46d1bccd293e9f1
Instruction ID: 3f96d55dec6b48677852bdaa48d8f9fcafeef328b92f2b908cfd8a46dbe586d3
Opcode Fuzzy Hash: 91bf3a7f19b8aa734133049398c9ff84a3d65e8154ff2543f46d1bccd293e9f1
Instruction Fuzzy Hash: D221AE724097C4AFDB238B20DC41A62FFB4EF16214F0D80DBE9848B563D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02982A9E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982AFF

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 8e8f7b613b5a3765a27aea0794a85b00c2c64246fe7cd703eaca749f626f56a9
Instruction ID: 8275a3240b1a989fa59a7c1814b1896b1c25414cfe16a8da20beee43b89f5ce5
Opcode Fuzzy Hash: 8e8f7b613b5a3765a27aea0794a85b00c2c64246fe7cd703eaca749f626f56a9
Instruction Fuzzy Hash: B011BFB1900244AEEB20DF65DC85FA6FBECEF44720F1884AAED499B241D374E845CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0298174E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 02981797

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 05b5a538d349badf1ce30aaba5624c4d54cd018921932e09c75147926c67e5ea
Instruction ID: f95fc75e12f597f35443750c57634489a1e9129a9b5b5fea13b123c0a2a80d0c
Opcode Fuzzy Hash: 05b5a538d349badf1ce30aaba5624c4d54cd018921932e09c75147926c67e5ea
Instruction Fuzzy Hash: A7117C759006449FDB20DF55D884B66FBE8EF08220F08C4AEED8A8BA12D375E459DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0298366E, Relevance: 1.5, APIs: 1, Instructions: 41timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 029836A6

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 02b47aa03539bca30201779274dc769beb2c9b731259e5bae766130cafd2859c
Instruction ID: 1e4c601f396abc6d3b2cfb853cc8920536b2694f01dfddd45934ec22a2065b71
Opcode Fuzzy Hash: 02b47aa03539bca30201779274dc769beb2c9b731259e5bae766130cafd2859c
Instruction Fuzzy Hash: B001DF719006448FDB209F19D885B65FBA4EF04720F0CC0EADE4A4B711D375E848CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02981476, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 029814A8

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3422272b4aad0932d51ceaa8d766b3f47310381932d310a3f7600875637aeae9
Instruction ID: 60e4b0eb4fabed296fa3651fa7a28e6d5cd28b173998313e561997ecd31bcf51
Opcode Fuzzy Hash: 3422272b4aad0932d51ceaa8d766b3f47310381932d310a3f7600875637aeae9
Instruction Fuzzy Hash: 44016D759042449FDB10DF26D884B65FBA4EF44220F18C4EADD4D8F646D379A845CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0298198E, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 029819C9

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 4e590579c9685bd533188ab4b0300f105500b9f897dcf42715e270677432e3fd
Instruction ID: 192e871a26595c25304ad919ad3cc3d788d2a10dd05f24905ced916d7eac5987
Opcode Fuzzy Hash: 4e590579c9685bd533188ab4b0300f105500b9f897dcf42715e270677432e3fd
Instruction Fuzzy Hash: 9501AD318006449FDB209F49E884B25FFA4EF48320F18C49ADE8A4B616D376A459DF72

Uniqueness

Uniqueness Score: -1.00%

Function 02928B88, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ef0646fec87b5b61b5a6bdbe0b8c91126ce5e51276e525b5895b3c9de92e81
Instruction ID: c0e727711281946a016ca1ebe27688e079f83241de602f94c4590412aba52c17
Opcode Fuzzy Hash: 15ef0646fec87b5b61b5a6bdbe0b8c91126ce5e51276e525b5895b3c9de92e81
Instruction Fuzzy Hash: D3129A70E05229CFD714EF69D48476DBBB2FF84304F24896AD4269B289DB749C49CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02923850, Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ffbfc6834f40d8e21122b5e6748a2c2f752f3082c59488003adf8550778e8e
Instruction ID: e3c23905e81dbea570786f1eb4b6df99ff8c5219d31acd933a751eeb13ef80b1
Opcode Fuzzy Hash: c7ffbfc6834f40d8e21122b5e6748a2c2f752f3082c59488003adf8550778e8e
Instruction Fuzzy Hash: 5EF12771A04225DFCB15CF68C8445BDBBB6FF85300B1984EAD805AF219C779DC4ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 02929788, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6192d067d0b340392f7ed404496067344e7f966691549b1a345e33cd889756fd
Instruction ID: 9724f2257978b4d5f3177eb5f343353d7af8e1070f5670defe66fa902998f5d7
Opcode Fuzzy Hash: 6192d067d0b340392f7ed404496067344e7f966691549b1a345e33cd889756fd
Instruction Fuzzy Hash: B4816F71F011259FE714DB69D880A6EB7E3AFC4310F2A8475E81AEB359DE319C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02922FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3ae90bea1087c214346c1e0753ce879d0cbc8751bd71857d7a5bc4cb5a21f0
Instruction ID: 5868fb37858634d8aece77320eaf7134be1bc32c251215cd496076afb854835b
Opcode Fuzzy Hash: 0f3ae90bea1087c214346c1e0753ce879d0cbc8751bd71857d7a5bc4cb5a21f0
Instruction Fuzzy Hash: CA818C71F011259FD704DB69D890A6EBBE3AFC8310F2A84B5E806EB359DE359C05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0292984F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4eaff9a6e3f0084a63f82c9683649c821cfa08b5518a26b93a0eb6927e2def
Instruction ID: 0afb91c6f13ef3caf1706a8bad5d064b84290153d3dfd76a5521e9476d672feb
Opcode Fuzzy Hash: 1b4eaff9a6e3f0084a63f82c9683649c821cfa08b5518a26b93a0eb6927e2def
Instruction Fuzzy Hash: 07511B72F015259FD714DB6DC880A5EB7E3AFC4310F2A8175E419EB369DE359D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0292F320, Relevance: 8.0, Strings: 6, Instructions: 467COMMON

Download Yara Rule

Strings

X1#r, xrefs: 0292F5EE
0"r, xrefs: 0292F68C
,:#r, xrefs: 0292F4AB
0"r, xrefs: 0292F682
,:#r, xrefs: 0292F4B5
X1#r, xrefs: 0292F5F8

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: ,:#r$,:#r$0"r$0"r$X1#r$X1#r
API String ID: 0-1141016533
Opcode ID: f087b269192245e7468f84c98cfd9eed278f88bb9f311765566c5f981f465498
Instruction ID: dd5dcf8fe01333ee27092f5cd9b7f9c769638ee634ee3a61c32d1a30e2a9815d
Opcode Fuzzy Hash: f087b269192245e7468f84c98cfd9eed278f88bb9f311765566c5f981f465498
Instruction Fuzzy Hash: 65126034A00220DFC724DF68C584A697BF6FF88311F268499E8469F769CB75EC85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 029209A0, Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

X1#r, xrefs: 02920A50
X1#r, xrefs: 02920A98
X1#r, xrefs: 02920A5A
X1#r, xrefs: 02920AA2

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: X1#r$X1#r$X1#r$X1#r
API String ID: 0-1348021360
Opcode ID: 5c64b70661af5faf967e106c72b137a5a97abfb7cccd2edcd169f9c593a76d19
Instruction ID: 77b9219b461847fe60b77ace30c0655dc72f50e409257f3ec08fce4d34992db8
Opcode Fuzzy Hash: 5c64b70661af5faf967e106c72b137a5a97abfb7cccd2edcd169f9c593a76d19
Instruction Fuzzy Hash: 2F41D531B00215EFCB15DB68D888AAEB7F2FF84300F158469E5469B365DB71AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029243C0, Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

X1#r, xrefs: 029243A2
X1#r, xrefs: 029243AC

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: X1#r$X1#r
API String ID: 0-3249040823
Opcode ID: bb7e43eebec799f82dcca67be0c194d68c86759050d2f1f0d84d927b17892fdd
Instruction ID: a9f3e8759a36e483e2f6360d710b7e3dc35c09f7b58aab96cbd25933b7405f08
Opcode Fuzzy Hash: bb7e43eebec799f82dcca67be0c194d68c86759050d2f1f0d84d927b17892fdd
Instruction Fuzzy Hash: CA41CE31600214DFCB01EF68ED449AD7BB2FF8531471984A9E406DB37ACB31AD5ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029212A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g r, xrefs: 02921349

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: 5eed36c50ab51e3f7e997bb91026ebff287e3dfa42c42ccd674a46cb28e41e8d
Instruction ID: 66723dd65f1d27f748e643b476fd898e34076f31015d28c8ad3da5b683a6c845
Opcode Fuzzy Hash: 5eed36c50ab51e3f7e997bb91026ebff287e3dfa42c42ccd674a46cb28e41e8d
Instruction Fuzzy Hash: B922E634A00615CFCB24DF28C490A6ABBF2FF88300F1485A9D85A9B75ADB35ED55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02981AD4, Relevance: 1.6, APIs: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 02981BCA

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2c807a50ad9a5435a5b2e8db9d07077b5ec932622c07663cad9d09f54afcb35b
Instruction ID: e157163dcb70f0e4ee57d285f0a72fcc52d05ba669c32cdac805e0b2492551b7
Opcode Fuzzy Hash: 2c807a50ad9a5435a5b2e8db9d07077b5ec932622c07663cad9d09f54afcb35b
Instruction Fuzzy Hash: 5D41046540E7C05FD3138B358C61A61BFB4EF47614B0E85CBD884CF5A3E259590AC772

Uniqueness

Uniqueness Score: -1.00%

Function 029810B8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0298115B

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1dc21a08cb4d895865021e800ba9d19ef74cd52c04040e2adc4aba598c5db407
Instruction ID: 4bbb73ff6e1fdd5496fcb5c7b2fb6df6cbbe0fec4ec458a6de66870dc8f150e4
Opcode Fuzzy Hash: 1dc21a08cb4d895865021e800ba9d19ef74cd52c04040e2adc4aba598c5db407
Instruction Fuzzy Hash: 0A31D3725043446FEB228B25CC44FA7BFACEF05310F0888AAF985CB152D324A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02980390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0298045E

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 51135e20f4eabd1c12c6d597ae5e0f7e147e354e963d14506cf3ccdf9c5cadff
Instruction ID: c06b9eba30f001df65aa42380982ccfb3bf15c5feb914fc7b70a497c38726eb1
Opcode Fuzzy Hash: 51135e20f4eabd1c12c6d597ae5e0f7e147e354e963d14506cf3ccdf9c5cadff
Instruction Fuzzy Hash: 7331C4B10043446FEB228F21CC41FA6FFB8EF06710F04859EFA858B192D365A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02980E58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 02980F1A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 2ee5fdc8583bc7f586167aab1f3eccbc0bccff802f157849b86932d21299bc38
Instruction ID: 6b97714b65fff53090f0d254a3653d2f68b2d8b89a163b1a367514e7fc4fbb3b
Opcode Fuzzy Hash: 2ee5fdc8583bc7f586167aab1f3eccbc0bccff802f157849b86932d21299bc38
Instruction Fuzzy Hash: 1F315C7140E3C05FD7038B258C51B62BFB4EF47610F0E85DBD9848F5A3D225A81AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029807F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02980899

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea057024e69976667323aee6ce96ba72e5c19a9fb53e6af01b2ee863b434d67f
Instruction ID: ebadd5bf8e0e1124eb225848fcbee254c87c1b63dd3428f375c40fd1f39f0e20
Opcode Fuzzy Hash: ea057024e69976667323aee6ce96ba72e5c19a9fb53e6af01b2ee863b434d67f
Instruction Fuzzy Hash: 8031AFB1505380AFE722CF25CC44F66BFE8EF05610F0884AEE9858B252D375E849DB71

Uniqueness

Uniqueness Score: -1.00%

Function 029827D4, Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982871

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a9ccdf3de219e3e6d96921b6abbe45f9997e937d3cb29476df69d77c2b8151fa
Instruction ID: 13948c7c8c301744a09504d084807f94fde7554d89ced6d67d8831dae387a0a1
Opcode Fuzzy Hash: a9ccdf3de219e3e6d96921b6abbe45f9997e937d3cb29476df69d77c2b8151fa
Instruction Fuzzy Hash: 8331C5725093806FEB128B25DC45BA6BFB8EF06710F0884EBE985DB153D224A845CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029831E9, Relevance: 1.6, APIs: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 0298329D

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 68a1731528b74194ccaf68847f0466f6db444554a3900cb56e55bd238c00dffc
Instruction ID: 28251e95be75e8f1995e7f0e436196526405c911f0933540c59fb6b321f1bf01
Opcode Fuzzy Hash: 68a1731528b74194ccaf68847f0466f6db444554a3900cb56e55bd238c00dffc
Instruction Fuzzy Hash: 1A317F7250E3C45FD7039B358C61A66BFB4EF47610F0A80DBD985CF2A3E6246919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029811B9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298125C

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: ac214d4cd8436c8c9200cbdc63c30cb8f29543432013d0772ca46dea0475205b
Instruction ID: 7d526bcd65baa042004f7e14c456b085878285b4aeab038661dbd2ff4deb8afe
Opcode Fuzzy Hash: ac214d4cd8436c8c9200cbdc63c30cb8f29543432013d0772ca46dea0475205b
Instruction Fuzzy Hash: EA31E3715093806FEB12CB25DC55FA6BFB8EF46710F0984DBE984CF1A3D224A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029800F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0298019D

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8ac5b69fc0372097808280d24720e357cb9d54d141f574adfec9039d676e8d2b
Instruction ID: 677548e93b7eba317f0a29cb581d52c7dfb1a5e01c475b71e16cef58db0e5aba
Opcode Fuzzy Hash: 8ac5b69fc0372097808280d24720e357cb9d54d141f574adfec9039d676e8d2b
Instruction Fuzzy Hash: 8A3191715097806FE712DB25DC85B66FFF8EF06210F0884AAE985CB293D374E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02982C37, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982CDD

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 4e54679274f2d3c3bfef731cf00c0263956b1f1be3fffb725eda2edc62ea7818
Instruction ID: 64cb65992017df3573092450847c47864eb552aa5e16f7055cf8e7a3060429f8
Opcode Fuzzy Hash: 4e54679274f2d3c3bfef731cf00c0263956b1f1be3fffb725eda2edc62ea7818
Instruction Fuzzy Hash: 5E31A071409384AFEB12CF25DC55BA6BFB8EF06310F0884DBE9848B153D325A549CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02982368, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0298241A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: fb9869b4f4c0978b950200428ac54cd7be8298219f9bd547a021f5f3d58f5b03
Instruction ID: 6fbf7e77c1c0eba01e03031ada7ebeadc011e35dbb22e15a4a826788fe5dcd95
Opcode Fuzzy Hash: fb9869b4f4c0978b950200428ac54cd7be8298219f9bd547a021f5f3d58f5b03
Instruction Fuzzy Hash: 0F31C4B2404784AFE722CB15DC45F56FFF8EF06320F08859AE9848B252D365A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029804AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298055C

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6249779be79e5edb61b77fc62f742f4f877f16b5ede076241762cbe06e77e612
Instruction ID: 51903304d673a08d41542c2450a34b8ae32840790a0af9b552acdeadca8393c3
Opcode Fuzzy Hash: 6249779be79e5edb61b77fc62f742f4f877f16b5ede076241762cbe06e77e612
Instruction Fuzzy Hash: FC31B1715097846FD722CB25DC44B92BFF8EF06710F0C85DAE9858B1A2D324E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029810DE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0298115B

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 419b742415388a8919a0ac67d2960a8ac5922694912537f4791c41ca5814aa9c
Instruction ID: 44b21adf6954b744db1d7fe3c8309cd6d486261f3075b3afc5dcab07e92728a4
Opcode Fuzzy Hash: 419b742415388a8919a0ac67d2960a8ac5922694912537f4791c41ca5814aa9c
Instruction Fuzzy Hash: 6321C172500204AFEB219F65DC45FAAFBACEF04310F04886AED46CB651D730A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02982E41, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982ED6

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: b728c2a621dff26653626bb03c3d7bead163269820583a6967b4f793a18fc084
Instruction ID: af889086d0d2445c558e0f1dd1bee9f89ca55c1113c2a08f253a21464a8cdd75
Opcode Fuzzy Hash: b728c2a621dff26653626bb03c3d7bead163269820583a6967b4f793a18fc084
Instruction Fuzzy Hash: 7F219CB2404244AEEB228F55DC40FA6BFACEF45710F0889AAF9859B152D234A449DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029802AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02980353

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 52434a26184ba5e78b36d2e822e5798a2ea9def090dfa2ec62688c0087dad26a
Instruction ID: fca000a609192ab921ec0ecae727a8e9f6940bd8c6cf2d7922aa0bf82cd6795e
Opcode Fuzzy Hash: 52434a26184ba5e78b36d2e822e5798a2ea9def090dfa2ec62688c0087dad26a
Instruction Fuzzy Hash: 4421A6714097846FEB228B11DC41FA6BFB8EF06710F0884DAE9858B192D265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029833C9, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 0298346F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6941dbb02bfabbe4212c6aaaafa99d3a4c01be3fc68aaf047e54610bab86ec98
Instruction ID: f85ccbf9dfec711033ae1b2f478871fa218ef3663effa6fad9f4fdfa6924635a
Opcode Fuzzy Hash: 6941dbb02bfabbe4212c6aaaafa99d3a4c01be3fc68aaf047e54610bab86ec98
Instruction Fuzzy Hash: 8421F5714013446FF7229B15CC85F62FFACEF46B20F18809AFD459B192D364A949CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0298310B, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298319F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 5fc16cf108624954d30ea5c0fe7ee69afa22bcf14c7abd1f64eb9fa5213edcef
Instruction ID: 18df6314e0b82fa3bb3e15a4a2a0b59ee27b376122649f055c85335b1abdf79a
Opcode Fuzzy Hash: 5fc16cf108624954d30ea5c0fe7ee69afa22bcf14c7abd1f64eb9fa5213edcef
Instruction Fuzzy Hash: B721D1B14097846FEB12CB24DC55B96BFB8EF06710F0884DBE9848F153D274A549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02982286, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02982311

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3b7e79a76cf66c1ebe11c4bc18c2d8772fd9fe9135463e27ac091723d6e66462
Instruction ID: 418166d6a4642103021aaba789f98db356b3f10ee685899f3b12454313191b98
Opcode Fuzzy Hash: 3b7e79a76cf66c1ebe11c4bc18c2d8772fd9fe9135463e27ac091723d6e66462
Instruction Fuzzy Hash: 0D21A3715053806FE721DF25CC45F66FFA8EF05610F0884AEED858B252D375A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029808F0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980985

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f12a26d668e775e7b6347cfc05eb0b23ec4ec730a8b0291058f76f844251d365
Instruction ID: c4f1512940d8410038bd97e80a633112735ac797c2f6cbc8263e73cb46f258b4
Opcode Fuzzy Hash: f12a26d668e775e7b6347cfc05eb0b23ec4ec730a8b0291058f76f844251d365
Instruction Fuzzy Hash: D721F8B54097846FE712CB25DC51BA2BFB8EF46720F1880DAED848B153D224A949C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 02981BF6, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 02981C82

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 65a6d1d72a38bda97294e571ca77be672e80228470fa0e0026520154724e13f7
Instruction ID: 1c6dabb8f82b6285dcb3f97caa1422a961d6caa8b9971850a155c08ed4f31d9b
Opcode Fuzzy Hash: 65a6d1d72a38bda97294e571ca77be672e80228470fa0e0026520154724e13f7
Instruction Fuzzy Hash: 8621AD72405780AFE722CF65DC44F56FFB8EF05310F08849EEA898B652D375A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02982F3A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982FCA

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: c9b4ca11998e0216f381dc506786e8a2c25e6ce9c69eb587fb89d6ff31d52241
Instruction ID: da734d4ad5116a7c1dedfca22b2aa67d2e931b572047e292891ce50c94044dfb
Opcode Fuzzy Hash: c9b4ca11998e0216f381dc506786e8a2c25e6ce9c69eb587fb89d6ff31d52241
Instruction Fuzzy Hash: 38219CB2404344AFEB228F55DC45FA6BFB8EF05710F0884AAE9859B152D234A449CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0298081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02980899

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 14d20ed4bd9ae08fda340c12fd1c02a88a506b578ca3d0362e3b5b8964e031dc
Instruction ID: bd4c5bfc7517a475aad74faaa4db31679532f4c9db851bf84b94085de5b04c94
Opcode Fuzzy Hash: 14d20ed4bd9ae08fda340c12fd1c02a88a506b578ca3d0362e3b5b8964e031dc
Instruction Fuzzy Hash: A421AF71500744AFEB21EF65CC45B6AFBE8EF08710F18846EE9858B652D376E448CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029803CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0298045E

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1b030fbf9f2b04cddd256cbaa6e509935dc4f61373e9c381882178c6a8328178
Instruction ID: 99521397ac566567ad4375a2123e981e3b4ff2d16a0115a605569521b262c266
Opcode Fuzzy Hash: 1b030fbf9f2b04cddd256cbaa6e509935dc4f61373e9c381882178c6a8328178
Instruction Fuzzy Hash: 8121C571500204AEFB219F15DC41FB6FBACEF04710F14895AFE468A291D771A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029809C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980A51

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 17412c05167d0499be7106c5f944cebbb2bab9bb90ddccc091e67c9a5a52f48b
Instruction ID: fa20f612f9eb200acc84e20896be644124acd6ba568af90c6bc0c2e5a31a2fc0
Opcode Fuzzy Hash: 17412c05167d0499be7106c5f944cebbb2bab9bb90ddccc091e67c9a5a52f48b
Instruction Fuzzy Hash: 242192714093846FEB228F25DC45F56BFB8EF46714F0884DBE9848B153C274A449CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02980D79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980E10

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: adcf6578405301dc4e45ee2152a9cf9eab4fc8916b879feabc8b569424e25bd3
Instruction ID: 688b0bc5fd5cc9cdad2700183c9f42d3ee1b65e1c324e8706a0e2b773b8050c4
Opcode Fuzzy Hash: adcf6578405301dc4e45ee2152a9cf9eab4fc8916b879feabc8b569424e25bd3
Instruction Fuzzy Hash: 2721CFB2504740AFE7228F15CC81F67BFBCEF05710F08849AE9859B292D320E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0298012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0298019D

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a9a5beddd46253254eb858247f4ab8be6cd54bdcc6464c3daed5bae84e9a7bdc
Instruction ID: c5d513fd6c3b71d5ab273b71c3a912b1d31b5bab52e1478df9bfa3da25244fc7
Opcode Fuzzy Hash: a9a5beddd46253254eb858247f4ab8be6cd54bdcc6464c3daed5bae84e9a7bdc
Instruction Fuzzy Hash: B121A471500244AFE720DF25DC45B6AFFE8EF05320F1884AAED458B641D374E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029812BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0298134B

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d5612309bc439470b59ec01e474f531b8370bbdcfac69cb046c959638a556ea
Instruction ID: 56bae21a22696c4376bc35ead7ffd8a6bce046be515e81a27c4a0521656dab80
Opcode Fuzzy Hash: 8d5612309bc439470b59ec01e474f531b8370bbdcfac69cb046c959638a556ea
Instruction Fuzzy Hash: 242105715043846FEB21CB25CC45FA6FFA8EF05720F18809EFD458B182D364A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02980723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0298079F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 688b4d725fe0104a1a67a93d2b46cf2a27d20707f367fbe4a95af8ac1f23229d
Instruction ID: eeacd6ab7a1b099b1d234a67582855ead002fd3f87d08b7e57914f5cb6c97b32
Opcode Fuzzy Hash: 688b4d725fe0104a1a67a93d2b46cf2a27d20707f367fbe4a95af8ac1f23229d
Instruction Fuzzy Hash: AD21B0725093849FD712CB25DC45B56BFE8EF06214F0980EAE885CF653E324E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029822A6, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02982311

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: aafbf98f9b4940eb885253f9c44f8d2c473761bf23b0e21687f254b52314eae9
Instruction ID: 9662a10b0226b268a6f86f8f6544063baa3d9646ef6e1719ab77f07a11cb04dc
Opcode Fuzzy Hash: aafbf98f9b4940eb885253f9c44f8d2c473761bf23b0e21687f254b52314eae9
Instruction Fuzzy Hash: 8121E7B1900240AFE721DF25DC45B6AFBE8EF04710F1884AEED498B241D375E804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 029817E4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02981850

