Play interactive tour

Edit tour

Windows Analysis Report 09142021_PDF.vbs

Overview

General Information

Sample Name:	09142021_PDF.vbs
Analysis ID:	483646
MD5:	4a638d451c40bc23491a0c79b6561d29
SHA1:	5caa98e6150e72cff32549541ab937cc952b769c
SHA256:	62e85b9481efe0bb5921277ce40acb236dba44be1bbe8bab2be8068eef10c341
Tags:	NanoCoreRATvbs
Infos:
Most interesting Screenshot:

Detection

Nanocore AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Sigma detected: NanoCore

VBScript performs obfuscated calls to suspicious functions

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: MSBuild connects to smtp port

Antivirus detection for dropped file

Yara detected Nanocore RAT

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Installs a global keyboard hook

Injects files into Windows application

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains strange resources

Drops PE files

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Contains functionality to call native functions

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7012 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

Notepad.exe (PID: 3664 cmdline: 'C:\Users\user\AppData\Local\Temp\Notepad.exe' MD5: 033B15C82C1F08143DA87E0F4D1AD9BC)

MSBuild.exe (PID: 5480 cmdline: {path} MD5: 88BBB7610152B48C2B3879473B17857E)

Chrome.exe (PID: 5276 cmdline: 'C:\Users\user\AppData\Local\Temp\Chrome.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)

dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A9C24A18FBD231939EB608A7A2087A49)