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 041f2cd8c389ff5c75d8f309ff202fdad086cb3dabcd32c88036afd73243e380
Instruction ID: d74c4bd9454ad4e21d1b5504a64d91ea565a71ea2a9a2e8d8453417c8bd01068
Opcode Fuzzy Hash: 041f2cd8c389ff5c75d8f309ff202fdad086cb3dabcd32c88036afd73243e380
Instruction Fuzzy Hash: 2921C3725093C45FDB028B25DC55792BFB4AF07224F0D80DBED858F663D2649948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02981899, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,BEF1A9D7,00000000,?,?,?,?,?,?,?,?,72BE3C38), ref: 0298190A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: a00d507f5e820bd589b11637043045c17e735d52618a722ab2ea513a129527f8
Instruction ID: 390dbe4c8ccf91ed671d23b0a1940121740deab6fa151f37e1b262eeef530c7b
Opcode Fuzzy Hash: a00d507f5e820bd589b11637043045c17e735d52618a722ab2ea513a129527f8
Instruction Fuzzy Hash: 0F2183715093845FD712CF25DC44B96BFE8AF06210F0980EAE985CB163D3249849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029823A6, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0298241A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8fa52e4eb6ae011420a8e35aae0931e02663ec776ab894520387df7e2b95b2ba
Instruction ID: d184811f2f6d2d22046cbbe9974d1f29275bfdac2c90bff8cd09b74993fd016b
Opcode Fuzzy Hash: 8fa52e4eb6ae011420a8e35aae0931e02663ec776ab894520387df7e2b95b2ba
Instruction Fuzzy Hash: 9221D272900244AFE721DF25DD45F66FBE8EF08320F14845EED898B641D375A549CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02981C16, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 02981C82

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 9c376bb09ca9d29833ffd9718c3a9ec2f5575c7b4bd58b3d6fe9de9f2055da36
Instruction ID: b31f58a1ac9e2696a8254f971ecc644b293bee8b302fda63b09f4d8ccc2a25ca
Opcode Fuzzy Hash: 9c376bb09ca9d29833ffd9718c3a9ec2f5575c7b4bd58b3d6fe9de9f2055da36
Instruction Fuzzy Hash: E121D171500640AFEB21DF55DC44F66FFE8EF08310F18886EEA898B642D375A405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02982E66, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982ED6

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 71a1da19431264f71d40e1d70d33e6d48ed85acbc580a67d7b729c89142872b6
Instruction ID: 6912c1d03a5fe4939be45df4365c8295781c745672933913a25235b85cac8c8d
Opcode Fuzzy Hash: 71a1da19431264f71d40e1d70d33e6d48ed85acbc580a67d7b729c89142872b6
Instruction Fuzzy Hash: D811D2B2800204AFEB21DF55DC45FA6FBACEF04310F04886AED459B511D330A445DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029801F4, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02980264

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d8402251bf0b8486495656417f8174fc13dc7bd8a08417b60849c2f39bb5b76b
Instruction ID: f7e5d87241e666a2071bf793aac18ddb5d2b0a58ae8153d93894921d0b02a09a
Opcode Fuzzy Hash: d8402251bf0b8486495656417f8174fc13dc7bd8a08417b60849c2f39bb5b76b
Instruction Fuzzy Hash: B421D5B28057849FD712CF54DC85B66BFA8EF42320F0980EBED848B653D3749809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02980D9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980E10

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 611b984873d7cec4d8a569e6648ab388f65f429fedbd1a0d55bc81dfb3016f45
Instruction ID: bc9237da2e527149e5596f64d6c405ca88d3e3c4f5c6b4c55e36a2bc942cc44b
Opcode Fuzzy Hash: 611b984873d7cec4d8a569e6648ab388f65f429fedbd1a0d55bc81dfb3016f45
Instruction Fuzzy Hash: 2D11D0B2500704AFEB319E15CC81F67FBACEF04710F08845AED458B242D370E448CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 029804EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298055C

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6612f6eaec9e5d3e8296c09d36ba8d0db24c5e402daaece427ddcfe5d6f9a409
Instruction ID: ca77d426defbf925ce750cc7f5976c3ff436095446ccba7025db33e378eb23ef
Opcode Fuzzy Hash: 6612f6eaec9e5d3e8296c09d36ba8d0db24c5e402daaece427ddcfe5d6f9a409
Instruction Fuzzy Hash: D21181B1500604AFEB20DF16DC85F67FBECEF44710F18849AE9468B651D360E449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02980CB4, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 02980D1E

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 3ea1135529eb319f88c9a5344347911d83a7b266b673e45c7eab622dfcd59923
Instruction ID: 998dbdba60148536b2a301e0c943d12e49503978530ee6105c6ca487d5ee819e
Opcode Fuzzy Hash: 3ea1135529eb319f88c9a5344347911d83a7b266b673e45c7eab622dfcd59923
Instruction Fuzzy Hash: 5F116D715053849FD721CF25DC85B66BFE8EF05210F0984AAED89CB652E375E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029815AC, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02981616

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3ea1135529eb319f88c9a5344347911d83a7b266b673e45c7eab622dfcd59923
Instruction ID: 6e3aaa97b9bc88a271648006b0fa75833f2e75c9b9aa776e8853fd4faeb378bb
Opcode Fuzzy Hash: 3ea1135529eb319f88c9a5344347911d83a7b266b673e45c7eab622dfcd59923
Instruction Fuzzy Hash: 90117F725053849FD721CF25DC85BA6BFE8EF05210F0D84AAED89CB652D374E849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02982812, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982871

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: f108acc7dc743ea8c90f0945cb36b61de81f1ed7f3f2403ef5dfa838d92c88e3
Instruction ID: 7ff326e0d10bd1ebbeb34bdc0d90d6ffe9d33833ea468546b5ae5ab9dcc4dbcf
Opcode Fuzzy Hash: f108acc7dc743ea8c90f0945cb36b61de81f1ed7f3f2403ef5dfa838d92c88e3
Instruction Fuzzy Hash: B3110871900244AFEB21DF65DC45F6AFBA8EF44720F18846AED458B641D374A444CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 02982C76, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02982CDD

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 31eaae90a80d6a39cc1bdef4fa89d4a39b29a87c470f3ee07b2d91c324d472c8
Instruction ID: d281b9814007becaef185ca6ad5ef15b878ac3b9911a382073964f8a385d3e89
Opcode Fuzzy Hash: 31eaae90a80d6a39cc1bdef4fa89d4a39b29a87c470f3ee07b2d91c324d472c8
Instruction Fuzzy Hash: 7611D0B1900244AFEB21DF55DC85FAAFBECEF44710F1884AAEE498B241D374A448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0298138F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 02981402

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: e9a3b232c93603578bc7aed8eefce9bd64bcf7e303580061cf4a45d31e85c186
Instruction ID: f62cdf1a992046f5f4c050b91d0358d9960605912925935efaa7a855bce8a2e7
Opcode Fuzzy Hash: e9a3b232c93603578bc7aed8eefce9bd64bcf7e303580061cf4a45d31e85c186
Instruction Fuzzy Hash: E1215E755093845FD7128B25DC44B62BFB8EF06214F0980DFED898B663D265A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0298143E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 029814A8

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8393983e6a4773896828d3b3b4b7fa13b231644c89250f2740e9ba77707ae371
Instruction ID: e91a6f7c39257d2178d54eee3013fe1d5df64db48edcd4cbebf0576a0ba53b62
Opcode Fuzzy Hash: 8393983e6a4773896828d3b3b4b7fa13b231644c89250f2740e9ba77707ae371
Instruction Fuzzy Hash: 3311AF7580D3C49FDB128B21DC54751BFB4DF07214F1980EBED888F253D2659849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02981206, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298125C

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d8f2881a6b18db3289f794f52c821ed1e80129e267e99bd4146203fd6f05ca62
Instruction ID: 0fc21aac7f7c6c27cc3ba60a778f8cb26ca4c40a4cc9ff226ae94faf3eb42814
Opcode Fuzzy Hash: d8f2881a6b18db3289f794f52c821ed1e80129e267e99bd4146203fd6f05ca62
Instruction Fuzzy Hash: 8D11A3B1900204AFEB10DF19DC85BAABB9CDF44720F1884AAED49DB241D774A845CF72

Uniqueness

Uniqueness Score: -1.00%

Function 029802DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02980353

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b50bee9e16dcddeffe521b8771312e449f44495f85e7838e81106350fe12ea5c
Instruction ID: 842dfc2b2e4d3af66753f57bf334f90acc17193736d787cf33062e8471c66769
Opcode Fuzzy Hash: b50bee9e16dcddeffe521b8771312e449f44495f85e7838e81106350fe12ea5c
Instruction Fuzzy Hash: 80112371500704AFEB319F15CC42F66FFA8EF04710F18849AFE855A291D371A848CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 029809F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980A51

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c2d4564a4ae455f425a291cd41aa5741fb77ab926db0e0770008cee73c410ac8
Instruction ID: 3e3d782e4b4bfdebc8fc738d4af24e3e45d01be590296fa2ed8e3f55d5b15078
Opcode Fuzzy Hash: c2d4564a4ae455f425a291cd41aa5741fb77ab926db0e0770008cee73c410ac8
Instruction Fuzzy Hash: 0A110672900304AFEB21DF55DC45FAAFBA8EF44720F1884AAED598B641D374A448CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 029812E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0298134B

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f162a9c0b3d4d3abe4945f80289c35fc3d303453fd938a40d31cb9a382ed0f3a
Instruction ID: 2bf1b5e7bfff4cf013f58aa1dda228d25470fa47c23f9467897c851258359830
Opcode Fuzzy Hash: f162a9c0b3d4d3abe4945f80289c35fc3d303453fd938a40d31cb9a382ed0f3a
Instruction Fuzzy Hash: F311C671500204AFFB209B15DC46BB6FB98DF44720F18849AFE498B681D7B4A945CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02983146, Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 0298319F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: a1a9a543c010ed83c72d1989c3be549db249c48e3e9b34fec4a225eb703ae1d4
Instruction ID: 69928e18a784befcadcfcfbce4ca8872b165f3a49bf10a4b8d2fade426e0a416
Opcode Fuzzy Hash: a1a9a543c010ed83c72d1989c3be549db249c48e3e9b34fec4a225eb703ae1d4
Instruction Fuzzy Hash: C611C6B1500204AFEB21DF55DC85B7AFBACEF44B20F18C4AAED459B241D374A445CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02983406, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 0298346F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c8edff44c278fed99a884ea1de7b570b579ab282a6b55dbfbd3aacc16a019044
Instruction ID: 23686201030ac69cab4e10be6046553d163b6373b10556e67cd82dbedca5df6c
Opcode Fuzzy Hash: c8edff44c278fed99a884ea1de7b570b579ab282a6b55dbfbd3aacc16a019044
Instruction Fuzzy Hash: 2511A571500204AFFB21DB25DC85B66FB98DF44B20F18C49AEE495B681D2B4A944CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02980CD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 02980D1E

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: cbca499ab60b87309b5b41d377c20b5e845310f91cc527e19639177ca1a0e2e0
Instruction ID: 4982280962d6b4141fef005b41559c8d3612b95e1be79cf89f572912b0e5e804
Opcode Fuzzy Hash: cbca499ab60b87309b5b41d377c20b5e845310f91cc527e19639177ca1a0e2e0
Instruction Fuzzy Hash: 8F118EB1A003048FDB20DF29D885766FBE8EF04220F0884AADD59CB642E375E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029815CE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02981616

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cbca499ab60b87309b5b41d377c20b5e845310f91cc527e19639177ca1a0e2e0
Instruction ID: b8e157f78631c734456c4c3801b8f0825b5ea0658940ffb30da970b71800a7bc
Opcode Fuzzy Hash: cbca499ab60b87309b5b41d377c20b5e845310f91cc527e19639177ca1a0e2e0
Instruction Fuzzy Hash: 7F115EB1A002448FDB10DF29D885766FBE8EF04220F1C84AAED5ECB642D374E845CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0298364E, Relevance: 1.6, APIs: 1, Instructions: 53timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 029836A6

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 1695a3766fc0f26b168b3c522f622cd6e5225edfbaddfab3e2406b12a7548443
Instruction ID: 27300202c6a99c3a3e07b89f0350f2568410a2969defdc559e774c2fdd93a740
Opcode Fuzzy Hash: 1695a3766fc0f26b168b3c522f622cd6e5225edfbaddfab3e2406b12a7548443
Instruction Fuzzy Hash: D511A071509384AFDB128F15DC45B66FFB8EF06220F0880DAED858B662D375A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02980932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BEF1A9D7,00000000,00000000,00000000,00000000), ref: 02980985

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: da5f14db38312fc41585aee4a32afa3ee2036bebc54831d42cb746436430dbca
Instruction ID: e6da63db372f92eed1d2208c0746bf5e0ebda41d872773a7b34c81a6062ce2ef
Opcode Fuzzy Hash: da5f14db38312fc41585aee4a32afa3ee2036bebc54831d42cb746436430dbca
Instruction Fuzzy Hash: C301D2B1500204AEF720DB19DC85B7AFBACDF54720F18849AEE459B241D379A848CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0298075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0298079F

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 7a992d31bb4648be9847e7560ce0824e401e4111f3de7f4510bbd4e042d1a9f4
Instruction ID: c10e08120b06bfbdf644588e53329385d3764208509fd4cfcc9c10fc686567d0
Opcode Fuzzy Hash: 7a992d31bb4648be9847e7560ce0824e401e4111f3de7f4510bbd4e042d1a9f4
Instruction Fuzzy Hash: FC115E75A012448FDB50DF29DC85B6AFBD8EF04220F1C84AADD49CB646E374E848CF61

Uniqueness

Uniqueness Score: -1.00%

Function 029818CA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,BEF1A9D7,00000000,?,?,?,?,?,?,?,?,72BE3C38), ref: 0298190A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 0caed9df4bef8f655c859ee03ecab835b01e6cb79e986f9417fc6a833c4ef2a7
Instruction ID: f430f49b4e5b182e6ffaef759caf2c3048b9584aaf39b784f60b90c630ae539f
Opcode Fuzzy Hash: 0caed9df4bef8f655c859ee03ecab835b01e6cb79e986f9417fc6a833c4ef2a7
Instruction Fuzzy Hash: DC1184759002448FDB10DF65E884766FBE8EF04220F08C4AADD59CB652D375E445CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02980ECA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 02980F1A

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 88acb9775bb79a206a5241a0bd06a1a1aba4114ba6398af9467becee9e279270
Instruction ID: 46cf7b83b71af35394a3e95c50b276a68206fbe9d911b6f927aa1567b266ad37
Opcode Fuzzy Hash: 88acb9775bb79a206a5241a0bd06a1a1aba4114ba6398af9467becee9e279270
Instruction Fuzzy Hash: DB01D472900200ABD750DF16DC81B26FBA8FF88B20F14812AED088B745E231F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02983252, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 0298329D

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 529a4edb75050734de40167b2d280779cbad5612a1846882bad32d05f506f4df
Instruction ID: 3091560a69c77b3f71ff68a0fccf747b57cfbc0da263387b0ba3ccc447d30fb6
Opcode Fuzzy Hash: 529a4edb75050734de40167b2d280779cbad5612a1846882bad32d05f506f4df
Instruction Fuzzy Hash: 0B01D472900200ABD750DF16DC81B26FBA8FF88B20F14812AED098B745E331F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 029813C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 02981402

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 34c6a11868009c6b9683c790910a2edd01305a91f4665ea8a62de77f12200416
Instruction ID: 2aa43d777e88bf493316abb69c958d3d5f15af1222e5d21abc2de8691046c479
Opcode Fuzzy Hash: 34c6a11868009c6b9683c790910a2edd01305a91f4665ea8a62de77f12200416
Instruction Fuzzy Hash: 9E019E755002448FDB20DF65D884B66FBA8EF04220F0CC4AADD4A8BA52D370E849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0298181E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02981850

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7f883a00edd79890970e4d0430a25260a8124d20f87060aafdebb4f01a74e498
Instruction ID: b2168106c423a162262523424b6abdcf5856fe51278d9533fe308e11877fb0c8
Opcode Fuzzy Hash: 7f883a00edd79890970e4d0430a25260a8124d20f87060aafdebb4f01a74e498
Instruction Fuzzy Hash: AB018F759006448FDB10DF19D886766FBA4EF44220F18C4ABDD4A8F642D374A848CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02980232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02980264

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: eec3766bdc5564dbafcea567f5f980eb3d227700473c1498243a675154f1ea88
Instruction ID: 2a4dd5b64a6430785fa0ffad015cb50913b83f201b066c1075180d7187f18f3a
Opcode Fuzzy Hash: eec3766bdc5564dbafcea567f5f980eb3d227700473c1498243a675154f1ea88
Instruction Fuzzy Hash: 58018F759002449FDB509F29D885776FBA4EF44220F18C4ABDD598B642D3B5A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02981B7A, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 02981BCA

Memory Dump Source

Source File: 0000000D.00000002.498930483.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: be52d3b48d2d19481aec14e090c5768888fcdff28991d443c73e840c7a4c0802
Instruction ID: 7ca42b1592829a8f7217956a6ddeb8bc4672fa8983db57245df9785a54b32b8e
Opcode Fuzzy Hash: be52d3b48d2d19481aec14e090c5768888fcdff28991d443c73e840c7a4c0802
Instruction Fuzzy Hash: 6F01A272500604ABD250DF1ADC82B26FBA8FF88B20F14811AED094B745E271F956CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 029220D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 0292230F

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 3c49172a32afeab74da73d0a56558615e6a6c9663d51881a857fc767e669187f
Instruction ID: 95bc98b112b8dad5d5bce5aafd7c72a042bf5899dc35f612799b33129d590704
Opcode Fuzzy Hash: 3c49172a32afeab74da73d0a56558615e6a6c9663d51881a857fc767e669187f
Instruction Fuzzy Hash: 62719530E08225DFCB44DFA8C841ABEBBB1FF45300F50846AD906DB259DB759D49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02929AB0, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

, xrefs: 02929BDB

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f4674f5ad3fcc535a8ebf3e6e48bb44bcbd6678dde54b8c9a47473f42d5ca02f
Instruction ID: 3f474efe34666540836d69cac831454e9f1b42b9faa822349206399375ac26b9
Opcode Fuzzy Hash: f4674f5ad3fcc535a8ebf3e6e48bb44bcbd6678dde54b8c9a47473f42d5ca02f
Instruction Fuzzy Hash: 7B51D171F04225CFEB04DF69D8401AEBBE2EBC5214F25897AC11ADB248DB35DC4ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 029202E8, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

`5#r, xrefs: 029203A5

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: `5#r
API String ID: 0-945842197
Opcode ID: 19a9a9c3937372762d0a15525e911b8c0d0faf6aff93d0b53a983ffcc18595bb
Instruction ID: 34374c0badc8aad6656b7fd04ab1a994a8da8b4dba90b75f3a6c63b71945d8fe
Opcode Fuzzy Hash: 19a9a9c3937372762d0a15525e911b8c0d0faf6aff93d0b53a983ffcc18595bb
Instruction Fuzzy Hash: 73519330B092158FDB08DF68C5507AD7BF2EF99310F288469D90AEB395DB35AC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02921458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g r, xrefs: 029214C7

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: 1820876c5efe7295d247ea964807e6d94d1731a0372cd8c2e7da667525b06d7e
Instruction ID: 702bf7a9aa3bcf93a795c57daeadc09822d9d47fe41b3f720f4e6405d724a5cd
Opcode Fuzzy Hash: 1820876c5efe7295d247ea964807e6d94d1731a0372cd8c2e7da667525b06d7e
Instruction Fuzzy Hash: CA51C434A04218CFDB54DF68C894B9DBBB2BF49304F5440E9D40AAB36ACB359D99CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02922D58, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

, xrefs: 02922E76

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1f295870f4ed5cfeda7bc5c6bde9f96a5e30e59aac51d1d680e487048448698b
Instruction ID: b7b66b9cdb77d9257437101e30732afb02aca499e76a650c0e8abb8797c933f4
Opcode Fuzzy Hash: 1f295870f4ed5cfeda7bc5c6bde9f96a5e30e59aac51d1d680e487048448698b
Instruction Fuzzy Hash: D841C370E042258FCB10CF69C8405BEBBB2FFC5214B69C976C816DB649C735E84ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 02921290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$g r, xrefs: 02921349

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: 5a000ed14934432d86a21deb8988539647d5b59a3a1b203afb4e2bc8ad20b16f
Instruction ID: e96a07f88862ed3a49d41b73876c328c8b7d4473566276bc110f04493f3ccc99
Opcode Fuzzy Hash: 5a000ed14934432d86a21deb8988539647d5b59a3a1b203afb4e2bc8ad20b16f
Instruction Fuzzy Hash: 0F41D774A04229CFDB64DF68D844B9DBBB2BB49340F1444A9D40EAB35ADB309D94CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029289E0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02928AF7

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: e68774075135e14fd8df0c94e6383fddeef227521ece0aa29d793f554fbc0e58
Instruction ID: 76c9ca305c949a6beb71308bd70b4e0483f63019aaa4e23dff466801e239512f
Opcode Fuzzy Hash: e68774075135e14fd8df0c94e6383fddeef227521ece0aa29d793f554fbc0e58
Instruction Fuzzy Hash: 9C414B70E04219DFDB44DBA8C1856AEBBF1FF45304F1084AAD416E7268DB359A49CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0292E078, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

l!r, xrefs: 0292E123

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: l!r
API String ID: 0-3732080880
Opcode ID: 56921d48f14d7cc22717323dab2faf46900a50af5ef8efc2b38131d2c75a2f1d
Instruction ID: 876c220e38f264ee955f3066d62fcae2e982194bf9df3c72820cc76c8d2d675d
Opcode Fuzzy Hash: 56921d48f14d7cc22717323dab2faf46900a50af5ef8efc2b38131d2c75a2f1d
Instruction Fuzzy Hash: A021B331A08134CBCB19CA68D4407BEB7E5AB8C710F144879D846D7349DF31AC4AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 029205B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8]q, xrefs: 029205D6

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: 8]q
API String ID: 0-1408181585
Opcode ID: 29993a990b6202244b3e39eacadc9251ea634c629e5d57f83f858fb5d2f187f5
Instruction ID: e33da46f20e69eb8f6d2ea0672355be9faf2a28ce9c4d86e5af3ae9aaccee536
Opcode Fuzzy Hash: 29993a990b6202244b3e39eacadc9251ea634c629e5d57f83f858fb5d2f187f5
Instruction Fuzzy Hash: 9001A2307443601FC75A267C94216BE379BAFC6650768446EE006EB395CEAE6C4383F6

Uniqueness

Uniqueness Score: -1.00%

Function 029205C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8]q, xrefs: 029205D6

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: 8]q
API String ID: 0-1408181585
Opcode ID: 12e90b582162793099471e7bd3735411d7dc5e8b8ef211b92a8540dae6d47a34
Instruction ID: da08ee23a642973737f2c372798c98c329f100c413c170a914ea4935efa4d72d
Opcode Fuzzy Hash: 12e90b582162793099471e7bd3735411d7dc5e8b8ef211b92a8540dae6d47a34
Instruction Fuzzy Hash: DFF090207403241FCA08367DA8126BF628B9BC5691B54442EB10BEB384CEB9AC4283F6

Uniqueness

Uniqueness Score: -1.00%

Function 02924710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1#r, xrefs: 02924747

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: X1#r
API String ID: 0-183898247
Opcode ID: 4cb9a4ee1b01ced3ff55c60fa422737b9d08e3663deaede6ec8b341626f4c2bd
Instruction ID: 644c70610c8aa92ac728f7088fb9208440ca7d54527123fd4b947215481b91cf
Opcode Fuzzy Hash: 4cb9a4ee1b01ced3ff55c60fa422737b9d08e3663deaede6ec8b341626f4c2bd
Instruction Fuzzy Hash: 97F02B323012704BC72523B9540037E36DE97C9751F54043ED509CB784DD76CC4587A0

Uniqueness

Uniqueness Score: -1.00%

Function 02927770, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu!r, xrefs: 02927793

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: Hu!r
API String ID: 0-524943494
Opcode ID: 495d0463512bcd36b50a7ffb76a6c85824266b7ba06c5302db7c1baef0931d30
Instruction ID: 5ee2ee5e133d09150a06e3f9e41c67e57153a96ba33ee17d79831a430eb2a562
Opcode Fuzzy Hash: 495d0463512bcd36b50a7ffb76a6c85824266b7ba06c5302db7c1baef0931d30
Instruction Fuzzy Hash: 94F0E93174812057C56436AC6C91EBEB98FEBC5730760462DE51AAF3CDDE509C0583B6

Uniqueness

Uniqueness Score: -1.00%

Function 02927761, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu!r, xrefs: 02927793

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: Hu!r
API String ID: 0-524943494
Opcode ID: bbe6d2558e67bc8a18d03d3668900c784af189dbe34174a6cd392a5693bfaaa0
Instruction ID: 8541bc1ea1ecd7490216c685ddada6277438c79bc6987c81922650a05e8a12f6
Opcode Fuzzy Hash: bbe6d2558e67bc8a18d03d3668900c784af189dbe34174a6cd392a5693bfaaa0
Instruction Fuzzy Hash: 71F0C83074C2504BC755677CA8507BC7A87AFC6320B6446ADD51ADF2D9CE554C05C376