hmltog.exe (PID: 4328 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

hmltog.exe (PID: 3728 cmdline: 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Chrome.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\Chrome.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\Chrome.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Chrome.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b3f2:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x109bd:$x1: NanoCore.ClientPluginHost 0x109fa:$x2: IClientNetworkHost 0x1452d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10725:$a: NanoCore 0x10735:$a: NanoCore 0x10969:$a: NanoCore 0x1097d:$a: NanoCore 0x109bd:$a: NanoCore 0x10784:$b: ClientPlugin 0x10986:$b: ClientPlugin 0x109c6:$b: ClientPlugin 0x108ab:$c: ProjectData 0x112b2:$d: DESCrypto 0x18c7e:$e: KeepAlive 0x16c6c:$g: LogClientMessage 0x12e67:$i: get_Connected 0x115e8:$j: #=q 0x11618:$j: #=q 0x11634:$j: #=q 0x11664:$j: #=q 0x11680:$j: #=q 0x1169c:$j: #=q 0x116cc:$j: #=q 0x116e8:$j: #=q
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9726d:$x1: NanoCore.ClientPluginHost 0x972aa:$x2: IClientNetworkHost 0x9addd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x96fd5:$a: NanoCore 0x96fe5:$a: NanoCore 0x97219:$a: NanoCore 0x9722d:$a: NanoCore 0x9726d:$a: NanoCore 0x97034:$b: ClientPlugin 0x97236:$b: ClientPlugin 0x97276:$b: ClientPlugin 0x9715b:$c: ProjectData 0x97b62:$d: DESCrypto 0x9f52e:$e: KeepAlive 0x9d51c:$g: LogClientMessage 0x99717:$i: get_Connected 0x97e98:$j: #=q 0x97ec8:$j: #=q 0x97ee4:$j: #=q 0x97f14:$j: #=q 0x97f30:$j: #=q 0x97f4c:$j: #=q 0x97f7c:$j: #=q 0x97f98:$j: #=q
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10fad:$x1: NanoCore.ClientPluginHost 0x439bd:$x1: NanoCore.ClientPluginHost 0x10fea:$x2: IClientNetworkHost 0x439fa:$x2: IClientNetworkHost 0x14b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4752d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10d15:$a: NanoCore 0x10d25:$a: NanoCore 0x10f59:$a: NanoCore 0x10f6d:$a: NanoCore 0x10fad:$a: NanoCore 0x43725:$a: NanoCore 0x43735:$a: NanoCore 0x43969:$a: NanoCore 0x4397d:$a: NanoCore 0x439bd:$a: NanoCore 0x10d74:$b: ClientPlugin 0x10f76:$b: ClientPlugin 0x10fb6:$b: ClientPlugin 0x43784:$b: ClientPlugin 0x43986:$b: ClientPlugin 0x439c6:$b: ClientPlugin 0x10e9b:$c: ProjectData 0x438ab:$c: ProjectData 0x118a2:$d: DESCrypto 0x442b2:$d: DESCrypto 0x1926e:$e: KeepAlive
00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493e5:$a: NanoCore 0x4943e:$a: NanoCore 0x4947b:$a: NanoCore 0x494f4:$a: NanoCore 0x5cb9f:$a: NanoCore 0x5cbb4:$a: NanoCore 0x5cbe9:$a: NanoCore 0x75663:$a: NanoCore 0x75678:$a: NanoCore 0x756ad:$a: NanoCore 0x49447:$b: ClientPlugin 0x49484:$b: ClientPlugin 0x49d82:$b: ClientPlugin 0x49d8f:$b: ClientPlugin 0x5c95b:$b: ClientPlugin 0x5c976:$b: ClientPlugin 0x5c9a6:$b: ClientPlugin 0x5cbbd:$b: ClientPlugin 0x5cbf2:$b: ClientPlugin 0x7541f:$b: ClientPlugin 0x7543a:$b: ClientPlugin
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1ee0d:$x1: NanoCore.ClientPluginHost 0x1ee4a:$x2: IClientNetworkHost 0x13d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e95:$a: NanoCore 0x2ea5:$a: NanoCore 0x1edb9:$a: NanoCore 0x1edcd:$a: NanoCore 0x1ee0d:$a: NanoCore 0x2ef4:$b: ClientPlugin 0x1edd6:$b: ClientPlugin 0x1ee16:$b: ClientPlugin 0x1ecfb:$c: ProjectData 0x1f702:$d: DESCrypto 0x1467e:$e: KeepAlive 0x234dc:$g: LogClientMessage 0x12657:$i: get_Connected 0x1203d:$j: #=q 0x1206d:$j: #=q 0x12089:$j: #=q 0x120da:$j: #=q 0x120f6:$j: #=q 0x1211e:$j: #=q 0x1213a:$j: #=q 0x1216a:$j: #=q
0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wscript.exe PID: 7012	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e8c78:$x1: NanoCore.ClientPluginHost 0x1e8cb5:$x2: IClientNetworkHost 0x1ec3ba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f7283:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c3968:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45c59f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x467932:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4a6164:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wscript.exe PID: 7012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wscript.exe PID: 7012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e8a83:$a: NanoCore 0x1e8a93:$a: NanoCore 0x1e8b08:$a: NanoCore 0x1e8b17:$a: NanoCore 0x1e8c24:$a: NanoCore 0x1e8c38:$a: NanoCore 0x1e8c78:$a: NanoCore 0x1f38ed:$a: NanoCore 0x1f38ff:$a: NanoCore 0x1f393b:$a: NanoCore 0x2bffd2:$a: NanoCore 0x2bffe4:$a: NanoCore 0x2c0020:$a: NanoCore 0x458c09:$a: NanoCore 0x458c1b:$a: NanoCore 0x458c57:$a: NanoCore 0x463f9c:$a: NanoCore 0x463fae:$a: NanoCore 0x463fea:$a: NanoCore 0x4a9702:$a: NanoCore 0x4a9714:$a: NanoCore
Process Memory Space: Notepad.exe PID: 3664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Notepad.exe PID: 3664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Chrome.exe PID: 5276	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f44c:$x1: NanoCore.ClientPluginHost 0x3f489:$x2: IClientNetworkHost 0x3d23:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc5b6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4575d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Chrome.exe PID: 5276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Chrome.exe PID: 5276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3f132:$a: NanoCore 0x3f142:$a: NanoCore 0x3f1f1:$a: NanoCore 0x3f200:$a: NanoCore 0x3f3f8:$a: NanoCore 0x3f40c:$a: NanoCore 0x3f44c:$a: NanoCore 0x41dc7:$a: NanoCore 0x41dd9:$a: NanoCore 0x41e15:$a: NanoCore 0x14695:$b: ClientPlugin 0x146ba:$b: ClientPlugin 0x14714:$b: ClientPlugin 0x14739:$b: ClientPlugin 0x38a67:$b: ClientPlugin 0x38a74:$b: ClientPlugin 0x38ab1:$b: ClientPlugin 0x38abe:$b: ClientPlugin 0x3a03d:$b: ClientPlugin 0x3a062:$b: ClientPlugin 0x3a0b3:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1911:$a: NanoCore 0x196e:$a: NanoCore 0x19e1:$a: NanoCore 0xaa9d:$a: NanoCore 0xad0b:$a: NanoCore 0xad5e:$a: NanoCore 0xad97:$a: NanoCore 0xae0a:$a: NanoCore 0xba61:$a: NanoCore 0x1b7c2:$a: NanoCore 0x1b7d1:$a: NanoCore 0x1b9c5:$a: NanoCore 0x1b9d7:$a: NanoCore 0x1ba13:$a: NanoCore 0x28ef6:$a: NanoCore 0x2f6d0:$a: NanoCore 0x2f6e3:$a: NanoCore 0x2f715:$a: NanoCore 0x34b32:$a: NanoCore 0x34b45:$a: NanoCore 0x34b77:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 5480	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 5480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.wscript.exe.2756be19830.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.397e43c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.397e43c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.397e43c.