Uniqueness

Uniqueness Score: -1.00%

Function 0292A41F, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu!r, xrefs: 0292A443

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: Hu!r
API String ID: 0-524943494
Opcode ID: 8c0fd8fa3075830c4120d03a13c053b53827af1d140f13f747b3c8c109c84565
Instruction ID: 48d32e1751635d68b1d33befbac3ae795f3d16c97e7bb335fc94f052408d6537
Opcode Fuzzy Hash: 8c0fd8fa3075830c4120d03a13c053b53827af1d140f13f747b3c8c109c84565
Instruction Fuzzy Hash: 5BF0E27274812057C664366CAC94A7D6A8BABC53707608729E91EDF3CDDE64CD0583B2

Uniqueness

Uniqueness Score: -1.00%

Function 0292A420, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu!r, xrefs: 0292A443

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: Hu!r
API String ID: 0-524943494
Opcode ID: e95a257469cb33cef1d619d2adea0da4fa02ba627d58dbe484e30c1317a01ef2
Instruction ID: 0c38998bcd9b1139a61d29b504a90b198442fba96e79763d32b24540315a9229
Opcode Fuzzy Hash: e95a257469cb33cef1d619d2adea0da4fa02ba627d58dbe484e30c1317a01ef2
Instruction Fuzzy Hash: 4AF0E27274822057C664366CAC94A7E7A8BABC53707608729E91EDF3CDDE64DC0583B2

Uniqueness

Uniqueness Score: -1.00%

Function 029262A8, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

l!r, xrefs: 029262C6

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: l!r
API String ID: 0-3732080880
Opcode ID: eabf4ccf1e918f45e128f80903471d15f8397a8e12951b943083d45889e606b6
Instruction ID: 8251e1a1662c6b9d521e02e6b2fae63971d68195d6e8c7cc00b4e531d8c93c1e
Opcode Fuzzy Hash: eabf4ccf1e918f45e128f80903471d15f8397a8e12951b943083d45889e606b6
Instruction Fuzzy Hash: 41E020307C63542FD703277D5C102A93B9DAF8322134544A5E446CF391DE154C0383F9

Uniqueness

Uniqueness Score: -1.00%

Function 029262B8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

l!r, xrefs: 029262C6

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID: l!r
API String ID: 0-3732080880
Opcode ID: 5c6aa18cba50de73586cfa29df74b475844006b1ed736cdcb5676de4030a3f81
Instruction ID: eb0311db7521af5fdd3fff9128d21e35ace3c5a8a0ffdf501d3b2c8b70d27f45
Opcode Fuzzy Hash: 5c6aa18cba50de73586cfa29df74b475844006b1ed736cdcb5676de4030a3f81
Instruction Fuzzy Hash: 4AD0A735FC16242B9A15767D2C116BE378DABC16623044828F40AD7380DE11DC0143F9

Uniqueness

Uniqueness Score: -1.00%

Function 0292AEC0, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d5e526fe4f28a780e534130a35a20230e5d4394a220b3151ece91de4194d18
Instruction ID: 9d94547c1bb88a3ff130bd29265e8486db8c4f112ffabe7e6419b9645e0d1e64
Opcode Fuzzy Hash: 34d5e526fe4f28a780e534130a35a20230e5d4394a220b3151ece91de4194d18
Instruction Fuzzy Hash: 51910570B006158BD708EB68C855B6E7BA2FFC5304F50856DE10A9B2D9CFB09D46C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 029284D0, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847b42a00901f77bb649431c1f9f0dad148bbb4543e996ef2b3538bc4981aa66
Instruction ID: 4ef00e3b3dfbd9368209f167437a540889e5373e00e1e8d92256533f460a276e
Opcode Fuzzy Hash: 847b42a00901f77bb649431c1f9f0dad148bbb4543e996ef2b3538bc4981aa66
Instruction Fuzzy Hash: A6A15C75D00229DFCB14DFA8C9849ADFBF5FF48310F24856AD41AA7258D731A85ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029263A0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce81c125e106c8d399ec61d1635269c4738d0cb91df7aef0ed60c4da751a582
Instruction ID: 10b39e6a601b4d2fb241ad4d73cc32c847ed1e96e509d29e2ad0104c636eec0d
Opcode Fuzzy Hash: 2ce81c125e106c8d399ec61d1635269c4738d0cb91df7aef0ed60c4da751a582
Instruction Fuzzy Hash: 09818031A00629CFCF15DF14C890ADAB7B6BF85304F55C595D80AAF219DB71AE8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02924DB8, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a0b50daa2e43ecfc40b422b3e88143720553c0ee3f7aca55d6df46b86c0901
Instruction ID: 3804a164958ef2d32ed72cecd8278601db697a72d8bf28c8cd43799b118bdd3b
Opcode Fuzzy Hash: 06a0b50daa2e43ecfc40b422b3e88143720553c0ee3f7aca55d6df46b86c0901
Instruction Fuzzy Hash: 1F619030605255CFC705EB68D9809BE7BA2FFC4310B15986AD506CF65EDB31AC4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0292EC48, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c25e3ee92717d5fb51e409f4883c92ce34f0ef880de0d278dcfa96b1c269c52
Instruction ID: 9f4eed9611222573c9d20b578d7af47c409ebb16a6b2f7b9f958203aa3f4ecbb
Opcode Fuzzy Hash: 7c25e3ee92717d5fb51e409f4883c92ce34f0ef880de0d278dcfa96b1c269c52
Instruction Fuzzy Hash: 3D714834A00219DFDB14DF69D484BA9BBF6FF48314F188869D496A7764CB30F889CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0292E4E0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1b96c73686b539b1e024bd6902a5c7e7384500c64f3db0690a1126ab8c9a31
Instruction ID: 0fed231d150077c88a35510537f0cd585f2cefb0ddfa77cedcc501266ead404c
Opcode Fuzzy Hash: cd1b96c73686b539b1e024bd6902a5c7e7384500c64f3db0690a1126ab8c9a31
Instruction Fuzzy Hash: 2B518071A01128DFCF14DF94C8809ADB7BBFF84314B158419E806AF259DB30BD4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 029278D8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcf1470b070e1cbf62921ff351b52f25eb4911a8a91e2c0ea5adc5946728716
Instruction ID: cc3d75caf3d7555bf93c04943ec278fdf9e93063f4943b8adba7af518898d110
Opcode Fuzzy Hash: 7dcf1470b070e1cbf62921ff351b52f25eb4911a8a91e2c0ea5adc5946728716
Instruction Fuzzy Hash: BB311631904669CFDF15CF54C8546DABBB2EF89304F118894D909BB209DBB06B8ACFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02927528, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecec2977e05b5758fbb531f886732d78189d35bca78148bbb2dfcc5d841e8a41
Instruction ID: b6e7738beb8980e00d8a4415efae8a9b247000ae38921451a53dae12bf6bfabe
Opcode Fuzzy Hash: ecec2977e05b5758fbb531f886732d78189d35bca78148bbb2dfcc5d841e8a41
Instruction Fuzzy Hash: 3A513E71B002248FCB18DBB9C5506AEF7F7AFC8310B258569C40AAB359DE31AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0292F310, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5769482b74d200ba3e1e096ed575a69d629d6dba68fb25d69793aca7798264
Instruction ID: 62656de352987bb2c2224fa6871eb48ea1de997487c05342ecb8e6a4534bc0f0
Opcode Fuzzy Hash: 9f5769482b74d200ba3e1e096ed575a69d629d6dba68fb25d69793aca7798264
Instruction Fuzzy Hash: AA511D34600214DFD714DB68C998F697BF2EF89305F1980A9E806DF7AACB759C58CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02927E11, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f4e4f12fc1c9fc9a307ad83498de14793313e4a1ef66f38f884d1ae4473e90
Instruction ID: e4389843bf93f83e6521a84538d84d8fd678cbce6fd6b4dc55641633cc189ea3
Opcode Fuzzy Hash: 86f4e4f12fc1c9fc9a307ad83498de14793313e4a1ef66f38f884d1ae4473e90
Instruction Fuzzy Hash: 39517E70A00225CFDB14EB78C584AACBBF2FF44304F2586A9D40A9B299DB30EC45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02920688, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce2a39914fb1491e400832050b3e08366074f622c1364c76d10a97a95aad06
Instruction ID: b7d9495b0e04d8b7466c4b1a1816fdc2645ebb0885f600a9dbcdb055016f5fa7
Opcode Fuzzy Hash: 85ce2a39914fb1491e400832050b3e08366074f622c1364c76d10a97a95aad06
Instruction Fuzzy Hash: 7B413930688314ABD7146B38EC0D6AD3BB6BB80316B148569F412CB3B9DF754C468BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0292EC38, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0bce912808cc16c5d4ff04b6179f158ad7b56f57246513feb73b8d7dcb4804
Instruction ID: a1e47210349cfe4e56b5ba77ca1a57f89ce0ceeb7f623c2d32b5d20d99eea4c9
Opcode Fuzzy Hash: 7d0bce912808cc16c5d4ff04b6179f158ad7b56f57246513feb73b8d7dcb4804
Instruction Fuzzy Hash: 5B516D35A04614CFDB24DF69D4C4BAABBF1FF48314F148869D4A6A7664CB31F889CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02920BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0072537b26d4b45b67f0133dbb0bdc375d44bc0896a6ee8cecaea28a318f917
Instruction ID: 8f51bfb4b65e733d295f253b3160b5e7b5d22f9d64c74fabe40ba138abafc892
Opcode Fuzzy Hash: d0072537b26d4b45b67f0133dbb0bdc375d44bc0896a6ee8cecaea28a318f917
Instruction Fuzzy Hash: 2D41D631B051148FCB15DB28C414AAE7BE6EFD5310F15846AE806EF3A5CEB69D0EC791

Uniqueness

Uniqueness Score: -1.00%

Function 029293D8, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc1b76847b7f81ef7a3640ffb3400d43da226bb32e556548d1ab03c71f8a958
Instruction ID: 95f5d1821a7fd81ee397f205d6ac1689ac3a6ddf99df79f0c7c62fb533b46ee5
Opcode Fuzzy Hash: cfc1b76847b7f81ef7a3640ffb3400d43da226bb32e556548d1ab03c71f8a958
Instruction Fuzzy Hash: 6F41357060D3B1CFE7124B68D894A347FB9AF43214F2945A7D49ECB6A6C7259C0CC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02925920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34806b94092b0de162e6aa7e42ff1ca879532a4826edbd7fd44f19a91a3fca5
Instruction ID: 9fa9535ccab22288abf5e3ea05324691b12dde6dcff2cc27b2dc334b202cf9bb
Opcode Fuzzy Hash: b34806b94092b0de162e6aa7e42ff1ca879532a4826edbd7fd44f19a91a3fca5
Instruction Fuzzy Hash: 92418234B043219BDB096B75D81533E369A6FC4610BD6C829D402EB39CEF35DD0A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 029270A8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a624dec4d326d05b9ed5794a12fba49f8bbe2e440a4766dda01105dbf392f27a
Instruction ID: 924764677192b7f0b9de83657c0448b9a8937898889f9560ad42890b65043b7b
Opcode Fuzzy Hash: a624dec4d326d05b9ed5794a12fba49f8bbe2e440a4766dda01105dbf392f27a
Instruction Fuzzy Hash: 4641C035A01250CFCB05EF79E55026EBBB2FB8D700358416DD80ADB78ADB369C15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02920690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ed1abdf7ddb4fd4c59e56b848810b135d75bbbebb90d997b2c114aab231d0c
Instruction ID: 7f8bd1ad39c1b0e1863952a086cdaf33d3f3adfe4c15d133512e01ebfd68107c
Opcode Fuzzy Hash: e1ed1abdf7ddb4fd4c59e56b848810b135d75bbbebb90d997b2c114aab231d0c
Instruction Fuzzy Hash: 49412730684314ABD7147B38EC0D6AD3AA6BB80716B148469F416CB3B9DF704C468BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0292FD70, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99a424d8bd4077d352f81b1f69be3951c6ce0aaa32073c26ebd275edde65219
Instruction ID: 246c3144165962382b1822b58d623167205679f21e015fd144d0122cd80f4358
Opcode Fuzzy Hash: f99a424d8bd4077d352f81b1f69be3951c6ce0aaa32073c26ebd275edde65219
Instruction Fuzzy Hash: 2B41E735A00214CFDB05DB68C480EADBBB6FF88324F158599D515AB76ADB31EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0292F000, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9705e44787132f17101891506a97e3cd9abfd85c5c7f8b0a5055fc97c06cdb3d
Instruction ID: 6c2502041d15289362b5151e525b13ab1cb0388902c7fd9b1099f0b7d69d66e9
Opcode Fuzzy Hash: 9705e44787132f17101891506a97e3cd9abfd85c5c7f8b0a5055fc97c06cdb3d
Instruction Fuzzy Hash: 6631F436A04124DFCF01EBA8D8449EE7BB6FFC9310B050865E902AB665DF716D1ECB91

Uniqueness

Uniqueness Score: -1.00%

Function 029270B8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf73030d501aad3c4d7c80f5ad948bdbbfeef73ca3d3f5267a343c04bf103070
Instruction ID: bb1731feee43e7f6b85e559c35ea542e48a04b026b4d6399cbf96eefdfa1de9d
Opcode Fuzzy Hash: cf73030d501aad3c4d7c80f5ad948bdbbfeef73ca3d3f5267a343c04bf103070
Instruction Fuzzy Hash: 27419E34A01214CFCB15EF69E55026E77A2FB8C700358416DDC0ADB78ADF36AC15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0292B250, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cc4dd4d0b733da2366b921d85cb0d96142123257fd9ae3c293e638c3fd0a88
Instruction ID: 79c829130c05210f6e9b451380abe943db8fa1f4986f92c952e8d7b068249e6e
Opcode Fuzzy Hash: f4cc4dd4d0b733da2366b921d85cb0d96142123257fd9ae3c293e638c3fd0a88
Instruction Fuzzy Hash: 5731F471B006298BCB14DBADD5942AEB7F6FB88314F20442DE456D3744DB35EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0292F8F5, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6de10254383783f538bec0b4fd4447664f0ff66624cec1feb1408153c437415
Instruction ID: 1d245ea96e6dcee699566ab823e8c51ed022321b46751f7c255921100f02b6bc
Opcode Fuzzy Hash: c6de10254383783f538bec0b4fd4447664f0ff66624cec1feb1408153c437415
Instruction Fuzzy Hash: 3C41C938A002109FD714EF28D498B6977F2FF89715F2980A9E806DF7A6CB75AC44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0292D530, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ccbdae9598a4ae4638e8cc5ec6b7e8d78228b43b9851e24857e0b47a04532d
Instruction ID: 6d2712a79ed9663fc56a8b511f2b42990ed149bd94f81bad2418110bb5389d5e
Opcode Fuzzy Hash: d6ccbdae9598a4ae4638e8cc5ec6b7e8d78228b43b9851e24857e0b47a04532d
Instruction Fuzzy Hash: CF417FB06053508FCB459B28D4146557BA1EB8631D32888ADE01ADF39ADFB29D4BCBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0292E4D1, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c7bcbbf7814e5f15207c65eb36ca41df1b59ebbcc9b9a9cbfd9c5e47b5e574
Instruction ID: fa815de32f05d13d3074b32f5a686dbee825ce7577b36de5ad10a6debc6a05fb
Opcode Fuzzy Hash: b8c7bcbbf7814e5f15207c65eb36ca41df1b59ebbcc9b9a9cbfd9c5e47b5e574
Instruction Fuzzy Hash: A331B431A15228DFCF05DF94D8909EDBBBAFF44300B104469E546AB265EB31AD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029202DB, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6419a83318b9e06efbfc0d710eb933473d75501b80a0db562510caefe08515e
Instruction ID: 5fbe74fc8120e90433dae0f8ea0706af6568fa95b038e4aa43cc9dd6f915a09b
Opcode Fuzzy Hash: d6419a83318b9e06efbfc0d710eb933473d75501b80a0db562510caefe08515e
Instruction Fuzzy Hash: 0741AA30A05215CFDB08CB68C550BAE7BF6EF99310F288468D806BB3A4DB75AC44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0292F867, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b2f993159e635374356715ec337f0ea2b3ccf2fac00bf28f7df4dca4fc1951
Instruction ID: 7bb88c4c97f2140bbc260ad396c9b5526602379dd5757026c0c632cd750fc98d
Opcode Fuzzy Hash: 17b2f993159e635374356715ec337f0ea2b3ccf2fac00bf28f7df4dca4fc1951
Instruction Fuzzy Hash: C741E938A002109FD714EF28C498B6977F2BF89715F2940A9E806DF7A6CB75AC54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0292F010, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2379e45a676ad3a4c4fd3cdd379103a0bea3368514bddca8889c9c43386b6a
Instruction ID: aea244a674ea8d7610120f11c829de7704596651bbb87ab71f05d2dcc4906032
Opcode Fuzzy Hash: 2b2379e45a676ad3a4c4fd3cdd379103a0bea3368514bddca8889c9c43386b6a
Instruction Fuzzy Hash: 5A31C632A04124DFCF05EFA8D8449AE7BB2BF89320B050865E906BB655DF71AD1DCBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0292F8AB, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcee999c9849c3eb5671ffd5b899af655076e9a5fdc90e43c36d93a33628d02
Instruction ID: 174651d2d9febdde7919700fea674f17ee811f728d6e2d4fe9e99446612d35d5
Opcode Fuzzy Hash: 2dcee999c9849c3eb5671ffd5b899af655076e9a5fdc90e43c36d93a33628d02
Instruction Fuzzy Hash: C041CB38A002109FD714EB28C498B6977F2BF89715F2980A9E846DF7A6CB75AC44CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0292F960, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0df44e5a9a6a206c087d0bca57a1cbff5073daf9105f28bdd1f4a4b5b3ceea
Instruction ID: 0591d1e071763357ef33791df4cd05468802538431e047ac1a1651ac446c44f6
Opcode Fuzzy Hash: 5b0df44e5a9a6a206c087d0bca57a1cbff5073daf9105f28bdd1f4a4b5b3ceea
Instruction Fuzzy Hash: B741EE38B00210DFD754EB28C458B6977F2EF89715F2940A9E806DF7AACB75AC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0292FB38, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364242ea65b1782e853f0cd492124acc157ff92dcd028835d63bb528c05198a3
Instruction ID: b3286c9ff6ca86e4f3b6da442b9495f0813bdd2502a41352179817c294c7b369
Opcode Fuzzy Hash: 364242ea65b1782e853f0cd492124acc157ff92dcd028835d63bb528c05198a3
Instruction Fuzzy Hash: E0319A71D042489FCB06CFB8C8506EEBFF2EF89300F14846AD519EB666D7359906CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0292E3C8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c847e4e5cb55db54fb5095b865dd31b825fdba22014fdd2b1d353e749c0b8aa3
Instruction ID: 47df219bf223e8fe6ade8b5157504ffdc394bc5c5855b9056c1ed1d8bc46a56a
Opcode Fuzzy Hash: c847e4e5cb55db54fb5095b865dd31b825fdba22014fdd2b1d353e749c0b8aa3
Instruction Fuzzy Hash: 09314C71A01225DFCB54DF68C584AAEFBF5FB8C314F248569D449A7248DB31AC49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0292751D, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb5abae2c8a87800fb7f1ba5f6a2841d8f4df54e98506ac0a0537ab961ed639
Instruction ID: 7a0ff069fb1751a3f0b1514533ca54dc6de6eec2ceab2b4ef8ccd85277bb5971
Opcode Fuzzy Hash: fdb5abae2c8a87800fb7f1ba5f6a2841d8f4df54e98506ac0a0537ab961ed639
Instruction Fuzzy Hash: D4312271E002198FCB04DBB9C4545EEFBF6BF88354B144969C816EB359DB31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029245C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf8b732d5fa82b478d9a0e797a65a15ed0553de3e5ace57adeb2743f4fda227
Instruction ID: b1f74195204f0e734019f67db411bf7d2bed568cea6f19c45eda899d270801fa
Opcode Fuzzy Hash: cdf8b732d5fa82b478d9a0e797a65a15ed0553de3e5ace57adeb2743f4fda227
Instruction Fuzzy Hash: 9E219171F40129AFDB50DAA9D881BFFB3BDFB88204F105526E619D3149EB705918C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0292AEAF, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc00d444cad29d75485006671e11976f725e800ded71707a04edd465117e30a
Instruction ID: a801c594f8f7c4b4633dcfb78c67e2e8c5330c48cb0a3eebd854ed8157a81f4e
Opcode Fuzzy Hash: bdc00d444cad29d75485006671e11976f725e800ded71707a04edd465117e30a
Instruction Fuzzy Hash: 2C315B31B002158FDB089BA8C859B7EBBE2AF89304F154079E11ADB2A5CF758D058B51

Uniqueness

Uniqueness Score: -1.00%

Function 029250D0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8060c3b272bdcf681dc0243b47fed1918ec290d40914a16c22c97c075c68f3bf
Instruction ID: 28a6f74f15882f834b5c1f92b4ee0dfca57bfefa5649632fb3637a37d6965847
Opcode Fuzzy Hash: 8060c3b272bdcf681dc0243b47fed1918ec290d40914a16c22c97c075c68f3bf
Instruction Fuzzy Hash: AE21FD72D45329CFDF05CFA8C8546EEBBB2EF85314F958869C409AB25AE331554ECB80

Uniqueness

Uniqueness Score: -1.00%

Function 029289B0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286b9b23863c64bc5f7e570e98070c1c20193813663b7826212abdfe02d97b3
Instruction ID: 02435b87959dddda7f11107b5fa957770693e3b464cc282a35c02ba272a23d99
Opcode Fuzzy Hash: 6286b9b23863c64bc5f7e570e98070c1c20193813663b7826212abdfe02d97b3
Instruction Fuzzy Hash: 8B317A70E09319DFCB44DBB8C5556AD7BB0FF05304F1048AAC806DB2A9DB395E49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 029250E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37aeec8cb655532cce04c1062fcef5e16f9507ad0e8cedcbd10fe8b22af56445
Instruction ID: fc3526ae513763dcaf040bc9e37ee9bf1dd610b68a489e521a22eaba1a2224d3
Opcode Fuzzy Hash: 37aeec8cb655532cce04c1062fcef5e16f9507ad0e8cedcbd10fe8b22af56445
Instruction Fuzzy Hash: 15217170E003299FDB08DFA5C4146AEBBF6AFC8300F558429D506EB359DB70A94ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02920006, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378a9fc4aa752f50952417209e155ae6e87608a367a3af2b9373295d2a29739d
Instruction ID: 9663fca987321c9c6b648dff08a0f578c8e492550614f645a873049dbe4c6d33
Opcode Fuzzy Hash: 378a9fc4aa752f50952417209e155ae6e87608a367a3af2b9373295d2a29739d
Instruction Fuzzy Hash: DD31217054E3C19FC706AB74D8695597FB1EF42300B0945EEE086CB69BDB788849C763