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.2953dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.dhcpmon.exe.2953dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1120d:$x1: NanoCore.ClientPluginHost 0x1124a:$x2: IClientNetworkHost 0x611d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756c017c00.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1120d:$x2: NanoCore.ClientPluginHost 0x12846:$s1: PluginCommand 0x1283a:$s2: FileCommand 0x4a8b:$s3: PipeExists 0x6a52:$s4: PipeCreated 0x11237:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x111b9:$a: NanoCore 0x111cd:$a: NanoCore 0x1120d:$a: NanoCore 0x111d6:$b: ClientPlugin 0x11216:$b: ClientPlugin 0x110fb:$c: ProjectData 0x11b02:$d: DESCrypto 0x6a7e:$e: KeepAlive 0x158dc:$g: LogClientMessage 0x4a57:$i: get_Connected 0x443d:$j: #=q 0x446d:$j: #=q 0x4489:$j: #=q 0x44da:$j: #=q 0x44f6:$j: #=q 0x451e:$j: #=q 0x453a:$j: #=q 0x456a:$j: #=q 0x45a4:$j: #=q 0x45db:$j: #=q 0x45f7:$j: #=q
7.2.dhcpmon.exe.3979606.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0d4:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3979606.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0a7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e182:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c1:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3979606.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3979606.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d05d:$a: NanoCore 0x2d072:$a: NanoCore 0x2d0a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce19:$b: ClientPlugin 0x2ce34:$b: ClientPlugin
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.3.wscript.exe.2756be19830.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.wscript.exe.2756cac70e0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756cac70e0.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wscript.exe.2756cac70e0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756cac70e0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.Notepad.exe.3d699d8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Notepad.exe.3d699d8.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.Chrome.exe.1e0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Chrome.exe.1e0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Chrome.exe.1e0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Chrome.exe.1e0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.3982a65.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3982a65.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3982a65.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.a0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.a0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.397e43c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28271:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2829e:$x2: IClientNetworkHost
7.2.dhcpmon.exe.397e43c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28271:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2934c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2828b:$s5: IClientLoggingHost
7.2.dhcpmon.exe.397e43c.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf40d:$x1: NanoCore.ClientPluginHost 0xf44a:$x2: IClientNetworkHost 0x431d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756c017c00.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf40d:$x2: NanoCore.ClientPluginHost 0x10a46:$s1: PluginCommand 0x10a3a:$s2: FileCommand 0x2c8b:$s3: PipeExists 0x4c52:$s4: PipeCreated 0xf437:$s5: IClientLoggingHost
1.2.wscript.exe.2756c017c00.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756c017c00.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf3b9:$a: NanoCore 0xf3cd:$a: NanoCore 0xf40d:$a: NanoCore 0xf3d6:$b: ClientPlugin 0xf416:$b: ClientPlugin 0xf2fb:$c: ProjectData 0xfd02:$d: DESCrypto 0x4c7e:$e: KeepAlive 0x13adc:$g: LogClientMessage 0x2c57:$i: get_Connected 0x263d:$j: #=q 0x266d:$j: #=q 0x2689:$j: #=q 0x26da:$j: #=q 0x26f6:$j: #=q 0x271e:$j: #=q 0x273a:$j: #=q 0x276a:$j: #=q 0x27a4:$j: #=q 0x27db:$j: #=q 0x27f7:$j: #=q
4.2.Notepad.exe.3d699d8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Notepad.exe.3d699d8.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.wscript.exe.2756cac70e0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wscript.exe.2756cac70e0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.wscript.exe.2756cac70e0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wscript.exe.2756cac70e0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.wscript.exe.2756be19830.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.0.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.dhcpmon.exe.a0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.dhcpmon.exe.a0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.dhcpmon.exe.a0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.3.wscript.exe.2756bde6e20.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42b9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bda:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4670d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756bde6e20.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42915:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42b9d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441d6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441ca:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4507b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae32:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bc7:$s5: IClientLoggingHost
1.3.wscript.exe.2756bde6e20.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756bde6e20.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42905:$a: NanoCore 0x42915:$a: NanoCore 0x42b49:$a: NanoCore 0x42b5d:$a: NanoCore 0x42b9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42964:$b: ClientPlugin 0x42b66:$b: ClientPlugin 0x42ba6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a8b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43492:$d: DESCrypto 0x1844e:$e: KeepAlive
1.3.wscript.exe.2756be19830.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.3.wscript.exe.2756be19830.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.3.wscript.exe.2756be19830.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.3.wscript.exe.2756be19830.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 64 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Chrome.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Networking:

Sigma detected: MSBuild connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 5.149.255.77, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Initiated: true, ProcessId: 5480, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49829

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Found malware configuration

Show sources

Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "de7e01ad-963b-4e14-81aa-08dfb351", "Group": "Do", "Domain1": "sys2021.linkpc.net", "Domain2": "23.94.82.41", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 4.2.Notepad.exe.3d699d8.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@quanturnvia.com", "Password": "info", "Host": "mail.quanturnvia.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: 09142021_PDF.vbs

ReversingLabs: Detection: 26%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Metadefender: Detection: 85%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	ReversingLabs: Detection: 100%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 5.0.Chrome.exe.1e0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.a0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 7.0.dhcpmon.exe.a0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: hmltog.exe, hmltog.exe.10.dr

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

4_2_06A0C4D8

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 23.94.82.41
Source: Malware configuration extractor	URLs: sys2021.linkpc.net

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

IP Address: 23.94.82.41 23.94.82.41

Source: global traffic	TCP traffic: 192.168.2.6:49743 -> 105.112.53.223:11940
Source: global traffic	TCP traffic: 192.168.2.6:49809 -> 23.94.82.41:11940
Source: global traffic	TCP traffic: 192.168.2.6:49829 -> 5.149.255.77:587

Source: global traffic

TCP traffic: 192.168.2.6:49829 -> 5.149.255.77:587

Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: http://gEwqkY.com
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Notepad.exe, 00000004.00000003.371547514.0000000004E32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comT.TTF
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTFdL
Source: Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsief0
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Notepad.exe, 00000004.00000003.358898696.0000000004E4D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com8
Source: Notepad.exe, 00000004.00000003.363785033.0000000004E14000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.363111776.0000000004E21000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-d
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnormT
Source: Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrru
Source: Notepad.exe, 00000004.00000003.363241096.0000000004E21000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsof
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/font0
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
Source: Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s-c
Source: Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: Notepad.exe, 00000004.00000003.379428172.0000000004E21000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.371741312.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Notepad.exe, 00000004.00000003.368283874.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Notepad.exe, 00000004.00000003.368997086.0000000004E22000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comx
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Notepad.exe, 00000004.00000003.365756821.0000000004E2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comNX
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.delar
Source: Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deoi
Source: Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Notepad.exe, 00000004.00000003.364646531.0000000004E1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnse
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MSBuild.exe, 0000000A.00000002.869802596.0000000003215000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000003.606851732.0000000000ED4000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.870025295.0000000003298000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://t9ePmKiGxqnJEdt3liGF.com
Source: Notepad.exe, 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: sys2021.linkpc.net

Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41
Source: unknown	TCP traffic detected without corresponding DNS query: 23.94.82.41

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Jump to behavior

Source: Notepad.exe, 00000004.00000002.410952982.0000000000B58000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: Notepad.exe.1.dr, Dbhandler.cs	Long String: Length: 217896
Source: 4.0.Notepad.exe.3b0000.0.unpack, Dbhandler.cs	Long String: Length: 217896
Source: 4.2.Notepad.exe.3b0000.0.unpack, Dbhandler.cs	Long String: Length: 217896

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026626B0	4_2_026626B0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266AF88	4_2_0266AF88
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026620C0	4_2_026620C0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266E108	4_2_0266E108
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266C180	4_2_0266C180
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266FE48	4_2_0266FE48
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266EE38	4_2_0266EE38
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026626A1	4_2_026626A1
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266F870	4_2_0266F870
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02662400	4_2_02662400
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02662408	4_2_02662408
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026620B1	4_2_026620B1
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026639CC	4_2_026639CC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_026639D0	4_2_026639D0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A06690	4_2_06A06690
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0A7D0	4_2_06A0A7D0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03580	4_2_06A03580
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03AA8	4_2_06A03AA8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0368C	4_2_06A0368C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A002E8	4_2_06A002E8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A002D9	4_2_06A002D9
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03623	4_2_06A03623
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03659	4_2_06A03659
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A03F89	4_2_06A03F89
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00FCF	4_2_06A00FCF
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00FD0	4_2_06A00FD0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04F68	4_2_06A04F68
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04F58	4_2_06A04F58
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A08CA0	4_2_06A08CA0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A064A8	4_2_06A064A8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04CA9	4_2_06A04CA9
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A054B8	4_2_06A054B8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00489	4_2_06A00489
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A05491	4_2_06A05491
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00498	4_2_06A00498
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04831	4_2_06A04831
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A04018	4_2_06A04018
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A0356F	4_2_06A0356F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_000A524A	7_2_000A524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_02543850	7_2_02543850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_025423A0	7_2_025423A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_02542FA8	7_2_02542FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0254306F	7_2_0254306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAF8B8	10_2_00EAF8B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAB891	10_2_00EAB891
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EAA1E8	10_2_00EAA1E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA1792	10_2_00EA1792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA3360	10_2_00EA3360
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA5730	10_2_00EA5730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA7330	10_2_00EA7330
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA2F08	10_2_00EA2F08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA56D0	10_2_00EA56D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_00EA33A8	10_2_00EA33A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_01458110	10_2_01458110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532E738	10_2_0532E738
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05320D40	10_2_05320D40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532C9D0	10_2_0532C9D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0532A010	10_2_0532A010
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05329058	10_2_05329058
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_053280D8	10_2_053280D8
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C46D08	18_2_00C46D08
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C46950	18_2_00C46950
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_00C4692F	18_2_00C4692F
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 18_2_02E70708	18_2_02E70708
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Code function: 21_2_05210708	21_2_05210708

Source: 09142021_PDF.vbs

Initial sample: Strings found which are bigger than 50

Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hmltog.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.2953dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D19AA NtQuerySystemInformation,	4_2_065D19AA
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D1979 NtQuerySystemInformation,	4_2_065D1979
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115B0BA NtQuerySystemInformation,	10_2_0115B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115B089 NtQuerySystemInformation,	10_2_0115B089

Source: Chrome.exe.1.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999732142857
Source: dhcpmon.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999732142857

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Notepad.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winVBS@12/11@10/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: hmltog.exe, 00000012.00000002.485308423.00000000032E1000.00000004.00000001.sdmp, hmltog.exe, 00000015.00000002.505175873.00000000030D1000.00000004.00000001.sdmp	Binary or memory string: kr/.C:\Users\user\AppData\Roaming\hmltog\*.sln
Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
Source: MSBuild.exe, 0000000A.00000003.455041958.00000000010A9000.00000004.00000001.sdmp, hmltog.exe, 00000012.00000000.481542835.0000000000C42000.00000002.00020000.sdmp, hmltog.exe, 00000015.00000000.499822928.0000000000A52000.00000002.00020000.sdmp, hmltog.exe.10.dr	Binary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
Source: hmltog.exe	Binary or memory string: *.sln