Uniqueness

Uniqueness Score: -1.00%

Function 0292E1CD, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b32049da24bb7fdda93cba5aa5c2efe418e353eff07b4588d14bd525cba537
Instruction ID: 5ccd2b385aea7c38c3cbd215776cd5784d18ed21978931fce12f3d148d57fc81
Opcode Fuzzy Hash: 16b32049da24bb7fdda93cba5aa5c2efe418e353eff07b4588d14bd525cba537
Instruction Fuzzy Hash: 083149306017058BC758AB38D46126E77A3BFC5304B68896CD04B9B795DFB6E8078BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0292E927, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda8d8378966d24a0647a0b76412b7226e1e3a9e0e7f6e71d14a1a648542f88f
Instruction ID: bd7dd0a6fe7106e8231c28e22d6ce24d2173296db4f4221c13f00fe494fdb6c1
Opcode Fuzzy Hash: dda8d8378966d24a0647a0b76412b7226e1e3a9e0e7f6e71d14a1a648542f88f
Instruction Fuzzy Hash: F9316C71A01215CFCB54DF69C4816AEBBF6BB88300F20442DE54AA7794DB35EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02924FF0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d824f52cdde4f500aef684a90bb8f35396e70afa8511d3b7cdfc56682a11aef9
Instruction ID: 0d73a4ed997b04b68dc7e50ae8ca785844451e6848221324d09a2f41577d212b
Opcode Fuzzy Hash: d824f52cdde4f500aef684a90bb8f35396e70afa8511d3b7cdfc56682a11aef9
Instruction Fuzzy Hash: F021F172A942248FCB04EBB89C457AE7BE1FB88300B994579C409DB24DEB30490ACBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02925830, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec966a60dc6971f0bfc089a703889c96a0a3e675b21c6e50427deda15fb9d80a
Instruction ID: c17f358bfd9f23a8653ef148ebfe8e9131e4c1954ba528e2fd271a7e85b1c7f7
Opcode Fuzzy Hash: ec966a60dc6971f0bfc089a703889c96a0a3e675b21c6e50427deda15fb9d80a
Instruction Fuzzy Hash: 34214731B061208FCB08A7B5D8004BEBBA7AFC8324B95487AD007DB399DD714C09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 029243D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c10acef39f29ca049468f2b9447f864740fc32ea8aca6d6557984075785040d
Instruction ID: 27a7a0e029c2403220dc9e506c8077b6fc4b3e218278e39c5c554b855fe6a1b6
Opcode Fuzzy Hash: 4c10acef39f29ca049468f2b9447f864740fc32ea8aca6d6557984075785040d
Instruction Fuzzy Hash: FA317C35500215DFCB00EF68ED4499D7BB2FF8430471984A8E406DB27ACB31AD6ADBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02928820, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcafe8d09dd22e668863bf5bb2a9866defbbbc282ee2a7f6028fc8334c07487
Instruction ID: 51678985c6013a3bfed2c79d03fa6e8835984bc993147e5e44ba09f2a78ca22d
Opcode Fuzzy Hash: efcafe8d09dd22e668863bf5bb2a9866defbbbc282ee2a7f6028fc8334c07487
Instruction Fuzzy Hash: B6318970A44214EFC749EF78F41896D3BA6FB85315310886AE417DB399DF398C05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0292E938, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb23b098ca57c3b4c006cfe408dc60b6cf4206bfed6bd3961cf5e598216cc11a
Instruction ID: 103f976fb078837dd4c6219d3b707ef90d1856aa872516006edd5ed2298b2890
Opcode Fuzzy Hash: cb23b098ca57c3b4c006cfe408dc60b6cf4206bfed6bd3961cf5e598216cc11a
Instruction Fuzzy Hash: 78311830A01719CFCB54DB69C4806AEB7F6BB88600F604429E54AA7794DA35EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02925B50, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22edb36f6004b55970bf55e2854a7d344fd88ec48a409f86808cebb1d7d7cfbd
Instruction ID: 01ecf5cf46b9b2595450973f816f3a7b4751d73d868116e5c21f9e0eba837967
Opcode Fuzzy Hash: 22edb36f6004b55970bf55e2854a7d344fd88ec48a409f86808cebb1d7d7cfbd
Instruction Fuzzy Hash: 5D21B271F042159FCB08EB7984501AEBAE6AFC8350F55887ED407EB345EE358C4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 029255E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22d10b14fa3f11713bd97592ce106d7eca9b0a0c0acb72903819dbc7a33d3a3
Instruction ID: ca603f354c1b3f004f055f1bd01da7453d85661a9af011948a743c916659f17c
Opcode Fuzzy Hash: c22d10b14fa3f11713bd97592ce106d7eca9b0a0c0acb72903819dbc7a33d3a3
Instruction Fuzzy Hash: 9C21D630B402149FDB289B78C8557EE7AE6BB88710F550079E506EB3D4DEB14D0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 02926058, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b95b1b3c2311ff7dd037e5e5ab98f9a9dbfcb9a83bf11894b9c39dad8119e60
Instruction ID: 76e1538b898329721517fdd2490ee27afc35c43e5133bb7557f46db14bf16987
Opcode Fuzzy Hash: 4b95b1b3c2311ff7dd037e5e5ab98f9a9dbfcb9a83bf11894b9c39dad8119e60
Instruction Fuzzy Hash: 7421F3307443548FC724DB7AC85476ABBE2BFC5710F1484A9D24ACF6E9DA329C0987A1

Uniqueness

Uniqueness Score: -1.00%

Function 0292A670, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d91f7980fe4458bdedfe511a113105feaf0fcab139ce23460b179937fe07b7c
Instruction ID: d9c3544d5a338bd77272b7a1d695b71330bba69669074c53f84123004118feca
Opcode Fuzzy Hash: 9d91f7980fe4458bdedfe511a113105feaf0fcab139ce23460b179937fe07b7c
Instruction Fuzzy Hash: 05216031B046159FCB14EB74D951AAEB7B6FB88740F104D69E007AB348EB70A849CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02928830, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e5b7ddb4002730f62f15220fd7edf3ba8dbd0e9309cfabfaa1b7360303b2c8
Instruction ID: 77519a9fcab8341913c2325de5f3962386bb9b4ba0b51b54aace0b06f657dc3b
Opcode Fuzzy Hash: c1e5b7ddb4002730f62f15220fd7edf3ba8dbd0e9309cfabfaa1b7360303b2c8
Instruction Fuzzy Hash: 4E215770A40214DFD758FB78F44896D7BA6FB84315310892AE427DB398DF399C05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02926EE3, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738e0a9db13f35da345b164e37a13d45aa0c622924877ac72bd00c82019599e3
Instruction ID: 51d94e993502f685a19d79cd7937b0f801a927df3d13beac8c67db2502ab713f
Opcode Fuzzy Hash: 738e0a9db13f35da345b164e37a13d45aa0c622924877ac72bd00c82019599e3
Instruction Fuzzy Hash: A3312D30A00305CBD714AB78E65526D3BA2EB853153148A6DE11BDB389DF76AC078BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02925B60, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79857c8bed29706e1fa99424202d741d8199e807f7b78a9fa5cd7c0e95f1c072
Instruction ID: 20a3f2de1828be27d496027ef0a871bb8d4c028b9e9674da58e4e7273e96a7d0
Opcode Fuzzy Hash: 79857c8bed29706e1fa99424202d741d8199e807f7b78a9fa5cd7c0e95f1c072
Instruction Fuzzy Hash: 1E21A171F001159FCB0CEB7985501BEBAE6AFC8350F55883AD40BE7384EE358D4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292FB60, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1c595df63cd67c6df83ea8d433ec2dbf3909e845ef7c9c80b2bd1b19cef68c
Instruction ID: 5ba4a8bce4b13017e579ddf54d1f4e493c7922ad779c4e2e8f40d81b792b1354
Opcode Fuzzy Hash: 5b1c595df63cd67c6df83ea8d433ec2dbf3909e845ef7c9c80b2bd1b19cef68c
Instruction Fuzzy Hash: 36212B75D00608EFDB44DFB9C840AEEBBF6EF8C300F108429D916A7265DB329915DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02922C58, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1277f6e1cfc6ecb3cbc373289a571693753e43948b13a0d82a28821c388d11c4
Instruction ID: 5a53102510be2b29bd953a78b820ab86dbd523515172e0439a8910c4d6a130f8
Opcode Fuzzy Hash: 1277f6e1cfc6ecb3cbc373289a571693753e43948b13a0d82a28821c388d11c4
Instruction Fuzzy Hash: BC21F830E09361DFC715CB24DC94979BBA9FF45210B1589E7EC46CB259C7719C08C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029221E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5287dad305072e48266a6d26a6e3fed222b3ecc29effa5e34ffcda79fe655311
Instruction ID: 4730e0f9475dfb87b7c381917cfbbb0b288e4bdb66497775541298ffc831dfa6
Opcode Fuzzy Hash: 5287dad305072e48266a6d26a6e3fed222b3ecc29effa5e34ffcda79fe655311
Instruction Fuzzy Hash: E8315E70D08219DFCB48DFA4C5456BD7BB1FF44300F50446AD802D72A9DB769E49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029225DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ae6c0427aace7d98086a33d5751103516a7be6d148a830b501619a83d12a52
Instruction ID: c253b9dfe69d4e9a3c19f92391288c11d4bf644e2d0b9e6b69bb6b556e4246ff
Opcode Fuzzy Hash: 48ae6c0427aace7d98086a33d5751103516a7be6d148a830b501619a83d12a52
Instruction Fuzzy Hash: D3318C70E04355CFDB60EF65D84439ABBA2BF84314F14C129C405AF369DBB8994ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02928DC6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b4cb1934e860e63824218b55c0a0ad16ec3f55da79d4a87a80ad3b4366183f
Instruction ID: 1660a76d256eac6b2edb7be74ffc518eab6faa10b1b8e69b84b0977500bcd75e
Opcode Fuzzy Hash: 37b4cb1934e860e63824218b55c0a0ad16ec3f55da79d4a87a80ad3b4366183f
Instruction Fuzzy Hash: 13316B70E01269CFEB10EF69D44435EBBE2FF85314F24C52AC4159B258DBB89849CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292EF00, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2fb91db0419488c87ec4846c8a4705e383b40f8f8639fb2432c5363aa34e11
Instruction ID: 650881d4e2880da16c561f11fe22391c289318b59ad5625283a9c41edbc02414
Opcode Fuzzy Hash: 8a2fb91db0419488c87ec4846c8a4705e383b40f8f8639fb2432c5363aa34e11
Instruction Fuzzy Hash: 3721B530A04266CFCB15CB28C4807E9BBF1BF84354F28457DD489DB299D732A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0292B240, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9b4514ad996a1d5fc3c9dd33242bc2f86cfb8a3bcc117272ba1fc3387a27eb
Instruction ID: bf23dabeef4ea8c28cfdcb5ac55e788015ae9a989aacad782d87430d45a2bf85
Opcode Fuzzy Hash: 8c9b4514ad996a1d5fc3c9dd33242bc2f86cfb8a3bcc117272ba1fc3387a27eb
Instruction Fuzzy Hash: FB21C0B2E0462A8BDB04DB99D8945AEFBF6FB8D314F10812AE455E3344D334AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0292EF10, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e02bcd7181fe597addaafa41a3463f6ad2a6e9e94fceaca7a498294ed0652d
Instruction ID: e1980190fd459f0f694b7dffb8309f661078825fd4cf5c8fc2dc274c7ff932a0
Opcode Fuzzy Hash: 29e02bcd7181fe597addaafa41a3463f6ad2a6e9e94fceaca7a498294ed0652d
Instruction Fuzzy Hash: 35215030A05225CFCB65CB698480BEAFBF5BF88354F284579D489DB358DB31A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0292FEC6, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05633e5f36807d90ade45d3bd0107287cc4bb05a846a524767a42b437fad880d
Instruction ID: fc2da927d00ca8f5f6a2db86551a5f76ffdc77bb196c568625f7727a61a9be38
Opcode Fuzzy Hash: 05633e5f36807d90ade45d3bd0107287cc4bb05a846a524767a42b437fad880d
Instruction Fuzzy Hash: A431A339600204CFDB05DBA8C580EADBBF6BF88324F165194DA15AB366D731EC85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029254F8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca0a976eff8a36969523046dc62d115589677645072a6ab207a037507d3a39
Instruction ID: 8c7309f7f618f3323507d33c22d6abcbf8542c051ecaa49e949a2dc06c08347c
Opcode Fuzzy Hash: cfca0a976eff8a36969523046dc62d115589677645072a6ab207a037507d3a39
Instruction Fuzzy Hash: 6E21C031A112548FCB14EFB8EC41AEE7BB6BF88315B54446AC109DB259EB315912CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02925840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc4b197e14c27011a185f8b1efde0d6fe6d0d8bfc9bd9a9d4b0d36a0739a879
Instruction ID: 14a8d765b1155717c76c11ec47bd3cd8b865ca14280e0e30403707c1512b5962
Opcode Fuzzy Hash: cbc4b197e14c27011a185f8b1efde0d6fe6d0d8bfc9bd9a9d4b0d36a0739a879
Instruction Fuzzy Hash: C211BE30B021249BCB0CB7BAD85053FB6EBAFC8320B95493994179B399DD719C0987A1

Uniqueness

Uniqueness Score: -1.00%

Function 02929F30, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c08b12ffa51f8769e8e5d09301d9e4f5fada1072d987f2f368d7bfbd84bd74
Instruction ID: 81d714b5c98bcc70df7b47ae85aafcb07822c927e6c30dda2d6aff8ee8589c1c
Opcode Fuzzy Hash: e1c08b12ffa51f8769e8e5d09301d9e4f5fada1072d987f2f368d7bfbd84bd74
Instruction Fuzzy Hash: 33212C70B002018FD748EBB8D46456D3BE7EF8A6297604068D40BDB3A5EF25AC4ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0292A660, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cffe1919672c8ef2820ca24536630d14f6f610e13a3970f3a3d4ff9b44cc9c2
Instruction ID: 76de61504c179164f7feeb19077bd80c6e07aeb6a19a6743135910df48e13265
Opcode Fuzzy Hash: 5cffe1919672c8ef2820ca24536630d14f6f610e13a3970f3a3d4ff9b44cc9c2
Instruction Fuzzy Hash: 1711B432B04225DFDB149B74D9516AE77B6FB88340F104C6AD503EB389EB719C08CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0292E7D0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba884fc973e1fb3fad0a4beb392f47abf1147037b98f7920ab980fb9948f23c2
Instruction ID: 6fc5b7d36fa4e75fb5ab4963a6d87406c6e7e72e5b711a8f2c83ca36141f3122
Opcode Fuzzy Hash: ba884fc973e1fb3fad0a4beb392f47abf1147037b98f7920ab980fb9948f23c2
Instruction Fuzzy Hash: 9D215130A01124DFCB54DB98C5846BEB7F5FF88310B20846AD4C6E7208D731BD09CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02925000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e12d75f1079ef7392537acb938a77f6a150e7009c71bf16a42ce03cd8859afa
Instruction ID: 9e973ec6f3b68f5f89c50728530940376342f44b7c3d068a088f165720773f4d
Opcode Fuzzy Hash: 1e12d75f1079ef7392537acb938a77f6a150e7009c71bf16a42ce03cd8859afa
Instruction Fuzzy Hash: 4711B731B401258FCB48EBB89C5076E7BE5AB84610B954475C80ADB389DF305C46CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0292E3B8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be28619bf92ab97ef64cb289d49024986669555723b4f8302193fbea4a528307
Instruction ID: 365ec44f6d4e2102889cc782eff36b38a43039737d11d618fce68cca11db821a
Opcode Fuzzy Hash: be28619bf92ab97ef64cb289d49024986669555723b4f8302193fbea4a528307
Instruction Fuzzy Hash: D8216D71E04218DFCB14CFA9D5847AEBBF6EB8C355F249439D449E7248D734A84ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0292E7C1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a81199d31b210842868d150249455e7677daaa45622a76ce4c96a9b17b72e2b
Instruction ID: 72b3634a8790fd70d2bf8e9493b311ea2e2d69dfb45fb36a54263df0d10793b8
Opcode Fuzzy Hash: 8a81199d31b210842868d150249455e7677daaa45622a76ce4c96a9b17b72e2b
Instruction Fuzzy Hash: B4117F74A01124DFCB64DF59C5C46AAB7F9FB48310B20846AD5DAE3208D331BD0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029248C8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fb27e9e1caf373b6eb4a439d59742980a12a90f0f201e94e6f8d096e1d11d9
Instruction ID: f94d976882d560ef0f53a2014cf242b5da5875dad46438278b0dcfa9623cc2b2
Opcode Fuzzy Hash: 96fb27e9e1caf373b6eb4a439d59742980a12a90f0f201e94e6f8d096e1d11d9
Instruction Fuzzy Hash: 9D11CA35F041289BCF05DA68D9505FE7BB7BBC4B10F045429D507B7244DE311E0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02929F40, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caafc2ed34690ae24bd8aba86b3a2c7b093179995dd3748066e535d96fd89a0
Instruction ID: d24cfa04b2700e9cec78ce4db816750564bb692bbd0d3e1ca18057c3e59b1d83
Opcode Fuzzy Hash: 5caafc2ed34690ae24bd8aba86b3a2c7b093179995dd3748066e535d96fd89a0
Instruction Fuzzy Hash: 50112B34B00101CFD748EBBCD46452D3BE7EFC9615B604068D51BDB3A4EF20AC4A8B56

Uniqueness

Uniqueness Score: -1.00%

Function 0292CA88, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801b74b712306507beac76fc4f7de5cd25f947ba51d5fb3a68d07591cb1986ca
Instruction ID: 5f547a269b0029e0138287a0515a000f9a01462576615c1558b118408321deaa
Opcode Fuzzy Hash: 801b74b712306507beac76fc4f7de5cd25f947ba51d5fb3a68d07591cb1986ca
Instruction Fuzzy Hash: E8117331B041209BC748EB69D854A6E77EBEFC8750719806AE80ADB359CF32EC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 0292F208, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43143deadc591bbf93c06f12427a32f226ba38dc6c30da17f4441b814e727311
Instruction ID: 42ee90957dda05a61ff39294ec0426d1a64581a9be8507170492a29170a9eab6
Opcode Fuzzy Hash: 43143deadc591bbf93c06f12427a32f226ba38dc6c30da17f4441b814e727311
Instruction Fuzzy Hash: 78112274508368AFCB429B65AC00B9A7FF5EB4A300B158097E049DB1AAD7308919CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0292CBA8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c9c145517e61b23fd7e2ac44ce4f96ad389cbe425ce1558f22563755dfb373
Instruction ID: 41e8d098cf846faa321b54e3a716cd38534fe944e5e91021268ec327c7e039b7
Opcode Fuzzy Hash: 34c9c145517e61b23fd7e2ac44ce4f96ad389cbe425ce1558f22563755dfb373
Instruction Fuzzy Hash: FE1101302082409BC618E738901062D7B9BDBC6309B458C6EA48FDB399CF32E80BC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02920B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d82efbccc8f7f85a68b84c3c20679bac5bea5cc492cf7d5ed9f07b77ce22d7a
Instruction ID: e73eb4b0524bde47bfa6d6075af00e25620caec0c0549ac939c910450c58a34b
Opcode Fuzzy Hash: 7d82efbccc8f7f85a68b84c3c20679bac5bea5cc492cf7d5ed9f07b77ce22d7a
Instruction Fuzzy Hash: AE11C431F98135EBCF30567498517BE72A99B64788F104C6E9843EB688FA70C90CC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02924520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8af71544fa6cf2c183fd9dce2fbf4f37bc268b95b67d096599a683ab8e40d58
Instruction ID: 8819f6b77aacab38f3b1690ccc8749fbdda38757628906a5efb935eefa8990bf
Opcode Fuzzy Hash: c8af71544fa6cf2c183fd9dce2fbf4f37bc268b95b67d096599a683ab8e40d58
Instruction Fuzzy Hash: A101C032E041248BCF04DA59D4106EFB7AA9FC9721F04403AAD46EB348DA729D59CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0292FC58, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58fa0386132281be75642fb136bcd064a20bc0e082350d5fd0c2b38c5ac187c
Instruction ID: f1af8b058c536401ff71abbe6090fec8532269bfa03e1830d82742b8bc9eb50b
Opcode Fuzzy Hash: f58fa0386132281be75642fb136bcd064a20bc0e082350d5fd0c2b38c5ac187c
Instruction Fuzzy Hash: 3F11B630A08359CBDB15DF64C4447AFBBB2AB84314F14587EC906A7B88CB755948CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02990845, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498970907.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542a607eaddb991b5acc1e80845c1236d95f5e8d8d54fc5a77fea40c812389ee
Instruction ID: 87ecf575fc8a9ac62dd32151af2192191259445d506190173a21fb4b2806770a
Opcode Fuzzy Hash: 542a607eaddb991b5acc1e80845c1236d95f5e8d8d54fc5a77fea40c812389ee
Instruction Fuzzy Hash: 6F215B3510D3C08FDB078B68D860B55BFB2AF4B218F1985DAD5898B663C336881BCB52

Uniqueness

Uniqueness Score: -1.00%

Function 0299087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498970907.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5139e1654bac09c401402de4772be83dc7e24f355b00704a1713f131a05acc
Instruction ID: ebdac832d61592ecd53cf695ab12913efb56620dd46fa48489d1718e09149a93
Opcode Fuzzy Hash: db5139e1654bac09c401402de4772be83dc7e24f355b00704a1713f131a05acc
Instruction Fuzzy Hash: F0112931304244DFEB05DB18C444F26BBE5EB98728F24C99CE9590B742C77BD853CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0292CBB8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da82281bd377f350250b4bf04e92510a1c3d3dd3ce71df25db5bab201608e05f
Instruction ID: f0d230c6f1af9ebbd70974b1e565537e1daa30eaf6e9cfa7201faf8dec09ea38
Opcode Fuzzy Hash: da82281bd377f350250b4bf04e92510a1c3d3dd3ce71df25db5bab201608e05f
Instruction Fuzzy Hash: 2411BC303082549BD218E728901057DBB97DBD27087458C6EA44B9B395CF72EC4BC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0292572F, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee534610f58304216743a29b87a49a0ba0eb919e9707a8cefea34db74638cc36
Instruction ID: 1419f2db161940dba49141247a244361955267e16cd139ea9cb3658f220e57ec
Opcode Fuzzy Hash: ee534610f58304216743a29b87a49a0ba0eb919e9707a8cefea34db74638cc36
Instruction Fuzzy Hash: 95119D30A84344CFC728EF74E8407AE7BB5BF44344F60446AD405EA299E7369D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029246A9, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42941d937df0a18ac375cc25589d620e628d7ae44e0e74a0e677076c5ba0a51f
Instruction ID: 1dc92d9f94e3e001d126f72554806f3470565fcc8581ff2ef1776967b5d6f52a
Opcode Fuzzy Hash: 42941d937df0a18ac375cc25589d620e628d7ae44e0e74a0e677076c5ba0a51f
Instruction Fuzzy Hash: 5F01F93224A3604FC7125B75A8047F93FB8DF83675B1814FFF84ACB256E626484ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 029248B9, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819ec92f1ad0daccca79880b024c1b72693eeea58bf4badec75c480e4a934558
Instruction ID: 52dde7da287163c289b32bd2f39f5dce15a11e175123a73c31f84fb53ba63596
Opcode Fuzzy Hash: 819ec92f1ad0daccca79880b024c1b72693eeea58bf4badec75c480e4a934558
Instruction Fuzzy Hash: 6501D631B012249FCB09DE78D8545AE7BA6BB85B10B41583DD403BB284DE241D0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0292C7A0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93934775042d5d9ea3de4545d95696b83750121e8ac95dc88455d38d67792f49
Instruction ID: 85302b4d3ebc37f3e68ff37072f5e39cb7ef714ea1fba866b8a50b680100c60b
Opcode Fuzzy Hash: 93934775042d5d9ea3de4545d95696b83750121e8ac95dc88455d38d67792f49
Instruction Fuzzy Hash: D911E574740250DFE319BB38E5187393BEBE7DA315B0545A8E40ADB389CB759C42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0292FF21, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4389a037d33718fb95db7f4a2a2194e07dde65bcbe857edcbccf7864fa2b6b68
Instruction ID: 498acbc001e613d0b74907aeb2a0b511a6cb272166febd486ae4978684264a61
Opcode Fuzzy Hash: 4389a037d33718fb95db7f4a2a2194e07dde65bcbe857edcbccf7864fa2b6b68
Instruction Fuzzy Hash: 65112270B0132ACFDB01EF68CC44AAEBB7AEF86B00F144976E5159B245CB709C08C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0292DED8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4869d13d16cb44f0b70ba16dfa46189d2015a17ad1d1c9954997a58bf9ea17
Instruction ID: 4698bd8d83aada87a9ebf42544615a33aa6c3e31b37a342e7f03798374663b96
Opcode Fuzzy Hash: cc4869d13d16cb44f0b70ba16dfa46189d2015a17ad1d1c9954997a58bf9ea17
Instruction Fuzzy Hash: 4301F572B01320AFCB0827B5980426F3BAAEBC9754B24483AE406C7395CD358C0687B0

Uniqueness

Uniqueness Score: -1.00%

Function 029211DF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8ea45713569b9952483d73d06c83029e6a68f62293900eebd022cd01cd8914
Instruction ID: 9eda7a6d2e62bddbc898b518d691668376d882c1b2414bf3a697e17385c7cbdc
Opcode Fuzzy Hash: 4b8ea45713569b9952483d73d06c83029e6a68f62293900eebd022cd01cd8914
Instruction Fuzzy Hash: 901130303092A0CFC7469738D4589697BF5AF8620072945EBE046CF6BACA755C19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02925CCF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36a51826d89fa6b6da559a7d3661181b97a817c81b8a370eabd8d4668803078
Instruction ID: 958a13a9715517b0c8a991a1c9b9714508d085679137ed1eee844d737e4d76bd
Opcode Fuzzy Hash: b36a51826d89fa6b6da559a7d3661181b97a817c81b8a370eabd8d4668803078
Instruction Fuzzy Hash: DA01C071E042208FCB41DB7C94443AEBBF5EF89324F51047AC409D7206E63958058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292C791, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dd33a7e36545d65d7552d68c31598d1cf02f64c2e9f20a2db3d3cda7b4920e
Instruction ID: 81649e5596ad8b8fef515ac61d12f83ec394b447b72bda983f8693d047c52ea2
Opcode Fuzzy Hash: 33dd33a7e36545d65d7552d68c31598d1cf02f64c2e9f20a2db3d3cda7b4920e
Instruction Fuzzy Hash: B011E5B47003A0DFD3266738A4187293FEBEB9A325B0601A6D45ACF3D9DB749C46C754