Source: 09142021_PDF.vbs

ReversingLabs: Detection: 26%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe 'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D182E AdjustTokenPrivileges,	4_2_065D182E
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_065D17F7 AdjustTokenPrivileges,	4_2_065D17F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115AF3E AdjustTokenPrivileges,	10_2_0115AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_0115AF07 AdjustTokenPrivileges,	10_2_0115AF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Notepad.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{de7e01ad-963b-4e14-81aa-08dfb351f0fe}
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Mutant created: \Sessions\1\BaseNamedObjects\hhdyEjeEgtQTuxIXRQTj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01

Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Chrome.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Chrome.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 09142021_PDF.vbs

Static file information: File size 1471650 > 1048576

Source:

Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: hmltog.exe, hmltog.exe.10.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\Notepad.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIJ4QGEAAAAAAAAAAOAAAgELAVAAAMAMAAAIAAAAAAAApt8");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Notepad.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Chrome.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\Notepad.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\Chrome.exe")

.NET source code contains potential unpacker

Show sources

Source: Notepad.exe.1.dr, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Chrome.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Chrome.exe.1.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Notepad.exe.3b0000.0.unpack, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Notepad.exe.3b0000.0.unpack, frmSplash.cs	.Net Code: D6549645123 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_003B5E9A push es; iretd	4_2_003B5E9C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_003B7D46 push cs; ret	4_2_003B7D90
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02666F5A pushfd ; retf	4_2_02666F5B
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_02666FD2 push ds; retf	4_2_02666FD9
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_0266779D push ebx; ret	4_2_026677A4
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A032C2 push es; iretd	4_2_06A032E0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A07706 push es; retf	4_2_06A0770C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A07714 push es; retf	4_2_06A07716
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A00F6A push es; retf	4_2_06A00F70
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Code function: 4_2_06A031C6 push es; ret	4_2_06A031CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05C14334 push cs; retf	10_2_05C1434B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 10_2_05C142BF push cs; retf	10_2_05C142D7

Source: Chrome.exe.1.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: Chrome.exe.1.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.5.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.5.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.a0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.a0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File created: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Notepad.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\Chrome.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmltog			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmltog			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	File opened: C:\Users\user\AppData\Local\Temp\Chrome.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe TID: 5804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe TID: 6300	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe TID: 6296	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep count: 1200 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -36000000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6868	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe TID: 5748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: threadDelayed 394	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: threadDelayed 1370	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: foregroundWindowGot 1166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Window / User API: foregroundWindowGot 447	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 1200	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Notepad.exe, 00000004.00000002.411103609.0000000000C02000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 09142021_PDF.vbs	Binary or memory string: Dim IBtoeUPykBMFiGDyawAolQRWcqXUsQdFYeVwUHmnAOSjiQudAbpngXTskWLowuGTXGgDlGeSKNnWxioMwuUQbpZBLdMxwxqGIzMcjqstxWdTjwuBizsCZprhgfsIugWNWhOxVMcFBbTFMGSOiKPwFogSIfvExkyQAQxBiwgWWmAyWmUaMdZjRZIhAvpqRYHRcCEwJQflet
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Chrome.exe, 00000005.00000003.455107146.0000000000841000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2!
Source: wscript.exe, 00000001.00000003.346093105.000002756A691000.00000004.00000001.sdmp	Binary or memory string: nQwLmzyelpgCwqJhXPErFsNqyAFJxHofpkBqgPShKTeBtAHEsZDBtxVuCGNluphdABNMoTAIwXgmOLwxtAQXEnlsPHnaCgnVlABsnuQZYvEVQjgrKPrtYJZNPVxhfaFQkLANKDKzkqyJiQbfawPmouwbbncRxjuypolEiShGFsIhKQeztRGjKTbqOYmWasCBwATufWxHPJgIA{
Source: Notepad.exe, 00000004.00000002.411103609.0000000000C02000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware13XA57K6Win32_VideoControllerLDM5VS