Uniqueness

Uniqueness Score: -1.00%

Function 02929E97, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98497c82e628bbc37f2417a78e975ae313927364ecdeca9e1a709a17c3399739
Instruction ID: 6a9dbd22acc6bfd08cbfc05213f2ddd410c3f50c7dcc2e99e1ecc35980b77c27
Opcode Fuzzy Hash: 98497c82e628bbc37f2417a78e975ae313927364ecdeca9e1a709a17c3399739
Instruction Fuzzy Hash: B4016D30B00241CFD749E7B8E06412C3BE7EF8921575500A9D50BCB3A5EF649C0A8B11

Uniqueness

Uniqueness Score: -1.00%

Function 02924789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec037bd873bda895493833170d5dbb1eb2f5aed385ebf238bc6e28302492f98b
Instruction ID: f7acb702aa00590da3c244dd89eca78fac4c94694abc63b0044df642c8adafd3
Opcode Fuzzy Hash: ec037bd873bda895493833170d5dbb1eb2f5aed385ebf238bc6e28302492f98b
Instruction Fuzzy Hash: 24012131E412588FCB55EF7994542AE7FF2FF89310F20447ED40AD7241EA394A46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292DEE8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f4a9210046e0d96f72047f3bd3b185782d48e5177bdb2c83a3348b25f29865
Instruction ID: 3e49ac498ea32846689ad01ca6bddbbf096165bf873f7195dbc95dc7964c8fe1
Opcode Fuzzy Hash: 06f4a9210046e0d96f72047f3bd3b185782d48e5177bdb2c83a3348b25f29865
Instruction Fuzzy Hash: 9D01F771B01324AFDB0827B5980856F769BFBC8760B244839E407C7354CD318C0683B0

Uniqueness

Uniqueness Score: -1.00%

Function 02925740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0631cede05e9ab34c631adc06fd12aec59532edcb1653347b9c6dc907814001e
Instruction ID: 04b9180ce7d7b20d6ba0e390c64f104a8f788bf3484a380881204639ffb6e2d2
Opcode Fuzzy Hash: 0631cede05e9ab34c631adc06fd12aec59532edcb1653347b9c6dc907814001e
Instruction Fuzzy Hash: 29118E30A40208CFD718EF75D8407AE7BB9BB48340F604429D405EB288D732AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02928438, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948aa6034e9a9593e126d747f898cad30e32b9a73e6d6f51bed05cfbbb04aa81
Instruction ID: f9b231e58a4edd18f9ec7a5f84dc589ccc752cf00579cb20bdcb7bcdd10ac323
Opcode Fuzzy Hash: 948aa6034e9a9593e126d747f898cad30e32b9a73e6d6f51bed05cfbbb04aa81
Instruction Fuzzy Hash: 55012471A041249BCB14DB54C950BBFBBB6BBC4354F18482EC00FA7288CB716D09C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0292A5B0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fae3e43df915bdd6f12554b134453837eb3d5c9deb5b842a7023097c1aeb481
Instruction ID: 11f38ca16b9666342728b8f1e2589ecd7a6dcf814ac05e52ece73946bda9d6d2
Opcode Fuzzy Hash: 1fae3e43df915bdd6f12554b134453837eb3d5c9deb5b842a7023097c1aeb481
Instruction Fuzzy Hash: DC019E32A04624CBDB149B58C550ABFBBB9AB85214F14486EC507E7388DF31AD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02929D09, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0bb32dc79355a63071c706d0d55ad83099ce6f649c0693b9bad3f5539783d9
Instruction ID: d19b0c0a19bf2f01d85c3597958eeeeec074b8aee056a7ad130046674314ef02
Opcode Fuzzy Hash: 5f0bb32dc79355a63071c706d0d55ad83099ce6f649c0693b9bad3f5539783d9
Instruction Fuzzy Hash: 5A016D74B00101CFD749E778D02462D3BE3EF8922576540B8D80BCB3A4EF249C4ACB46

Uniqueness

Uniqueness Score: -1.00%

Function 02929D18, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed469a41ecaadf485a32f6cdbbccc13aa575c29bbace961f060e38ffc0c0f9ed
Instruction ID: 5c32678695166abea79f3deb990bff4e679654cfc82d5b35faf29043ef351a97
Opcode Fuzzy Hash: ed469a41ecaadf485a32f6cdbbccc13aa575c29bbace961f060e38ffc0c0f9ed
Instruction Fuzzy Hash: 63012170F001108F9748F77CD02452E37E7EFC96647644068D50BDB3A4DF24AC4A8B56

Uniqueness

Uniqueness Score: -1.00%

Function 02925508, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8db02bf6c250d57745afbd78c41e5b57dc813376dd14969d5cdbb4084fda7b
Instruction ID: 4664f93da0dee81f021f8d57d184ac9725678d51313231fe1e2d61659f555488
Opcode Fuzzy Hash: 5a8db02bf6c250d57745afbd78c41e5b57dc813376dd14969d5cdbb4084fda7b
Instruction Fuzzy Hash: FB112930A512489FCB08EFB9EC45BAE7BBABB88300B544829D50ADB259DB315951CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02929EA8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b463adebac40c66736dba4fd4640af6153bf1f5daf58754fe1eb07b431417a
Instruction ID: 68c5b8c3dcff42cbd9ccfb12117f5968f086b6b65aecd5528954fd55a201260d
Opcode Fuzzy Hash: 16b463adebac40c66736dba4fd4640af6153bf1f5daf58754fe1eb07b431417a
Instruction Fuzzy Hash: 52014F30B00110CFD748E7BCD46492E3BEBEFC96147504478E50BC73A4DE65AC098B55

Uniqueness

Uniqueness Score: -1.00%

Function 0292451F, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb942bebaebb564fd0343d53f1d33cb42c22704432cd32eb73f42f29497c816
Instruction ID: 4a319cc5c9dc792d682e338871cbe24bbf02a31943a9c15f48b6e235e86dbfea
Opcode Fuzzy Hash: 1bb942bebaebb564fd0343d53f1d33cb42c22704432cd32eb73f42f29497c816
Instruction Fuzzy Hash: 4001D632F041208BCF149A2994106BFB3AA5FC9611F14457EAC87D7348DE718C19CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0292AC60, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ae8ed60c9347c02ce695a85ccd4be8b4bee577708263ab32d86f40d99810c3
Instruction ID: 97159f3e3e1d5b35214d43ae1cb6d7d132ec9fa25221d2f3cbea26bb62b96ba4
Opcode Fuzzy Hash: 86ae8ed60c9347c02ce695a85ccd4be8b4bee577708263ab32d86f40d99810c3
Instruction Fuzzy Hash: 60014F72E002198FCF50EFB8A80579EBBF8FB84314F10453ADA18D7284EB3059448BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0292ADD0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3204ca8ed68a510738234a99e2e92edabbc1ee01219f06b7813822ca33f40af
Instruction ID: b5702660b205644beeb82ac2eb82096805bfcfdff7728e512fe1cde53df25e8f
Opcode Fuzzy Hash: f3204ca8ed68a510738234a99e2e92edabbc1ee01219f06b7813822ca33f40af
Instruction Fuzzy Hash: C6012431600244CFC305E738E41865A3BAAEF853293044569D54BCF2ADDF70CC0AC392

Uniqueness

Uniqueness Score: -1.00%

Function 02924798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c439b170b0673f10a22d2f48bd8a1a1e428bb3661fb79293925677e78844272a
Instruction ID: 3298f957a8242136533d556818f4330ac42df33c3d9345a5588efba87ca9fb3a
Opcode Fuzzy Hash: c439b170b0673f10a22d2f48bd8a1a1e428bb3661fb79293925677e78844272a
Instruction Fuzzy Hash: 1F012871F401188FCB54EBBD88402AE7AE6EB88350F204439C50AE7280EE354A468BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02929C20, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f5b9f21b75a29e560ca121b9dee8f89f7d4394ecabb9a733e34b890ff2b0d2
Instruction ID: 71a6e111b35798f8eb9db060c64bc0249f4e63d1c112b62dedbc9df395db7691
Opcode Fuzzy Hash: a5f5b9f21b75a29e560ca121b9dee8f89f7d4394ecabb9a733e34b890ff2b0d2
Instruction Fuzzy Hash: 81014F74B00240CFC749AB78E42856D3BE7EF8A22531140A9E817CB3A1EF399C468B16

Uniqueness

Uniqueness Score: -1.00%

Function 0292A5A1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa56c1db727b05e07d739ce6db57201ee7e05449de8f68928e934e2932e87223
Instruction ID: 2a95198afc7a319d90a8d8861485f4d37909fae2b806e50f62ab72855446892f
Opcode Fuzzy Hash: aa56c1db727b05e07d739ce6db57201ee7e05449de8f68928e934e2932e87223
Instruction Fuzzy Hash: 6B01BC72A04624CFD7189B28C150B7F7AE66B84304F14482DC507EB788CF359E4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02926DD8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2c5775c7bed1b4796df0580e5a38d60e57c29fd29cd67cd4b9492421a023bf
Instruction ID: 5c4d90c3bd56793bbe0c8022cbaaf0789964d47bb87a0c722787a7c014c3e14a
Opcode Fuzzy Hash: dc2c5775c7bed1b4796df0580e5a38d60e57c29fd29cd67cd4b9492421a023bf
Instruction Fuzzy Hash: CA01BC70E003188FCB10EFB8D9407AEBFF5AB44304F24416ED504E6685E7719999CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02926DE8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea1e498d54e8af73accbc49488119ace529eb41c3eebb40c611d065d9449988
Instruction ID: dc5ce36c593ee5e5fdb98f2ee562c79097b66db11ab823a2af49fa6476c76719
Opcode Fuzzy Hash: cea1e498d54e8af73accbc49488119ace529eb41c3eebb40c611d065d9449988
Instruction Fuzzy Hash: 14016D71E002189FDB50EBB9ED417AEBBF8EB84710F14413AD508D7285EB3099A4CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 029905CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498970907.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474ec5b90590c1034df5ae7ad283dd8b05c67886e0beea52b80b85b786f04feb
Instruction ID: 3117af41fb0de89c868facad2b347804706e14e352e769045dceeeabfb71e05c
Opcode Fuzzy Hash: 474ec5b90590c1034df5ae7ad283dd8b05c67886e0beea52b80b85b786f04feb
Instruction Fuzzy Hash: 3901D6B65097846FD7128F16AC50872FFA8DF86630709C09FEC498B612D225A848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02928428, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612b126ab2c02b412fabe568166f84d7f53e2031e08a14d6993e3b59c1884ee5
Instruction ID: 60daacab793f18c256273acb9cf8adcd4aee0cde36b81948dd4ef3eee867d2db
Opcode Fuzzy Hash: 612b126ab2c02b412fabe568166f84d7f53e2031e08a14d6993e3b59c1884ee5
Instruction Fuzzy Hash: BA01B570A042248BD709DB24C96077E7BF27F84358F18485DC45BAB689CB755D09CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0292AC50, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0112f5e5f05594b84b79dfb868dca121b7b0ca5e260bd7858a3c2fd9000cf9
Instruction ID: cbe45530882ea495c0a3d27a053825cf56a2604a9e3e70336b8b3e14ee15222d
Opcode Fuzzy Hash: 9e0112f5e5f05594b84b79dfb868dca121b7b0ca5e260bd7858a3c2fd9000cf9
Instruction Fuzzy Hash: 62014B72A00219DFDF50EFB8A8057AABBF9FB44314F10456AD918D6288E7348D45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02929E17, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2914bd0e42960e161f52a11ab532f30d2fb961fb903cb14a93cddc4e040a0af
Instruction ID: 34224894dac4b3c0377decd5f826b6166e4686af79248599770c9c0eb3944bbe
Opcode Fuzzy Hash: d2914bd0e42960e161f52a11ab532f30d2fb961fb903cb14a93cddc4e040a0af
Instruction Fuzzy Hash: 5D018C75B40111CFD789A7BC906452C3BD3EF896243A601A8D54BDB3E4EE24DC0BC706

Uniqueness

Uniqueness Score: -1.00%

Function 02921218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0498d014d1d18f82bcb099f83d4b1138970a51d48e1245abacbc510c47e21f4e
Instruction ID: 04666ca1a066091244241e8bc8a34efa112756f2cbc215fa6cb3b5e7422736b5
Opcode Fuzzy Hash: 0498d014d1d18f82bcb099f83d4b1138970a51d48e1245abacbc510c47e21f4e
Instruction Fuzzy Hash: F2011230304120CBC644972CD15896977EAAFC5710B2444AAF40ACB66ACF719C19CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 02925E1F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a21d6ae49a7e26bf2a879968f2efc62c4e9b63d3846784623557853940cfd5c
Instruction ID: ae89963a832f2bd5b562e6d4e03db42b6ef0ddae221d64f110f607e3a9104d6d
Opcode Fuzzy Hash: 5a21d6ae49a7e26bf2a879968f2efc62c4e9b63d3846784623557853940cfd5c
Instruction Fuzzy Hash: 3BF0C2B5E413159FCF61EBB9A8411EEBBF9EB84724B90417AD009D2210F6358516CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292F240, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae50b76e9c310d61cb865bc3d5d6faf7efababbd517ce760a8f89c1c3c05a23
Instruction ID: 647e1fd1577660d3e77609b4286f7234ec67906e4f6092dd405897183c64c8a6
Opcode Fuzzy Hash: 0ae50b76e9c310d61cb865bc3d5d6faf7efababbd517ce760a8f89c1c3c05a23
Instruction Fuzzy Hash: DD01D135804268EFCB82DFA498049DEBFF5EF0A310B1580A7E459D7161E7318A18DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 029267C0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afee2bbb8ffb880f10de84156afcfbd91be2625b0cfdc53d852b0833846a8e0
Instruction ID: fe4b28302fc21c6918882030d2c1360f1fa63eb10a80db1cbedbf0aa55230941
Opcode Fuzzy Hash: 9afee2bbb8ffb880f10de84156afcfbd91be2625b0cfdc53d852b0833846a8e0
Instruction Fuzzy Hash: FFF02B31A04725DFCB149B28DC401AABBFDEB85354F0044EAC907CB685EB326A05CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0292A701, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6816f7abf73e3b8f4f7e4837d5d3763c2ffb30079843fe8bb74b89b3e762a31e
Instruction ID: 9584b02b40553915301be52fc481f4e5127b6f7fc61d9c01c5fa58d14e13939f
Opcode Fuzzy Hash: 6816f7abf73e3b8f4f7e4837d5d3763c2ffb30079843fe8bb74b89b3e762a31e
Instruction Fuzzy Hash: AEF0A434F402149BCF04EB74E982A9E7736FB88700F208959E5029F289DF709D0587F1

Uniqueness

Uniqueness Score: -1.00%

Function 02926390, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1be8960b4d5044c8c8e3d57e05de92a78ea1385f397748b2b497a884489eda
Instruction ID: d4692826d6b6281fca3324551449842593307f1b73a1d4943506d77aafda0c6e
Opcode Fuzzy Hash: fa1be8960b4d5044c8c8e3d57e05de92a78ea1385f397748b2b497a884489eda
Instruction Fuzzy Hash: 9BF02B31A04624DFC700A639A9105AEB7ADDB85664F400479D917D7645FB325D05CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0292ADE0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f8e4f95336bf21598f6903f329ddf2a497130334a966bfee973fa0e3a6359f
Instruction ID: 7e4d928c36e44f5ef34e20c1ad5580110a57641486921fcbe15db6cbe5a62644
Opcode Fuzzy Hash: 87f8e4f95336bf21598f6903f329ddf2a497130334a966bfee973fa0e3a6359f
Instruction Fuzzy Hash: 77F0A931600218CBC610F778E0086697BEAEBC93257148879E50BCB36CDF71AC0A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 02929E28, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b4648535daeecd6e0b38b6c700fbad2c607c4fb5c3a6a1e5778e530d7c2cec
Instruction ID: 5bd8b19f2fc66112bec6b0f524dcd9f10db80d7f95b3075ea5ff3d890ba99a44
Opcode Fuzzy Hash: 01b4648535daeecd6e0b38b6c700fbad2c607c4fb5c3a6a1e5778e530d7c2cec
Instruction Fuzzy Hash: 94F05471700010CF9748F7BC902852D37D7EFCD6257A54078E50BDB3A4DE64AC4A875A

Uniqueness

Uniqueness Score: -1.00%

Function 029267D0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec342b9a5cf23ce0c9f795b10800c89f51ccdd2f849e7482bce66a394962a704
Instruction ID: 2dad1199737ff685f800a226dccc159020ff37d92ada16f5cb60551599ad8d81
Opcode Fuzzy Hash: ec342b9a5cf23ce0c9f795b10800c89f51ccdd2f849e7482bce66a394962a704
Instruction Fuzzy Hash: 69F0E931B045749B8B1456699C106BF7BED97C57A0F004866C907D3B48EF315A09CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02929DA8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae12bea110fb0ee957ef399c30a2ed406ddff52680b6189bbf195ddca8c3911
Instruction ID: 18168ffe4c3a51d1e60c70eebefaf23a5e62f36db963c826c547f45246a0514d
Opcode Fuzzy Hash: 7ae12bea110fb0ee957ef399c30a2ed406ddff52680b6189bbf195ddca8c3911
Instruction Fuzzy Hash: 39F0C230B04310CFD749BBB8E02455D3BE6EF8A264B5100A9D80BC73A1EE388C86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02928948, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f0b4ff4a629c1fa7adef671f2e2d75be117dc35f8152093dbc71a5f8611faa
Instruction ID: ccc4616703d535847141b221ffa8e658242fc4b47a3e4bad5f2d8cf11b09c903
Opcode Fuzzy Hash: 81f0b4ff4a629c1fa7adef671f2e2d75be117dc35f8152093dbc71a5f8611faa
Instruction Fuzzy Hash: 91F0FC7ED093658FDB2747B4E9183547FB1DB56251F0A0097C840E735AD6254D48C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02929778, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbcdc158114537d5770a835e118349e4dff22183c876f301db2a8cebe40d285
Instruction ID: 36bf575ffb6c37484c2c3ac177b5f4ad927979ad80dac2a42b70ae92db52d3b1
Opcode Fuzzy Hash: 9bbcdc158114537d5770a835e118349e4dff22183c876f301db2a8cebe40d285
Instruction Fuzzy Hash: 76F0C275F002068BFB04AFB8E0052AEB7E6DB80305F608875D901D7268FB359916CB81

Uniqueness

Uniqueness Score: -1.00%

Function 029284C0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c81320bb476ddf313e1b28ed31e02554763198c4f9b566ec95b9f1007f7b6bd
Instruction ID: a173ff528c56ca179ba5814f30cc607f300ef701b965848b009d79ff8b893f0e
Opcode Fuzzy Hash: 8c81320bb476ddf313e1b28ed31e02554763198c4f9b566ec95b9f1007f7b6bd
Instruction Fuzzy Hash: 2CF09030A09265DFC711CB7898448BABFF5FF9121072548ABD519CB62AD6319809CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0292FED9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff250bc82fdcf11ead47ba8b589b022fdefe23241e5e87bfe07776bd17d2eea
Instruction ID: e5e4b566a2adf5ead231014d7f70e2b89b599f2baefd54365644919bedfb32d5
Opcode Fuzzy Hash: 3ff250bc82fdcf11ead47ba8b589b022fdefe23241e5e87bfe07776bd17d2eea
Instruction Fuzzy Hash: 0AF0BB7210E3B1CA9727C62054205B3777A6A437203544AABD887C7D9ED720A84DC792

Uniqueness

Uniqueness Score: -1.00%

Function 0292EB58, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e0c05563bd4ad6205e8714974674ff36777c9c93c79c51b8de13167870939f
Instruction ID: c27e79b6332df3b982c81b6f5a1951f0a836f52ea649855a3d70a3e340ab4775
Opcode Fuzzy Hash: f4e0c05563bd4ad6205e8714974674ff36777c9c93c79c51b8de13167870939f
Instruction Fuzzy Hash: B8F027396042214FC725861A88606A8BBA9CBCB610310846FC59BCB346EF71EC0B87F4

Uniqueness

Uniqueness Score: -1.00%

Function 0292CA79, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f59df2828ccd45201168a247a7ce34ab04c51bc3c4ddf3a629d15f5c64c1537
Instruction ID: d4d2bd9418a1c71123f5b5b69b017d2acebca47656dc1ebbcdf55a9881377095
Opcode Fuzzy Hash: 6f59df2828ccd45201168a247a7ce34ab04c51bc3c4ddf3a629d15f5c64c1537
Instruction Fuzzy Hash: 6AF0E573B4452117C259726D9C0176F399B87C4B70759422AE80AD7389CE22AC0282F9

Uniqueness

Uniqueness Score: -1.00%

Function 0292B390, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7158c5182459f35feb04c56bfcb87ee1ef07785d7d66beaee40cbe07e4b96455
Instruction ID: ce0ba40e7018b9f139e4f1e203cd3b57700e80970a21c4a3fde77282795221b2
Opcode Fuzzy Hash: 7158c5182459f35feb04c56bfcb87ee1ef07785d7d66beaee40cbe07e4b96455
Instruction Fuzzy Hash: A3F02E72505B104FC3219E5B9811342BBF9FFC1A183158A6FC089C7106E770A90D47E1

Uniqueness

Uniqueness Score: -1.00%

Function 0292EBA8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b42b564cfaeb5d129ab4b206f2940ae21411184b09cc62ae2c75a24c7f6a390
Instruction ID: a38a789c1f2b16860db8a63041601060aed221678ddb489642d89ffcc8265ddd
Opcode Fuzzy Hash: 4b42b564cfaeb5d129ab4b206f2940ae21411184b09cc62ae2c75a24c7f6a390
Instruction Fuzzy Hash: FEF0E232A09134CBDB31965AE4C03F5B798EB80212F10587FD8DB86589CB756C08C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 029255D9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaa9b55f93d296eed5d3bb350ee88c1d7c863881cb3de5834eb740e0dabc4ff
Instruction ID: b3188573f3f158c39c44d29f39a5e1e44232ed4e724b028c46426f952b85420b
Opcode Fuzzy Hash: 0aaa9b55f93d296eed5d3bb350ee88c1d7c863881cb3de5834eb740e0dabc4ff
Instruction Fuzzy Hash: 51F0ED72B013186FCB426A3CA8141EFBBE9EB85338F2004BEE505D7241FA62591686A0

Uniqueness

Uniqueness Score: -1.00%

Function 02920908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69348373cd537ff78ace6ba4df1a4666acaf75a77a36a80e9ec38bb77c7ed5d4
Instruction ID: 1393386a4a348d2cd08a07d755d91aa41cb6a550097a7ca1d537df58a2c3d602
Opcode Fuzzy Hash: 69348373cd537ff78ace6ba4df1a4666acaf75a77a36a80e9ec38bb77c7ed5d4
Instruction Fuzzy Hash: 90F02730914324DFD3509BB8D80896B3FF9AF76350B020CA79803EB218CA796C0EC791

Uniqueness

Uniqueness Score: -1.00%

Function 0292BFA1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e63c9eb643e03f585a9020a6f9f3cd8266ac4a1a757830467430bff29bbe3f
Instruction ID: 4ad6847b606563b7d57c07049873c5fb6710436f52f523f9976601499afcc7fb
Opcode Fuzzy Hash: 25e63c9eb643e03f585a9020a6f9f3cd8266ac4a1a757830467430bff29bbe3f
Instruction Fuzzy Hash: 04F09072A00B214ED328DB1FE41039BFBD29FC8215B04C83BD49EC2628E73495098B80

Uniqueness

Uniqueness Score: -1.00%

Function 0292A3A1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cebf9542c9006959c4c402ad2fa4e6f2ca111426d220267d42a6a0f0aed7f7
Instruction ID: 59029fc5fddb0476e43ced450dda6a2ed48f1d209ad8b36840ad881ec8482cf3
Opcode Fuzzy Hash: d8cebf9542c9006959c4c402ad2fa4e6f2ca111426d220267d42a6a0f0aed7f7
Instruction Fuzzy Hash: 08F0C2716093848FC309A774A4241783F63DBC232931884AED04ACB2D3DF69980BC755

Uniqueness

Uniqueness Score: -1.00%

Function 029293C8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4f9a0653800ecf47a97f0f0ddd58a279fcb33b83b977123566bc8703eaee5
Instruction ID: b554f79bc83f6c3e0a2df512322407e03d4c3fa7532216be5192f7801bb8ad55
Opcode Fuzzy Hash: 14b4f9a0653800ecf47a97f0f0ddd58a279fcb33b83b977123566bc8703eaee5
Instruction Fuzzy Hash: 3BF0BE3051D2B0CFE720470894A85707BE49F02206F2988ABD09E8F966D269CD48C751

Uniqueness

Uniqueness Score: -1.00%

Function 02925CE0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7809419af6f3b1d5938efbecb4172098d89117ad15523674dad055aed7f3e7
Instruction ID: 80827a498593cb28fe86f271b566943ac33f33463390cd5734fbe412f34b4601
Opcode Fuzzy Hash: fc7809419af6f3b1d5938efbecb4172098d89117ad15523674dad055aed7f3e7
Instruction Fuzzy Hash: 13F03771E001155F8B80EBBD994469FBFF9EFC8760B55013AD509E3345EB3459018BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02929DB8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2773bd94e776e256307c7ce4e8f159860b1728e3b89a21e3e56a921287597727
Instruction ID: 275c281ace5a35cf5eb8c6ab900a33de5f541bc634ebf081998aed018b78f900
Opcode Fuzzy Hash: 2773bd94e776e256307c7ce4e8f159860b1728e3b89a21e3e56a921287597727
Instruction Fuzzy Hash: E1F08234B00214CFD748F7B8E01856D3BE7EF89624B600068E80BD7394EE349C458B46

Uniqueness

Uniqueness Score: -1.00%

Function 029245B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e71fd2da3d6b5f9ee3e887b8f110620c32402df67c1bc24eaa98c184e57affb
Instruction ID: 180f1e13523c90e888ab2f2b2a023cb75f5d6cfd92203f17662e19ea75f68b1c
Opcode Fuzzy Hash: 6e71fd2da3d6b5f9ee3e887b8f110620c32402df67c1bc24eaa98c184e57affb
Instruction Fuzzy Hash: 30F0BE30E893699FCB51CBB89C05AEEBFF8AF89210F1541AED508D7152E2744918C771

Uniqueness

Uniqueness Score: -1.00%

Function 02920918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc790804083635b49e48d448777958b3600a74708a061210e2f478f0d845249b
Instruction ID: cb655b8f1608cf2a3ae9a34db073cc5a99cf4414cf0c7e5d4292e02334f53d3d
Opcode Fuzzy Hash: dc790804083635b49e48d448777958b3600a74708a061210e2f478f0d845249b
Instruction Fuzzy Hash: 17E0E536A152389A9B2056F8EC045AFBBA997B5650F0048379D0BB3208DD71580E8291

Uniqueness

Uniqueness Score: -1.00%

Function 02925FD3, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422e6cfe2be05d2edbec14ab081d8decfea825622fb2e2b50f4eaf3f8b3c146e
Instruction ID: 2764219f6fcf55c00e6690ad6b2e7416f32317306de2921688e2437020e42bf4
Opcode Fuzzy Hash: 422e6cfe2be05d2edbec14ab081d8decfea825622fb2e2b50f4eaf3f8b3c146e
Instruction Fuzzy Hash: 2EF03A71E007099FCB50DFB9D8595EEBFF4EB49210B104476D109E3600E7354916CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02924700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63452c69198c3c5e62f75ab2b9be6277e46c9dcaaf6a3e99d779d0dd99796393
Instruction ID: 3631867fcf61f90fea3bdefcf9d16199e2ccee8bb5936cc337b49c507c2552e2
Opcode Fuzzy Hash: 63452c69198c3c5e62f75ab2b9be6277e46c9dcaaf6a3e99d779d0dd99796393
Instruction Fuzzy Hash: 95F0223624A3A08FC713127478107B93BB98BC7664F1514BFD802CF65AE96A4C8B8B50

Uniqueness

Uniqueness Score: -1.00%

Function 02926120, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e241ce9d4c07147288956f6095f733e54b5f3b02f74e24febf0f5a74f12f8559
Instruction ID: 3eeab56f3e136f931fede46d584c487302678888eb92a7c74312a58bb3b25872
Opcode Fuzzy Hash: e241ce9d4c07147288956f6095f733e54b5f3b02f74e24febf0f5a74f12f8559
Instruction Fuzzy Hash: A5F0A0307463A5AFC3076678542076ABBAA9FCB764B1404BEE145CB2E2CD624C438379

Uniqueness

Uniqueness Score: -1.00%

Function 02990938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498970907.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca624cdde786d3cca110bd12d8713cf029306db999023d3cee470ff76f838c00
Instruction ID: 8f6fcedb6c8157c3bff6d46b3b881888a725e283631fa6b4baed27833461daf2
Opcode Fuzzy Hash: ca624cdde786d3cca110bd12d8713cf029306db999023d3cee470ff76f838c00
Instruction Fuzzy Hash: 77F01D35204644DFC706CF04D540B15FBA6EB89718F24C6ADE9591B752C737D823DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0292F250, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61318b415e503b47f96029356b31997a7b5b38e2f16a3bf403e190b6a487ce8
Instruction ID: 66d5755e7704f8fc39502d7cfed58c87b28757522b13af5f412f2a5454890b63
Opcode Fuzzy Hash: c61318b415e503b47f96029356b31997a7b5b38e2f16a3bf403e190b6a487ce8
Instruction Fuzzy Hash: A5F09035800218EFCB81DFA8D8049EEBFF5EF09310B1080A6E559D7120D7318A24DF90

Uniqueness

Uniqueness Score: -1.00%

Function 029287C0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9427c9f75e39bd09e87f9b05cd6f1ee4638d5aed4df1efc7bb34542fcc9ebfdb
Instruction ID: 2bb019e3c943b933c8d343625133ac41d56aac5d0c32f4af6a2cd4b4f3179ebf
Opcode Fuzzy Hash: 9427c9f75e39bd09e87f9b05cd6f1ee4638d5aed4df1efc7bb34542fcc9ebfdb
Instruction Fuzzy Hash: 9DF0583040A31ACFC701BF68E880A953B65FB413147108C5AE422CF12CE7B5AD0ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0292EBE8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f144b78b01c4152a455e0ef0cccf8888f86f8be354732215e9281d2f025f8d
Instruction ID: dff566eb093cc894b7be3342df4f6e136433f469bf023ba0e207a1cb0bbcb595
Opcode Fuzzy Hash: c2f144b78b01c4152a455e0ef0cccf8888f86f8be354732215e9281d2f025f8d
Instruction Fuzzy Hash: D7E02B62E0817057EB35519EA8C87B67DC8A785320F15197AEDDB8B249C9503C48C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 0292A3B8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546d7335d0b6466c55f0045180287825356c31887b653f5042125484331daa96
Instruction ID: 110f58fed8efb538b651d674c114c42afd7ca55127797f31d847ea99b49ae4cc
Opcode Fuzzy Hash: 546d7335d0b6466c55f0045180287825356c31887b653f5042125484331daa96
Instruction Fuzzy Hash: 6DF03032604204CF8708B668A4149797B9ADBC6325358C87DE10FDB345DF76EC079BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0292CDAE, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e02515a12c747f3a0b42d03c2b496b78d5b654eb20cfd21d28bfbccff108e2c
Instruction ID: c7dd28133d6a92644407e3554337d9e497b511c1ec4c8cd009bab77e64b33536
Opcode Fuzzy Hash: 3e02515a12c747f3a0b42d03c2b496b78d5b654eb20cfd21d28bfbccff108e2c
Instruction Fuzzy Hash: B2E0D8677082B05B8615112D842577D3AAAEEC552131F149BD14BD7396CC159C0AC3A3

Uniqueness

Uniqueness Score: -1.00%

Function 02920D46, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c88f9649b44661c9462abcf5f2cf76550de7384d7a09676c4c3853e7ee8aeb
Instruction ID: 71b787073c410054f9230804ea5cdcfdb31761540e0a75215da55adf8eb8599a
Opcode Fuzzy Hash: 56c88f9649b44661c9462abcf5f2cf76550de7384d7a09676c4c3853e7ee8aeb
Instruction Fuzzy Hash: DEF01231714111CFCB409B28D448B987BD1FF89215B14946AE546CB26ADF719C498751

Uniqueness

Uniqueness Score: -1.00%

Function 029276FF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aec090bdc16123be4c25dcf793277f68cb7833e778bd37ce727e7e7e474d4d
Instruction ID: 420f1e5d84e575946d100feb36c038a85d2598ba0425e9b8ee4c7d88b4842676
Opcode Fuzzy Hash: c9aec090bdc16123be4c25dcf793277f68cb7833e778bd37ce727e7e7e474d4d
Instruction Fuzzy Hash: A2E03930F412206BCB44B3B999203AE76968FC4A14F90407DC906DB7C9EE314D0A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 029257A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb57452bfa92b1bddb01658b5995387297ef6decacaf38d17ccf7258b6770488
Instruction ID: 97549ac97f1090a45c9ca2e3423981a89f9df6f1a0f7b184b87af1aabe917d64
Opcode Fuzzy Hash: eb57452bfa92b1bddb01658b5995387297ef6decacaf38d17ccf7258b6770488
Instruction Fuzzy Hash: 67F0A030F84210CFDB48BB78E8103AC3BA6AF84204BA18425D116DA288EF312C09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0292E328, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7a719e6246a2a1ccb247aec146b3e48839a346d8e2383be492969f4cae95b9
Instruction ID: 819fd5cedd555ff906d9e01a2e19efea8be99417f8490addcc40556c9c40231c
Opcode Fuzzy Hash: ce7a719e6246a2a1ccb247aec146b3e48839a346d8e2383be492969f4cae95b9
Instruction Fuzzy Hash: 9CF0EC352187518BD712D324D17021D7F55CB86261314889EC5EECB2D2EF25A80AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 029905F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498970907.0000000002990000.00000040.00000040.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e2f314982ada1300d693f885b5cf28ceb896642dcb87c44f5b1df2d58d62d1
Instruction ID: 232ce0504498bcea1207d78f1018b67c3d6d5fb41a81e8534ac92d273bc385ac
Opcode Fuzzy Hash: e7e2f314982ada1300d693f885b5cf28ceb896642dcb87c44f5b1df2d58d62d1
Instruction Fuzzy Hash: 02E092B66006044BD650CF0AEC81466FBD8EF84630B18C47FDC0D8BB11E175B548CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 029246B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6d7e36039e6d02934934a9a621ee9823c1eb8576b915b915c6f37402090588
Instruction ID: 099e2abd67c96e32a20213401c0016d678da597be132804e7256844c7590b951
Opcode Fuzzy Hash: ad6d7e36039e6d02934934a9a621ee9823c1eb8576b915b915c6f37402090588
Instruction Fuzzy Hash: BFE08C313802209BDA2066FCB4287BE3699EF84760B141466F10ACB668DE5BDC0683D2

Uniqueness

Uniqueness Score: -1.00%

Function 0292BFF8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: 165720a323ed71979b41607c3071ea80402198311cd2f2228d8d6ef7abb54b8e
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: F6F0AC36640B109F8730DF5AD544C17F7F9EF896213118A6EE59A83A14D771F808CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02925FE0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3585eaa8355523899c10b41831f48f7ae16580d9f941712b7f9d5da39b4680
Instruction ID: f34ea4fa001ad4753a77fcdc02bed6bacb3df2f7208b5ba8a2057d11cc665855
Opcode Fuzzy Hash: 9c3585eaa8355523899c10b41831f48f7ae16580d9f941712b7f9d5da39b4680
Instruction Fuzzy Hash: 28E0C971E0030A9FCF50EFB9D8595EEBFF8EB49250F104476D109E3200E6355A158BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0292E338, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb75bac4dfaa9baac7c3b7fbe86b9385634fc1a0ce239444450efecd392ce63
Instruction ID: a79dd0acb360874cee71961dd032b5e8af48f2ab85ed271de4d745628e0058ae
Opcode Fuzzy Hash: ccb75bac4dfaa9baac7c3b7fbe86b9385634fc1a0ce239444450efecd392ce63
Instruction Fuzzy Hash: 0AE04F312006215B8624D659D56096E779ACBC6761314886ED45F9B341EF72EC0A8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02926770, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bab45dac0d9fa64ddaafffead55e171d578c6fc526c23d8db60a5a6c60704f1
Instruction ID: 9adae23ef762d9a6ccdc97d3db74646297ebb7a13f1037ce755c18ea2162f46e
Opcode Fuzzy Hash: 6bab45dac0d9fa64ddaafffead55e171d578c6fc526c23d8db60a5a6c60704f1
Instruction Fuzzy Hash: E5E0D87164C3A1DBD7011F68B8007D437DD9B41311F4504A6F50AC76A1DEDA4C8487B6

Uniqueness

Uniqueness Score: -1.00%

Function 0292EB68, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a5c361d4b2c7cfcbd68d322f9cf7da95daca1c33b2041251c4c9bad490ac45
Instruction ID: c36ff85240a59f430eb76f0edece8d3ead64488fa1c383600766a6a6694d409e
Opcode Fuzzy Hash: 76a5c361d4b2c7cfcbd68d322f9cf7da95daca1c33b2041251c4c9bad490ac45
Instruction Fuzzy Hash: 58E026313102205B8620D66EC46096EB7DACBC6720350882ED44F8B345EF72FC0A8BF0

Uniqueness

Uniqueness Score: -1.00%

Function 02926130, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e262a73510728761b406e6c94ccbdde85b1c976b1bc7c735ee7012ad9f915b0
Instruction ID: 2c4fb0dd43444bb5d607381cf6763d2381670182193349bd8bc0e299e5d30183
Opcode Fuzzy Hash: 4e262a73510728761b406e6c94ccbdde85b1c976b1bc7c735ee7012ad9f915b0
Instruction Fuzzy Hash: B7E0263074022867C205626D641172AB29F9BC9B20F100839E20987382CCA29C0283B8

Uniqueness

Uniqueness Score: -1.00%

Function 02928958, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6785193113fd34fae20736871a101ea2cb42f5c873b03ebdad4e2f15a65be0ce
Instruction ID: 610ee345fec07aa5e2bb0c6785cc54c27b6c6fca571a08987dde6235604da31c
Opcode Fuzzy Hash: 6785193113fd34fae20736871a101ea2cb42f5c873b03ebdad4e2f15a65be0ce
Instruction Fuzzy Hash: 59E09239F102318BC6A527A8E91871976E9E79C6623140026D906E7309DF708C018BF2

Uniqueness

Uniqueness Score: -1.00%

Function 0292FEE8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba56e45364579d786d3be9691d22febfc6e8cd1fef3e712d1ad24aee484310b
Instruction ID: 1e9a5ececf6b4611cff8f0ebd7cb0f9ad58e7cd960dce2d1adcb71d78ba30c3e
Opcode Fuzzy Hash: 0ba56e45364579d786d3be9691d22febfc6e8cd1fef3e712d1ad24aee484310b
Instruction Fuzzy Hash: D8E04F3220A736CB8225D55195108F3B27ABA427043505D7ED94786E0CD771F849C692

Uniqueness

Uniqueness Score: -1.00%

Function 029223A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd4c06c5386c426283db545ed72649f18de2d6659f98111259b78f63633d80e
Instruction ID: 3b904d755eff1a5c7a7953dbf590f694ec509e69e231eeb47d42721e2c7cb8eb
Opcode Fuzzy Hash: 9dd4c06c5386c426283db545ed72649f18de2d6659f98111259b78f63633d80e
Instruction Fuzzy Hash: 1CE06D70D142298BCB18AF68D940A9EBFB4BB48700F00046ED606E7344EA701844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0292CDC0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076ea352b25be5195222b2ef9c29995d7a89966c4d1b4c80c958369ae466136a
Instruction ID: 54d8f6dda3a1b149196b850f472c38192851d4dbc27c904997f8d0cafd9a416c
Opcode Fuzzy Hash: 076ea352b25be5195222b2ef9c29995d7a89966c4d1b4c80c958369ae466136a
Instruction Fuzzy Hash: 22E02B32304170974514611D8015B7E3A8EEFC857230B042FE10BC7398CD419C05C3F3

Uniqueness

Uniqueness Score: -1.00%

Function 029287D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0586b1318105d36b61c26050acabc00f16eb48997d01c501df8809bae2635ef
Instruction ID: f2c79af50fca0026c5e918e9d2b2d1261c4db78a7bd3858bf8d9958d5911ef90
Opcode Fuzzy Hash: f0586b1318105d36b61c26050acabc00f16eb48997d01c501df8809bae2635ef
Instruction Fuzzy Hash: 74E0757050921EDBCA04FB58E981EA93769FB50304B10891AA426CF51CE7B4AD09CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02926349, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30fc5f72af9c021ad7d6d23f9cf29c77ce2ece26e4d1a621a144e38faf9fb4f
Instruction ID: b214e9feb482b1a70921d27875d9b9c209ac5c83491824bcdf186c52728a21bc
Opcode Fuzzy Hash: c30fc5f72af9c021ad7d6d23f9cf29c77ce2ece26e4d1a621a144e38faf9fb4f
Instruction Fuzzy Hash: 57E04F35789350AFE705DB6898158B97B95EFC5314315849EE44ADB392C9A38C0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0292A8AC, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e921d735cd525c7ab411ae386017d769904cf4e59320c01fa6d06097ab96e6
Instruction ID: b42be0c6bd6f6d862e2e39664a952b4da824f741334764fa9666d9aadd1d0fd1
Opcode Fuzzy Hash: 99e921d735cd525c7ab411ae386017d769904cf4e59320c01fa6d06097ab96e6
Instruction Fuzzy Hash: 0DE086313096498FDF058F34E4946597FA1FBC5714B24809AD456CB15AC72989078BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0292B3D9, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234974a566189255649eb0e9c53b3f9bb5e1709dd6f760365b4fd50adb78349d
Instruction ID: 5d9ccd3678df34f91c823e04b10d6d4d03b9c1b314d244a220b69fe8ff553626
Opcode Fuzzy Hash: 234974a566189255649eb0e9c53b3f9bb5e1709dd6f760365b4fd50adb78349d
Instruction Fuzzy Hash: C1E08C3321101097D2241989F881B9E33A9EBD2766F44083BE50487A04D235A805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0292E378, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323634dd50e919b933a34699c7a6302367a64d696add88c0c5188552445a5fd0
Instruction ID: adb4d3da8825bab4f25840b51b27a4aa2dea08a2edef8f46802ca74a0f7d129b
Opcode Fuzzy Hash: 323634dd50e919b933a34699c7a6302367a64d696add88c0c5188552445a5fd0
Instruction Fuzzy Hash: FFE0DF2400C774CAC7114320628027A7FA4AB4A1137104D9BE4EBC51C9DB21A849C792

Uniqueness

Uniqueness Score: -1.00%

Function 0292AD20, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e855b5ec312f58691f841da6794504ab7935bc57f1cbe04bd5776adc801db1
Instruction ID: dc75373995b4042f8ac7b877914a2bf23cc2e4be81f2c01aa120c03da10aeaa5
Opcode Fuzzy Hash: 37e855b5ec312f58691f841da6794504ab7935bc57f1cbe04bd5776adc801db1
Instruction Fuzzy Hash: DEE0C231304228DBCB4476B8A4285297ACBAF9D712310006DD91ACB358DD328C054FA2

Uniqueness

Uniqueness Score: -1.00%

Function 029202A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a0d0eb77836f8f98a0f13f18f07c510150a2578781919276c166736b08fce6
Instruction ID: 98d7eb9943a7db3d7b9c529c2a748882fd9158d27d7fb95a2ebec1f8f4580370
Opcode Fuzzy Hash: 96a0d0eb77836f8f98a0f13f18f07c510150a2578781919276c166736b08fce6
Instruction Fuzzy Hash: D5E08C3050A760CFC3929B34F5554D13BF1EB46710306889FE052CBA65C760AC06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0292B3A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c0017e25749f45ae8c06baa55f3655678dc2a57324f1038e5382d391c906ef
Instruction ID: b930a984af81bca186705df511b9e395d04c0e6adc9e1cfb3d8c86be3c4cd0a0
Opcode Fuzzy Hash: d2c0017e25749f45ae8c06baa55f3655678dc2a57324f1038e5382d391c906ef
Instruction Fuzzy Hash: FCE0EC71A01B148B8334DE5BD901457F7EAFEC5B24714CA3E919A83614DBB1A9098AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02920170, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d048ed2d530c1f26e55b0e5cb6aff4ff7f2b84c1f5cd918798fe139ca09371
Instruction ID: 983f254315a1a986c3721bea4df0bc8d90cfefa7740f7aed23a7b374c8ff0132
Opcode Fuzzy Hash: 99d048ed2d530c1f26e55b0e5cb6aff4ff7f2b84c1f5cd918798fe139ca09371
Instruction Fuzzy Hash: 75E046341063088FC7072BB094180583BA1BE0A36831484EEE402CA76AEA3AE842CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02926780, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef529a030ae36b2b80d80bfeeff5dc6b8b79bb28e974089bfa32e1b8e9f4f14f
Instruction ID: 76ff8c6416795b9a692ccc37f26d9b8de0f9c14764a270c512653ad152d7359e
Opcode Fuzzy Hash: ef529a030ae36b2b80d80bfeeff5dc6b8b79bb28e974089bfa32e1b8e9f4f14f
Instruction Fuzzy Hash: E7D02B7025C3B5D3D6002FA874006E836CC9B40221F040465E90EC2754DED95C4083FA

Uniqueness

Uniqueness Score: -1.00%

Function 0292064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f1c668c33e43668d49918320ae468f391416f3176ddd79a1b50ab4b72546a0
Instruction ID: 1dd3cd2707177a6b8807561da730e25d71b5edc0588274679d574583ada91a84
Opcode Fuzzy Hash: a7f1c668c33e43668d49918320ae468f391416f3176ddd79a1b50ab4b72546a0
Instruction Fuzzy Hash: 50D05EB28493608FC3420B70580A0E47B64EBA2210B4689A2E50187931E67A6957CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0292E388, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cad4969c76dbbbcc6185285f652e017deca6263a21604602f8003e04cec1abe
Instruction ID: 7a71348b0456be97d0fcdb776610747bf916f4b35faf107041687065231d03a0
Opcode Fuzzy Hash: 5cad4969c76dbbbcc6185285f652e017deca6263a21604602f8003e04cec1abe
Instruction Fuzzy Hash: 89D05E31119634DBC7245655A2809B6BA98FB485137108C2EE5DB82648CB32B849CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 029257F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1638cd7571ed54b6e309ca9af6ff7d39e6998cc2f965451a4d9a1c95b9cbce4c
Instruction ID: 7c7e0e932a9e333c0ea2acaad82d598e4461b65c7b229e5732c08b82f219490a
Opcode Fuzzy Hash: 1638cd7571ed54b6e309ca9af6ff7d39e6998cc2f965451a4d9a1c95b9cbce4c
Instruction Fuzzy Hash: 84D01231F05214CBCF48A7E4A9551EC7BB19BC4128B515476C117D6254DF711809C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02926358, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086a25c616f64a8c87ba5ca322af911ac3fe0f98227bcd86537ea2de2b83ec40
Instruction ID: d122431fce6294de35daae1c7f9a0713cbcce71cec7b2c3d2cac6b0219768e84
Opcode Fuzzy Hash: 086a25c616f64a8c87ba5ca322af911ac3fe0f98227bcd86537ea2de2b83ec40
Instruction Fuzzy Hash: 85D0A7343801152FA604E5ACD811C7973CEDBC5624304846DB50EE7381CC63DC0247E0

Uniqueness

Uniqueness Score: -1.00%

Function 02927898, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0543de2031f7d855bce93aed25e64ff3c18de60e8eee1f001e74ca76acb29b
Instruction ID: d05bd2111c5ef6a27af47aa0cc5a3453238092b73de622337ec183b64c5a8160
Opcode Fuzzy Hash: 6f0543de2031f7d855bce93aed25e64ff3c18de60e8eee1f001e74ca76acb29b
Instruction Fuzzy Hash: 69D0C231408330CAE33546E5A480AF2FB996B42304F040D6E804655608CA61E08CC3F2

Uniqueness

Uniqueness Score: -1.00%

Function 02922D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f8c0dc047641eb0915c3168f2604ea4d78305a9d5b7bbfe9b600980006ce68
Instruction ID: d193260388b06cf854602d2331cff4ba5a19a93d58e8a7211a6cfe05587ecb88
Opcode Fuzzy Hash: 65f8c0dc047641eb0915c3168f2604ea4d78305a9d5b7bbfe9b600980006ce68
Instruction Fuzzy Hash: D1E05B3044D795EFC39247649C157E07F75DF07311F5948D3D44ACD0AAD656540DCB26

Uniqueness

Uniqueness Score: -1.00%

Function 02925DF0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35c40299936bf532d86329a5f862211ef10491605783ccfb75d53a482cfbffd
Instruction ID: d2a0c35028dc22d60b6999b08eb7a5dc73db84d855ec076f45e64d4bc5ff15b8
Opcode Fuzzy Hash: b35c40299936bf532d86329a5f862211ef10491605783ccfb75d53a482cfbffd
Instruction Fuzzy Hash: 89D0A7307B2231AB8B2967B814900BD32965FC57253D0097FA006CB385ED368C1247D4

Uniqueness

Uniqueness Score: -1.00%

Function 02924339, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bca41ba82d7e3590d9c7798ef567e552700278f92fefe348582f39137412433
Instruction ID: 2cd1c455b2c70dca82b655a107d9ef2c378d3586973bb8ec0f8e43f04f909d44
Opcode Fuzzy Hash: 9bca41ba82d7e3590d9c7798ef567e552700278f92fefe348582f39137412433
Instruction Fuzzy Hash: FED05B302493859FCB431770AD1849D3FB8BF4331431540D9D805DD162DE795905D739

Uniqueness

Uniqueness Score: -1.00%

Function 02925F50, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0350ce84d5a8a1a94234a7a672c94f9fe842c9d4dae556761a932d7ff23a89ce
Instruction ID: 6a597fb166f1d7707e767b27a0a7efe9a257c96ce219c021027c4f9eaa067501
Opcode Fuzzy Hash: 0350ce84d5a8a1a94234a7a672c94f9fe842c9d4dae556761a932d7ff23a89ce
Instruction Fuzzy Hash: FDD0A73010A7806FC3E3077068646D27FBCD70351438600F2D805C6432E6280C26D576

Uniqueness

Uniqueness Score: -1.00%

Function 02925DF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd73107b13687e50309139a52f54a46346aaaea8bb3da08580a9bd196303140
Instruction ID: 2149be0fb257c032e6160d8533c31480a59da1a5a307ee06af474e22a5161772
Opcode Fuzzy Hash: cdd73107b13687e50309139a52f54a46346aaaea8bb3da08580a9bd196303140
Instruction Fuzzy Hash: 7EC01221B661386B8A2972BA24610BE318E4AC8A263C14D2AA40A8B349EC628C1446E1

Uniqueness

Uniqueness Score: -1.00%

Function 0292EBB8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c36f24e53d022438bfb617232161385a115f7071d442718fafcc1ccbae211df
Instruction ID: 6df3546cca04a3c2f5bbda799e4cce4e2e707939c1750dbdd08bb60b293ae476
Opcode Fuzzy Hash: 0c36f24e53d022438bfb617232161385a115f7071d442718fafcc1ccbae211df
Instruction Fuzzy Hash: AAD0C93151E228DF8624AA56E4D0862B3E9EA456213104C6ED19B466098B76BC04C790

Uniqueness

Uniqueness Score: -1.00%

Function 02926751, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9a89df61b741596d5170a98b7336d9d52d8572eedb7f3a722544a3610bf9f8
Instruction ID: a4a066edb4ade6b6b0ba85611a4f2e152796ce21706c9bf0e2ea469235d29a97
Opcode Fuzzy Hash: 7c9a89df61b741596d5170a98b7336d9d52d8572eedb7f3a722544a3610bf9f8
Instruction Fuzzy Hash: C6D022BBE4C3D08FC7024A947C005C4BB78EB82222FC400EBC104862A6E29809288332

Uniqueness

Uniqueness Score: -1.00%

Function 02927348, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: cb7766a27dd94a1da5550afd33485bda68a58f286a49bedd187496d6c052dd93
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: B4D0423AA00004CFC704CB88E6849DDF7F1FB88225F29C1A6D915A7251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 02925478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f302b3913543022f574deb4445a288e66ccec78883820ad3c199a301a20883
Instruction ID: ebdac85a98cd093a2bba3cf29fe788b6e555fbc0866bec3caec11b2a565e6149
Opcode Fuzzy Hash: 63f302b3913543022f574deb4445a288e66ccec78883820ad3c199a301a20883
Instruction Fuzzy Hash: 17D01230108354ABD72927AA7D0D7ADBF6CA70020BF868081E00FD063EDF744159D676

Uniqueness

Uniqueness Score: -1.00%

Function 02927D8E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba692bc86a655cc222eb54778e4d011724e8429a9d89c5d139769c6f7d7f7437
Instruction ID: 6d54163f4592d9b1f4e6ffa3297f2c6adaaf73d1cd6e8a8545108e07782cccfb
Opcode Fuzzy Hash: ba692bc86a655cc222eb54778e4d011724e8429a9d89c5d139769c6f7d7f7437
Instruction Fuzzy Hash: 35D05E70900218DFCB01CFB2DD500EDB7F0EB082103140725E402EB385E7300C15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02920180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81ea34c22603bcf8fb0bd9fab6b71cb63dcd8e36710031b29d2965601c10048
Instruction ID: 0ac45133165804d40ad0326ab660369ff045f83adb953fd87e0e11bf35c6dfe0
Opcode Fuzzy Hash: e81ea34c22603bcf8fb0bd9fab6b71cb63dcd8e36710031b29d2965601c10048
Instruction Fuzzy Hash: 91D01230200304CFCB082BB0E41D41C3366AB48205300487CE806C7754DF36E891CA50

Uniqueness

Uniqueness Score: -1.00%

Function 029296A0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8643fa2c1df1d0a4dced0dfbefb0587aff22f1f8090ad0ede354d3c270e50a97
Instruction ID: 6f14b88ee7550dbdbe1c39665072f402f7f1c9bbcf3ea9160f6f3a527a61ce0b
Opcode Fuzzy Hash: 8643fa2c1df1d0a4dced0dfbefb0587aff22f1f8090ad0ede354d3c270e50a97
Instruction Fuzzy Hash: 22B0123139460E4BFBA0A7F5790472633CCC740618F900071F40DC2A44F6CAE8602148

Uniqueness

Uniqueness Score: -1.00%

Function 02922EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7623709499183c47fd62447c08d467daf2db3ed1eea51aaf7b1578392ef1d346
Instruction ID: 09710a845961829d1cba94d402e8b36c749344f5b3182269ff912433856d6a91
Opcode Fuzzy Hash: 7623709499183c47fd62447c08d467daf2db3ed1eea51aaf7b1578392ef1d346
Instruction Fuzzy Hash: 21B0123135430D2BEB50A7F57C58BA673CC8780619F4400B1FC0CC5A10FA46E4E13151

Uniqueness

Uniqueness Score: -1.00%

Function 02922D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e8abdf7d0c0a02a90c1fc7c3fa0c9974f8cbdfce44118b89a953169fb9f6c8
Instruction ID: 991ed4815377a3357ae45a44dfd57d76ab4aeea4515c0e4a9e73b79d2f76dd79
Opcode Fuzzy Hash: 30e8abdf7d0c0a02a90c1fc7c3fa0c9974f8cbdfce44118b89a953169fb9f6c8
Instruction Fuzzy Hash: DEC0923498C728F6E7941384BC2AFB47218DF0CB02EA00C03AE0F5C1AC9991A11CC86A

Uniqueness

Uniqueness Score: -1.00%

Function 02925D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94eebb426de9aabff3dc525674a66256d79f2402dccb7aa7e50f08a02f56f2df
Instruction ID: f24d8816bcdd1cba89a52e25bbca942dcb9dad8db2701cc3c9e337059c54b558
Opcode Fuzzy Hash: 94eebb426de9aabff3dc525674a66256d79f2402dccb7aa7e50f08a02f56f2df
Instruction Fuzzy Hash: 69C08C30204B098F8A0827B06C0D26D3B6C8F400003C14414E81ACE234EF24A00151A5

Uniqueness

Uniqueness Score: -1.00%

Function 02920660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793b72d280eac7db93a98f314eff7681013bbfbf6f5978618c8842ad8cac2883
Instruction ID: ecb3934fa34ada78b36a1aeadc68ead77761af4cbc2acab303397eb65968060f
Opcode Fuzzy Hash: 793b72d280eac7db93a98f314eff7681013bbfbf6f5978618c8842ad8cac2883
Instruction Fuzzy Hash: 3FC02B7044A334CEC20417705C09439721897E1300300CC31B50100634CD367892C871

Uniqueness

Uniqueness Score: -1.00%

Function 02924348, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff352e3cbad58bf00526ba0dee8aec0ab8d63a3aad693ef9cc8d3cfe3d4edf58
Instruction ID: 05b2d9dc8fc73a7542660ba705f2eb349af006a93b7206d6e8de072100aab49e
Opcode Fuzzy Hash: ff352e3cbad58bf00526ba0dee8aec0ab8d63a3aad693ef9cc8d3cfe3d4edf58
Instruction Fuzzy Hash: 49C02B3030070687CE4037B0780C11C36CC7B403007445014D40DCE300FE3CD400403C

Uniqueness

Uniqueness Score: -1.00%

Function 02927A5D, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d038828d244e05b1f0f358ebf51fb5798f8ea3ebc55388953833a6e622bd6cd
Instruction ID: 51b6ae626664ee7784b949cc7ed5ad3abb8bf78838b70d3c036c357a4cc68f38
Opcode Fuzzy Hash: 4d038828d244e05b1f0f358ebf51fb5798f8ea3ebc55388953833a6e622bd6cd
Instruction Fuzzy Hash: 32C09B37605109DFCF145B64FC440D8B375FB8822E7104077D119C5111C7325527CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0292CB89, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd750aed41b169726e12e28897103fe6122707bc7cc4ecbf62016800031068a
Instruction ID: 247fc8efa609e5d81d9ee2370f4cdbaa9a2a302603be21e4a33bb8c88be4d5d6
Opcode Fuzzy Hash: ddd750aed41b169726e12e28897103fe6122707bc7cc4ecbf62016800031068a
Instruction Fuzzy Hash: 69C04CB1811156D7CF264A75A4093053B54D74634AF2408EB8805C6211D279D945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02925F60, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eff5d560558b18e8eb9091040126b5558e6408956ccb3c2033d7c7f1fb6e042
Instruction ID: 1477860cc334da04c7cff23bac222453db8b6529c4cc54184395fbdd3cbea5c3
Opcode Fuzzy Hash: 9eff5d560558b18e8eb9091040126b5558e6408956ccb3c2033d7c7f1fb6e042
Instruction Fuzzy Hash: 5EB01230244B19EB4758ABB57D5C3E5779CDA059057C64035F51FC0229EF31D806D576

Uniqueness

Uniqueness Score: -1.00%

Function 0292736C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: fe81a13646642c70c07e77e088add6ec419404bd45f6db9abddba838fd181efd
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 4FB092B7A44018C9DB008AC4B4413EEF720F790225F104023C71062100C2320168C695

Uniqueness

Uniqueness Score: -1.00%

Function 0292D560, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9737e0c59cf891b4a2dab374a082d4828f979c500abc1f5b962708bb2a660216
Instruction ID: 30e158c7a9f81719b741497c5cc2f06ccc3e0bcaef165841e1a5fda506e60fb7
Opcode Fuzzy Hash: 9737e0c59cf891b4a2dab374a082d4828f979c500abc1f5b962708bb2a660216
Instruction Fuzzy Hash: 29B0927040C32CE78200A719DD499997A2CFA022007804818E412861ADDBB02D4AC6F6

Uniqueness

Uniqueness Score: -1.00%

Function 02925D6C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222d715fad8f101c829304221045b8e12fedd96a6d240932216d1f9fa1dbe4ab
Instruction ID: c8101260d88e0dff23973e1acc74fa1b5d4d5edd529960f68a310e6b55634726
Opcode Fuzzy Hash: 222d715fad8f101c829304221045b8e12fedd96a6d240932216d1f9fa1dbe4ab
Instruction Fuzzy Hash: 2DB01230109E158E052897A0680D739331C8E000493810B12D80ECD135EFA18045D1D6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0292306F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.498712859.0000000002920000.00000040.00000001.sdmp, Offset: 02920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c8b24486dc9b9c67406e8a9ef57cdea581663e0a688e58b1872fad18ea20a7
Instruction ID: d394822a7c049f20e9a3d70eeb60711831eef393813707adae819cfaa395447f
Opcode Fuzzy Hash: 19c8b24486dc9b9c67406e8a9ef57cdea581663e0a688e58b1872fad18ea20a7
Instruction Fuzzy Hash: 84514A72F015259FD714DB6DC890A5EBBE3AFC8310F2A80B4E409EB369DE349D058B94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Swift Payment-3134101002.exe PID: 5436 Parent PID: 6208 Swift Payment-3134101002.exeCOMMON

Executed Functions

Function 04EF3850, Relevance: .8, Instructions: 763COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e91b6acceb9bcc49a9deb2095d5984c14bd0d27aa18c605bd7b5580b1cc4bc
Instruction ID: a3594c596a1313483974e3b56f2b1c1b8b0f0cffa3f688366cd4aeaa4ac6184d
Opcode Fuzzy Hash: 73e91b6acceb9bcc49a9deb2095d5984c14bd0d27aa18c605bd7b5580b1cc4bc
Instruction Fuzzy Hash: BF52D271A04205CFCB15CF68C8809AAFBB2FF85304B19D5A6EA599F256D731FC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EF23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0472d3c1eaa3274176c3dfaea6dcdd2021c18990c7d06134b27f87b557673266
Instruction ID: ccc1643e55099d4addb57ef4d2c7e0acf3dd2bc8f025ce6d8ae36585108a17b9
Opcode Fuzzy Hash: 0472d3c1eaa3274176c3dfaea6dcdd2021c18990c7d06134b27f87b557673266
Instruction Fuzzy Hash: 8D129E31E00615CFC724DF29C8846AEBBF2FF88318F14D5A9D6069B295EB76A845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e9e5c8a7a2145749ccf0ef02c0fa952048c7eb14e5886ec693f45af3655efd
Instruction ID: a320f14b00a39ed1f426fb4a42a22300d7f5bf1adcc0106baa348fcf99a02481
Opcode Fuzzy Hash: 12e9e5c8a7a2145749ccf0ef02c0fa952048c7eb14e5886ec693f45af3655efd
Instruction Fuzzy Hash: DA818172F011159FD714DB69D894AAEBBF3AFC4310F2A8075E916EB355DE31AC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04EF09A0, Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

X1#r, xrefs: 04EF0A50
X1#r, xrefs: 04EF0A98
X1#r, xrefs: 04EF0AA2
X1#r, xrefs: 04EF0A5A

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: X1#r$X1#r$X1#r$X1#r
API String ID: 0-1348021360
Opcode ID: 76e44dff493896c1f5e71bdc1ab900356eb32554678be2cf89008567fde68818
Instruction ID: 5765af814b598b302e7ae570fca0ea58a74096ea2a366f51881d2b0bcd00e492
Opcode Fuzzy Hash: 76e44dff493896c1f5e71bdc1ab900356eb32554678be2cf89008567fde68818
Instruction Fuzzy Hash: B851E531B50215EFCB159FA8DC54ABEB7F2BF84314F108569E646DB255DB30AD02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0682, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

YCp^, xrefs: 04EF0702, 04EF0707
ZCp^, xrefs: 04EF06A1, 04EF06A6

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: ZCp^$YCp^
API String ID: 0-3675598700
Opcode ID: aa5b5b74f7e8eb818fadb169ad3c74e285dee1f0faa7c5178d35ce42c96cae46
Instruction ID: 9e70515362fc9af6172fb3b236920fff8550ea1d803259565c9eb897123d55b3
Opcode Fuzzy Hash: aa5b5b74f7e8eb818fadb169ad3c74e285dee1f0faa7c5178d35ce42c96cae46
Instruction Fuzzy Hash: 27416035B802409FD7197B38EC5C6AE7BA2BFC0725B1589A9E503C72E6DF705C118B92

Uniqueness

Uniqueness Score: -1.00%

Function 04EF12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g r, xrefs: 04EF1349

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: 16460022ee69bf2af87e6a41419c2e6ffca05720e37c206be397c8a8817c9ba8
Instruction ID: 5b515d39952563a669642dc99051349fc09a5d1e20616e6ed5adb22f16b480ef
Opcode Fuzzy Hash: 16460022ee69bf2af87e6a41419c2e6ffca05720e37c206be397c8a8817c9ba8
Instruction Fuzzy Hash: DC22F379A00605CFCB24DF28C490AAAFBF2BF88304F548599D95A9B75ADB34BD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0279AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0279AAB1

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e7e4359f048231be52877d3e247e4c805ff235b18690b16a00c54e98e6883d8d
Instruction ID: 7b0345ae20e038384c99ab0a94c8d5b7a98c67040eff9c3c0487b55cfe47ad12
Opcode Fuzzy Hash: e7e4359f048231be52877d3e247e4c805ff235b18690b16a00c54e98e6883d8d
Instruction Fuzzy Hash: EC31B4B25043846FE7228B25DC45FA7BFFCEF15710F0885AAED818B152D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050100F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0501019D

Memory Dump Source

Source File: 0000002A.00000002.454730837.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3424e87f0f17c4ba1365b76d669563fb0738f5efad62c9915ee5cfb78b56d6fa
Instruction ID: b67574abb4c17a0ce1fa5b783d5e897e33a4ce0c446e7d7d359dd447e463838f
Opcode Fuzzy Hash: 3424e87f0f17c4ba1365b76d669563fb0738f5efad62c9915ee5cfb78b56d6fa
Instruction Fuzzy Hash: 5731A1B15097806FE712CB25DC44F56BFF8EF06310F08849AE985CB292D374A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0279AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,53FBEC34,00000000,00000000,00000000,00000000), ref: 0279ABB4

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 316c8a931d8415e655ee55ba894087abf4e51ea657b9ab576bf83e301c7df069
Instruction ID: d9347559d9d8e73836b9032cd55996a0f78846392b75a0759bd6190974f06fc7
Opcode Fuzzy Hash: 316c8a931d8415e655ee55ba894087abf4e51ea657b9ab576bf83e301c7df069
Instruction Fuzzy Hash: 6731B1725093846FEB22CB25DC45FA2BFB8EF06710F18849AE985CB152D364E449CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0279AF50, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0279AFEA

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 9d0ee0c30a8a5a1f4b62398f92ec70d8b7151b7a5305831220efaf6d163f86cb
Instruction ID: ccfea0afaab24b0b8a0570c04a033a3f66ca6630f42d8b552f4326786ad5acd3
Opcode Fuzzy Hash: 9d0ee0c30a8a5a1f4b62398f92ec70d8b7151b7a5305831220efaf6d163f86cb
Instruction Fuzzy Hash: 0821D7714493C06FD3138B259C51B22BFB8EF87A10F0A80DBED84CB553D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0279AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0279AAB1

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9d90bad76bf0db99912364ee676aef5743f48dceed5c307c1d1aa0424df428ad
Instruction ID: 8d05db1b413fae76e41cd41fc2cd3c3e3d8485652fdeffcfc6d0a11963ed1008
Opcode Fuzzy Hash: 9d90bad76bf0db99912364ee676aef5743f48dceed5c307c1d1aa0424df428ad
Instruction Fuzzy Hash: 0121CDB2500304AFEB219A19DD85FAAFBECEF18710F14845AE9419B241D670E908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0501012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0501019D

Memory Dump Source

Source File: 0000002A.00000002.454730837.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9c512057171c2cc73605bb1868e87709b8e098e60c08044042c5388ee60595ff
Instruction ID: 3dbece3cb3d7b3303a9c1a65a8c2f53f3eb0bf26c4f314cd90ce5ba9b57a245b
Opcode Fuzzy Hash: 9c512057171c2cc73605bb1868e87709b8e098e60c08044042c5388ee60595ff
Instruction Fuzzy Hash: B82192B1504244AFE721DF29DC49F6AFBE8EF04310F1884AAED858B241D775E544CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0279AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,53FBEC34,00000000,00000000,00000000,00000000), ref: 0279ABB4

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 37b09afdd53d4cae5c0114f299223fb18c92313ffc6b638864d744bec1fb9d42
Instruction ID: 081b1e68026cb4760b0c4b2dbff958842d7046f864dc96d0311e7c1ba6e0f271
Opcode Fuzzy Hash: 37b09afdd53d4cae5c0114f299223fb18c92313ffc6b638864d744bec1fb9d42
Instruction Fuzzy Hash: 82218CB1601304AFEB20CF29EC85F66FBECEF54710F1484AAE9459B251D360E848CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0279A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0279A58A

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b12aa62c9b309dde308729520819b0380273026337c81b4b95e78c0cf7e240af
Instruction ID: cd4999c8c7b17db70f0592e803a0112f7408dc2b2f33a1ffa73f2ffba5e733bd
Opcode Fuzzy Hash: b12aa62c9b309dde308729520819b0380273026337c81b4b95e78c0cf7e240af
Instruction Fuzzy Hash: 2F117F72409384AFDB228F55DC44B62FFF4EF4A220F0884DAED858B663D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0279B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0279B841

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bf7dd73e11fd19355b85ffd1cf09dc1ed8bedb3cff40ef612cf6d2ff37c1ea6e
Instruction ID: 53475b2fbb1f829ff1d88a41c3db827e9e2863f173ba7abccd8bd3237c1ef36d
Opcode Fuzzy Hash: bf7dd73e11fd19355b85ffd1cf09dc1ed8bedb3cff40ef612cf6d2ff37c1ea6e
Instruction Fuzzy Hash: 532190714097C49FDB128B21DC51AA2BFB0EF1B314F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0279BBB9

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 550f7ed728c9f841052f9913e5ea4ecaeceaeaf29a3874e6c4a667cece279020
Instruction ID: e139d5254b87ff9805b8f84c4a50edc90a1e9959670843b557cb10d341c82e35
Opcode Fuzzy Hash: 550f7ed728c9f841052f9913e5ea4ecaeceaeaf29a3874e6c4a667cece279020
Instruction Fuzzy Hash: AE11D3754093C09FDB228F25DC45B52FFB4EF16220F0884DEED858B563D365A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050104EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05010550

Memory Dump Source

Source File: 0000002A.00000002.454730837.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c22c2a1e4212fb0c3e07df736016adc6ea79755fa8318b70ed635237356d47fb
Instruction ID: 54aafc767e22f4ace36445b097a8e5acf5b9e5200ce434f0a803a95ac522f70e
Opcode Fuzzy Hash: c22c2a1e4212fb0c3e07df736016adc6ea79755fa8318b70ed635237356d47fb
Instruction Fuzzy Hash: 6E11E2B14093849FD712CF25EC94B52BFB8EF06224F0880EBEC858F653D275A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0279BE70

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 25c306bec99799069a7809be2a7824b48ce53a744593a69e2ae32bacaa3f64e8
Instruction ID: dec315a0549ce4a2ae1db1663be7756ab3c769d8b666802b4150c50d90385741
Opcode Fuzzy Hash: 25c306bec99799069a7809be2a7824b48ce53a744593a69e2ae32bacaa3f64e8
Instruction Fuzzy Hash: A3117F754093C49FDB138B259C44B61BFB8DF47624F0980DAED858F253D2655848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0279B78A

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f65722a7e4ec14b648e9ba5e20f8d9f84b7521c4bbd816edfa1be9f74160c1d9
Instruction ID: 3ddbf59dc090a53a1f030f71c1326a22c12d1994035bc09dcdbd4ccce89a459c
Opcode Fuzzy Hash: f65722a7e4ec14b648e9ba5e20f8d9f84b7521c4bbd816edfa1be9f74160c1d9
Instruction Fuzzy Hash: 9F119D72408384AFCB22CF55DC44A52FFF4EF09320F0885AEE9858B622C375A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0279BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0279BF0C

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: aceb26bc58e2e9229d802efc11cfb5d26c81753f973572a1e5852514c0ecaa94
Instruction ID: 76e1391df29d461a05eeb4c5397365f5d23e8a5a81f43ef91ea0598a67ead573
Opcode Fuzzy Hash: aceb26bc58e2e9229d802efc11cfb5d26c81753f973572a1e5852514c0ecaa94
Instruction Fuzzy Hash: B31151759053849FDB11CF25EC85B56BFA8EF46224F0884EAED45CF252D374E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0279A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0279A7BC

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c2c43514316624407e068183823d92dec9967232e4b8a91767f8af03bf089d09
Instruction ID: e1f62366b6f4ea151e3d92384db013674854cecf90b2e5afde8cfe789cf6e79a
Opcode Fuzzy Hash: c2c43514316624407e068183823d92dec9967232e4b8a91767f8af03bf089d09
Instruction Fuzzy Hash: 3C118C758093849FDB12CF25DC45B52BFB4EF16224F0984EBED498F253D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0279A926

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4ed86f386109713ae0e23ba01a89fb64d4354778e86a20b4d3d0d0a8767a238b
Instruction ID: bb96aa96e032f8bcfe65c13dd5db24bde75a6dc7d5bd0a419ed65f31c9af5e45
Opcode Fuzzy Hash: 4ed86f386109713ae0e23ba01a89fb64d4354778e86a20b4d3d0d0a8767a238b
Instruction Fuzzy Hash: 32117C714097849FDB218F15DC85B52FFB4EF16220F0984DAED868B262D375A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0279BF0C

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c19a9e1a935da68af6d96674b6f668d5e1719f51e29e0ed4c31c7aec07ceacc8
Instruction ID: 5d3315d6b264f1bfd02828d2e947eeb3f90a351d57ea2ea86148de92d7f56e94
Opcode Fuzzy Hash: c19a9e1a935da68af6d96674b6f668d5e1719f51e29e0ed4c31c7aec07ceacc8
Instruction Fuzzy Hash: A301B171A003408FDB10DF2AF88576AFBA8EF05224F08D0AADD09CB642D374E404CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0279B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0279B78A

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b0cf1d0aed235cb51dec57546baa659e021d6dae87ed8a385bf7807060d7c1fd
Instruction ID: 6fa3ede8810ff562e05c98c7076b8cae236470d27b935d9c222b6218c52b9fa3
Opcode Fuzzy Hash: b0cf1d0aed235cb51dec57546baa659e021d6dae87ed8a385bf7807060d7c1fd
Instruction Fuzzy Hash: 15015B718007049FDB21CF55E884B66FBA0EF18324F0895AAEE4A4A612D376A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0279A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0279A58A

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d25f6cd266c576181ac248613bf9c05c20518d01ddf76a0937bcbda92f224d99
Instruction ID: 25ed07ac28034a39b7373d6c55f4a4bb3ac64057814032c07ee56d10da815b1b
Opcode Fuzzy Hash: d25f6cd266c576181ac248613bf9c05c20518d01ddf76a0937bcbda92f224d99
Instruction Fuzzy Hash: 86016D719017049FDB218F55E844B66FFF0EF48320F08C4AAED498B612D375A414CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0501051E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05010550

Memory Dump Source

Source File: 0000002A.00000002.454730837.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4dd5d346ea42a34260a2e21a0d893a166eb6018e1197b2c1379c4d976ae44371
Instruction ID: 70d7b89d70e7a7400543a23f05fe4d6144f8c44bc392c76dbb3d5fcf9fd6f711
Opcode Fuzzy Hash: 4dd5d346ea42a34260a2e21a0d893a166eb6018e1197b2c1379c4d976ae44371
Instruction Fuzzy Hash: 990184B5900244CFD750DF19E889BAAFBE4EF54320F18C0AADD4A8B642D275E444CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0279AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0279AFEA

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: bbe291edbfbdc492992ec16a3fa6cf43709eb61303e1f671aeacd0407c1a1cb0
Instruction ID: 237c385e9c83fe282c43eb2c7798fca387e7c101d7b5251e64ff092f4df75055
Opcode Fuzzy Hash: bbe291edbfbdc492992ec16a3fa6cf43709eb61303e1f671aeacd0407c1a1cb0
Instruction Fuzzy Hash: 5B01A271500200ABD250DF1ADC82B26FBA8FF88B20F14815AED084B745D631F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0279BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0279BBB9

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e6ea930e8de35b7b12b7cee65220b09295457fc0ebf934c9c9976f9fa2601aee
Instruction ID: bae0f03137762934422f79bcc0e9be5a12ccfd1a9b0aecd1ce37de8ee7c4adef
Opcode Fuzzy Hash: e6ea930e8de35b7b12b7cee65220b09295457fc0ebf934c9c9976f9fa2601aee
Instruction Fuzzy Hash: 7401D4759003008FDB20CF56E844B65FBA0EF14324F08C09EDD468B666D375E458CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0279A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0279A7BC

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 41604ef802728b9221e77e5dfd7a053a87cf38634df6244163df2a82e399df25
Instruction ID: be39ac852ee6ce7eefac2fa454ef9e3615eec7bc305e225d80c4247e9392181c
Opcode Fuzzy Hash: 41604ef802728b9221e77e5dfd7a053a87cf38634df6244163df2a82e399df25
Instruction Fuzzy Hash: C301ADB48013448FDB10DF15E885765FBA4EF54320F18C0AADD098F602D379A444CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0279B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0279B841

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8eb229545985566ebc0881cd387c119a921f4c45813b3bf7619826d8c2aeab03
Instruction ID: c29e588641b64647ce11cf58eece97e792d2e7bf96f925a0e9a94f1cd068e82d
Opcode Fuzzy Hash: 8eb229545985566ebc0881cd387c119a921f4c45813b3bf7619826d8c2aeab03
Instruction Fuzzy Hash: 6B018B71800744DFDB20CF16E885B65FBA0EF18724F08D09AED494B622D375A458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0279A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0279A926

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1f39dd81e78b7490d9127985fb4c891302554ff172fc51edfd59506a88361733
Instruction ID: 739166ae1ae5eabb2a96325f340dea344798382999a04d3b39174465208a08ec
Opcode Fuzzy Hash: 1f39dd81e78b7490d9127985fb4c891302554ff172fc51edfd59506a88361733
Instruction Fuzzy Hash: F101AD718017048FDB208F05E885B61FFA0EF08320F08C0AADD4A4B612C375A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0279BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0279BE70

Memory Dump Source

Source File: 0000002A.00000002.452477578.000000000279A000.00000040.00000001.sdmp, Offset: 0279A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: dc304e6778475f4f864c9a197ac8d065508e8400cff1218ae4027e44d023252d
Instruction ID: ec2b680f786f2dbdd19713a9b2bef037d271639c21a5c8fd4f9f415b95bd2db4
Opcode Fuzzy Hash: dc304e6778475f4f864c9a197ac8d065508e8400cff1218ae4027e44d023252d
Instruction Fuzzy Hash: DDF0AF75804744CFDB20CF15E884761FBA8EF44324F18D0EADE494B312D379A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04EF20D0, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

r*+, xrefs: 04EF230F

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 516df8ee67e77320572e4c03fe62a58bffe7281dd0d0731332cc994fcf80000f
Instruction ID: 2f70c486061779052a39d74a47e309e91f9ec9e5f09013fa20a2b0acfd6cc76d
Opcode Fuzzy Hash: 516df8ee67e77320572e4c03fe62a58bffe7281dd0d0731332cc994fcf80000f
Instruction Fuzzy Hash: CC715D30E08209DFDB44DFA8C8516BEBBB1FF85300F1095EAD7029B255E736A941DB56

Uniqueness

Uniqueness Score: -1.00%

Function 04EF02E8, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

`5#r, xrefs: 04EF03A5

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: `5#r
API String ID: 0-945842197
Opcode ID: e2ea6484cfe3b954a4d588c844289b6b52d675d82e1bc48f67d15b99227ae9a0
Instruction ID: a2bb5f19a031f1dac990dd5e4de257598a6a7bdadd5f07006b6467885f5f224f
Opcode Fuzzy Hash: e2ea6484cfe3b954a4d588c844289b6b52d675d82e1bc48f67d15b99227ae9a0
Instruction Fuzzy Hash: F0515134B05205CFDB18DF68C8506AE7BF2EFC9310F289069DA06AB396DB75AD01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EF1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g r, xrefs: 04EF14C7

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: 2a055d32ee9ea162c3828426f70e23a22b61a453f1087568733a8b85d441f326
Instruction ID: c67321a72c887c7e6db078191c4bf830167184078992ea47fca92045f7128848
Opcode Fuzzy Hash: 2a055d32ee9ea162c3828426f70e23a22b61a453f1087568733a8b85d441f326
Instruction Fuzzy Hash: EB51F475A00218CFDB14EF64D894B9DBBB2BF88304F5040E9D50AAB366DB35AD88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2D58, Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

, xrefs: 04EF2E76

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b64d50249822371dfc6ea8595b011a9d7e12cf25024a8926a5a1fbd4b693b89e
Instruction ID: 7c525fe75caa2bb42c8003630aa0c619fafc9198adc73e2fb4c460bd4f39430e
Opcode Fuzzy Hash: b64d50249822371dfc6ea8595b011a9d7e12cf25024a8926a5a1fbd4b693b89e
Instruction Fuzzy Hash: 5141A170F081458FCB11CF69CC405EEBB62ABC5318B39D9A6C7129B645D736F812DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04EF1290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$g r, xrefs: 04EF1349

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: $g r
API String ID: 0-1745030754
Opcode ID: aeff6e4688838c070d4041be8f1c48a29cdae0ce88c5925076a8bc61fa8923ff
Instruction ID: c6ad8e9ace46f23d13c944685a229c2f3735b7cfbdb1071a91c42cbd62f3c294
Opcode Fuzzy Hash: aeff6e4688838c070d4041be8f1c48a29cdae0ce88c5925076a8bc61fa8923ff
Instruction Fuzzy Hash: E3411674E04218CFDB64DF68D884BEDBBB2BB49304F0040A9D54AAB355EB30AE84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EF05B9, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

8]q, xrefs: 04EF05D6

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: 8]q
API String ID: 0-1408181585
Opcode ID: 62543f72e5f1409dbe7a7d89fc7f51b6707412134de16e900ed08690fa5894ff
Instruction ID: 9438460824ee9d32329a4b3859f4df0f49fe44cb03e2321e2fbdfb680dc0a288
Opcode Fuzzy Hash: 62543f72e5f1409dbe7a7d89fc7f51b6707412134de16e900ed08690fa5894ff
Instruction Fuzzy Hash: E7012D317042601FCA0A363C98226FF6B8B5FC5650F59406EE107EB386CD69AC4283F6

Uniqueness

Uniqueness Score: -1.00%

Function 04EF05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8]q, xrefs: 04EF05D6

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: 8]q
API String ID: 0-1408181585
Opcode ID: d8a4a058865f010a7397154f96bdc35a6539bf8e471a5cce6cc7092e4b03eda0
Instruction ID: 0fbecf956b2afe003ba1d12b9146f80a2017705030071dab5c0f816e1df699e8
Opcode Fuzzy Hash: d8a4a058865f010a7397154f96bdc35a6539bf8e471a5cce6cc7092e4b03eda0
Instruction Fuzzy Hash: 58F090717002241BC909367DA8126BF528B9BC4A61B65442EA107EB388DE69AC0243F6

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c6f51b5509758f160080b921b97a30289d48472d98593f1064dcf897a1f3cc
Instruction ID: 57eb7deb2a9cf088f07bcb0264108237049f8855a9db8673207d6c4f5a91d1bb
Opcode Fuzzy Hash: 90c6f51b5509758f160080b921b97a30289d48472d98593f1064dcf897a1f3cc
Instruction Fuzzy Hash: 6C41FC31B051049FCB15DB2CC814AAE77E7AFC5310F1580AAE906DF356EE76AD068791

Uniqueness

Uniqueness Score: -1.00%

Function 04EF02DA, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc8ab094bb2f2dc06d5031fe97c3e1afcd026a0b8b61b16716f4f597c9ff526
Instruction ID: 2abef40adf323a95ea4dc7aa4c6171c1d786eb0f6e6828d5f00363d2bb763f22
Opcode Fuzzy Hash: 5fc8ab094bb2f2dc06d5031fe97c3e1afcd026a0b8b61b16716f4f597c9ff526
Instruction Fuzzy Hash: 06415F34B01205CFDB18CF68C8607BE7BB6AF89314F185469D602AB3A2DB75BC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0006, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7a40a5bd99d4609af20749a157898ab1104c333b72b809f8cf6540ff99841e
Instruction ID: c4a0a376dc6b9668e54decb5319b01cffa1c19c3b4891db2fb47591ef1ce6f79
Opcode Fuzzy Hash: 9d7a40a5bd99d4609af20749a157898ab1104c333b72b809f8cf6540ff99841e
Instruction Fuzzy Hash: B831A5B1A0D3C1CFCB06A77498A41983FB1AE9231470D449FC582CB297E6785806DB53

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0170, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a6d51f90759294c1da079875f0c3e500d234fa1fd92b37d252595d7f79e638
Instruction ID: 59619e0c88d46f1febacd6a82cb299dfcd466895d04dc451d9f6e13329760992
Opcode Fuzzy Hash: 87a6d51f90759294c1da079875f0c3e500d234fa1fd92b37d252595d7f79e638
Instruction Fuzzy Hash: 3D31CD747053049FEB148F78CC90B2A7BB9EF8A354F1844A9E5469B382EA31BC00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2C58, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f71ada389f8a55cb2c5130f76843f2e435e46994dbb8b0c76935e4d71be776a
Instruction ID: b49f4da1f3b84f3eb98f09ad80ca649560902eb28f19a964e314fdcb3accb568
Opcode Fuzzy Hash: 0f71ada389f8a55cb2c5130f76843f2e435e46994dbb8b0c76935e4d71be776a
Instruction Fuzzy Hash: E3214538708241CFC7148B28DC849B9BFA5AF81314B1995E6D746CB292F733BC00D792

Uniqueness

Uniqueness Score: -1.00%

Function 028B0846, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452779510.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c147a2acb16ae72842573415feb770d2450570e7ffdaf8232b7c1309cd31df2
Instruction ID: 0d793f1df0d0e3588f7d792a78adb16c1ad8926f74d9c39ca625c964b521cd66
Opcode Fuzzy Hash: 6c147a2acb16ae72842573415feb770d2450570e7ffdaf8232b7c1309cd31df2
Instruction Fuzzy Hash: 78215E3554D3C08FD7038B24D850695BFB1EF47614F2986EFD8888B6A3D32A9816DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EF21E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4744d62f8a8a3a8bd9854f969b32b9f913d2edfeb1d8f555df7cdc2abad82606
Instruction ID: 4b1f956a087ab0f6d93f89c35ef0ae7b44ea24a89986cb5cd703243b989b9dd4
Opcode Fuzzy Hash: 4744d62f8a8a3a8bd9854f969b32b9f913d2edfeb1d8f555df7cdc2abad82606
Instruction Fuzzy Hash: 57316B70E08209DFDB44DFE8C8406FE7BB1FF45304F50999AD60297295E736AA01DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EF25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855ab6a83f133cb2b1830647fcb899f3c56fa4e29cadd9a4d121969816f90d44
Instruction ID: d9bf7218e03471ce1115bd1efaf916c9103a4054126823124cade8c3edf1d8c2
Opcode Fuzzy Hash: 855ab6a83f133cb2b1830647fcb899f3c56fa4e29cadd9a4d121969816f90d44
Instruction Fuzzy Hash: 32319E70E00285CFDB60DF65D84425AFBF2FF88318F20D9A9C2059B295DBB5A849CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04EF4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ec690ad8560e90b6f11e14546c4d74adae0f055414a54bef5f029b1ed90b84
Instruction ID: 3d7eb1bab3113638d7bbb3db9fd329c96259b1e06032540252e83e85ff47f1da
Opcode Fuzzy Hash: 62ec690ad8560e90b6f11e14546c4d74adae0f055414a54bef5f029b1ed90b84
Instruction Fuzzy Hash: 9411D671B002169BEB18EBF4EC445FF7AA6AFE4340F11553A9607972C4FE71A90097A2

Uniqueness

Uniqueness Score: -1.00%

Function 028B087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452779510.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f1952ff526ce39e46026bcd9eee3305a751ff06dc5f07c8ef8a860d60a1645
Instruction ID: 00b307819552b633aeda9a0f5c04b0cec642354c0d04a3effa1927eafa184cb8
Opcode Fuzzy Hash: 11f1952ff526ce39e46026bcd9eee3305a751ff06dc5f07c8ef8a860d60a1645
Instruction Fuzzy Hash: 5011E43C244244DFD706CB14C840B67BBA1AF88708F24C99CE9498B752C77BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0568, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5de5dc26659fde36dfe6da27c56f0cba44371f0ee129e308097ee90f6c8ce7
Instruction ID: 6a344fc16d9a4225e8e185c91eac038f77d76a3783f65f30395c370726e1edbd
Opcode Fuzzy Hash: 7a5de5dc26659fde36dfe6da27c56f0cba44371f0ee129e308097ee90f6c8ce7
Instruction Fuzzy Hash: 0D11A7757043008FC705DF28D49156D7BE2AFC9304B15849ED14ACB356DA34A842DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EF11DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dbfc6d47d941914a3556ce154bf057bd1bdb9c68afd6157219f606c466a9e2
Instruction ID: 3bfe6837654f52b04bcb6ad679613c42c12691902ffdd5f93a6a5170b87d28d9
Opcode Fuzzy Hash: 76dbfc6d47d941914a3556ce154bf057bd1bdb9c68afd6157219f606c466a9e2
Instruction Fuzzy Hash: A511A135308280CFC7069BA8D8589A9BFF6AF8630071901EBD186CF276DF615C09E792

Uniqueness

Uniqueness Score: -1.00%

Function 04EF238F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34078b801bc8ea63cfb41e6f257173c7cc1b6dcef489e69799266a7331b9df90
Instruction ID: 66bef0456b188564927206f96e6ac0bc5fa44730d392f2731bee966b3a47548d
Opcode Fuzzy Hash: 34078b801bc8ea63cfb41e6f257173c7cc1b6dcef489e69799266a7331b9df90
Instruction Fuzzy Hash: C4115EB0A0928A8FC7249F6488506EDBFB1AB49300F0054A9C352AB340EB722842EF51

Uniqueness

Uniqueness Score: -1.00%

Function 028B05D4, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452779510.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f7bf571be9a812f6420727deca4899a474b01abe0110603731e72afa956a5e
Instruction ID: 714a11102dc74c6ad391c78c22b91de083f69f62eaef93a2a463c42ff6e25f8a
Opcode Fuzzy Hash: 91f7bf571be9a812f6420727deca4899a474b01abe0110603731e72afa956a5e
Instruction Fuzzy Hash: 7FF0A9B55097806FD7128B16EC51862FFB8DF86630709C5DFEC49CB613D229A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04EF1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b6f4bfd282929cf0ed7d25c808f9012bd62643ffda0ca64b6ea7546989f201
Instruction ID: be75795ffcd117742746402e1ad1c49a3428725bdc8c622059a6a96bb4494ded
Opcode Fuzzy Hash: 27b6f4bfd282929cf0ed7d25c808f9012bd62643ffda0ca64b6ea7546989f201
Instruction Fuzzy Hash: 47018631304114CBC704A7ACD5589A9B7EABFC5700B1440AAE606CB375DF71AC08A782

Uniqueness

Uniqueness Score: -1.00%

Function 04EF4180, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9b518fcaa2ed7c59e8b7c92761785f328c2523cbf8069fa114de3dfd2f7b2c
Instruction ID: 9d8b2debd0e17d380232377934e2f2d5b9fda0cd0f1f4795321fc9c22fc684b6
Opcode Fuzzy Hash: ce9b518fcaa2ed7c59e8b7c92761785f328c2523cbf8069fa114de3dfd2f7b2c
Instruction Fuzzy Hash: 56F027307083D89ECB115B792C094FFBFB89FE719034556ABD692C3182E97124159661

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a3bb422e11c583e8f68f26f45be11d4b56185bfb0378a0eb190ae6286d0d4d
Instruction ID: 5864fd7a11296ee4d1f19c24e7aa8a7a30c373811ab95cb8cb9db4c68f18266e
Opcode Fuzzy Hash: c3a3bb422e11c583e8f68f26f45be11d4b56185bfb0378a0eb190ae6286d0d4d
Instruction Fuzzy Hash: 4CE0ED32F152189AEB205AF99C005EFBBA997C5760F00A9779F0BA3202FD7068115292

Uniqueness

Uniqueness Score: -1.00%

Function 028B0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452779510.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca624cdde786d3cca110bd12d8713cf029306db999023d3cee470ff76f838c00
Instruction ID: ac6ffa5cafe7c8c747c4888ab38c62b32e4fa25ae9584992510eb5b49f0d09a0
Opcode Fuzzy Hash: ca624cdde786d3cca110bd12d8713cf029306db999023d3cee470ff76f838c00
Instruction Fuzzy Hash: BDF01D39104644DFC706CF40D940B56FBA2EB89718F24C6ADE9491B762C737D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0908, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d92ee641f3ebb9bc793201905b1ca35902c5e8037572fffda68f49bfde6be3
Instruction ID: b13d0ebbc11d9db2b024fc013e1a8d199c91df7499fd5bb216372f1a89b69819
Opcode Fuzzy Hash: 96d92ee641f3ebb9bc793201905b1ca35902c5e8037572fffda68f49bfde6be3
Instruction Fuzzy Hash: 4AF02030A002508ED7248AB88C55AFFBBA9ABC0310F01A56A8A0767243ED7428029680

Uniqueness

Uniqueness Score: -1.00%

Function 028B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452779510.00000000028B0000.00000040.00000040.sdmp, Offset: 028B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7cb0252f3b21d556e1c59142931c374499a349ab5b6a5f61e9059e71171257
Instruction ID: 4414db1f874eabf2b2706403a41219a99761126903006b874e0d810a17ebf154
Opcode Fuzzy Hash: cd7cb0252f3b21d556e1c59142931c374499a349ab5b6a5f61e9059e71171257
Instruction Fuzzy Hash: 4FE092B66006044BD650DF0BFC81452F7E8EB84630718C47FDC0D8B711D179B508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 04EF02A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc39b6371525e1ae3c00f0e8281def4c78218196b11282f078caf9f15437f2a
Instruction ID: fa2f77d9cadfe2e9876b6ef5388eb6a4d82fd2eaab28baa9465fca4fee8459fc
Opcode Fuzzy Hash: dcc39b6371525e1ae3c00f0e8281def4c78218196b11282f078caf9f15437f2a
Instruction Fuzzy Hash: C5E0C23850D780CFCB524B6499A58E27FB4AF87310309EADAE5928B647CB607C409B71

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2D20, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ff68814d0bf6e576f2ffb7c1d4574eabcddccb3c144279f5450c184aa5e04f
Instruction ID: a8106fc337573bd0656afdb4496b34733b59abd120315206e2f42cbc0df002a1
Opcode Fuzzy Hash: e2ff68814d0bf6e576f2ffb7c1d4574eabcddccb3c144279f5450c184aa5e04f
Instruction Fuzzy Hash: 15E0123468D3C49DD31246685C257E07F244B1B711F4899D293C5890D3A6133812A227

Uniqueness

Uniqueness Score: -1.00%

Function 04EF064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca79c6f9e8a446404c0d62961c57555f48d024f973d699a284efc7df1d87e72
Instruction ID: eadb27cd0b945b1e939837bf9ec4c90b67fdd3db5265120663481d77e2e51e83
Opcode Fuzzy Hash: 7ca79c6f9e8a446404c0d62961c57555f48d024f973d699a284efc7df1d87e72
Instruction Fuzzy Hash: C3D0A7F38C63804FC30916B02C290E47F55CFE73147409DA5EA0056D1394353D53AA51

Uniqueness

Uniqueness Score: -1.00%

Function 027923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452457283.0000000002792000.00000040.00000001.sdmp, Offset: 02792000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051e748b4dc2f02c37ffe6938539d2a473929109e4f74e939cb23bdc4dee8194
Instruction ID: d4a1068a456dcedfc814d5933f7c6d463be6b24e1a6d974c2f131464a11dcf4c
Opcode Fuzzy Hash: 051e748b4dc2f02c37ffe6938539d2a473929109e4f74e939cb23bdc4dee8194
Instruction Fuzzy Hash: CED05E79305B815FD726DA1CD5A8F953B94AB62B08F5644F9EC008B673C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 027923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.452457283.0000000002792000.00000040.00000001.sdmp, Offset: 02792000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a9baa3233abba6dbb0e56994fe6f0faaf45fda50d7996dff68ce3d61dfb2cf
Instruction ID: dc1d1a4e434af480bcb059d0b86724192840b33a5192ae5916ddb52beebfc50b
Opcode Fuzzy Hash: b5a9baa3233abba6dbb0e56994fe6f0faaf45fda50d7996dff68ce3d61dfb2cf
Instruction Fuzzy Hash: 87D05E342012815BCB15EB0CD194F5937D4AB41B04F0644E8AC008B662C3A4E881C600

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e853473daef44fedff6c6fcd5294e819fb6b9c5385c2e00bd9644394111a08
Instruction ID: 39cf6ab22506c07022db87002a815b21e2359970cd3152790f73d0cf015b6130
Opcode Fuzzy Hash: 61e853473daef44fedff6c6fcd5294e819fb6b9c5385c2e00bd9644394111a08
Instruction Fuzzy Hash: 25D01235640304CFCF083BB4E01941C33A9AB846153054C7CD81787740EF36E850CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04EF2EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7221b5301a670170b2e51d70e69ccc3b098f0dd3b97782c7fedf78b2a335b791
Instruction ID: cb9c2bc402ec9ddb02adecfef30b50a6829fe0d2240c6798926919faafb6dbaf
Opcode Fuzzy Hash: 7221b5301a670170b2e51d70e69ccc3b098f0dd3b97782c7fedf78b2a335b791
Instruction Fuzzy Hash: 3EB092312942094BEB509AB5B848B66738C878062AF9464A1BA0CC9900E656E4F02141

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0660, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.454327812.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6b3fa11419a652acb897d89a96c55c782452f0fc863ef1e830d0f09d34c3d2
Instruction ID: c94d30da7764ee332cab4642d917763162081c9f6efd67c15c013a16fb341728
Opcode Fuzzy Hash: 7f6b3fa11419a652acb897d89a96c55c782452f0fc863ef1e830d0f09d34c3d2
Instruction Fuzzy Hash: 9BB02B71483304CEC20816705C0402DB20857C1310340CC30A501105128D3174219860

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Swift Payment-3134101002.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre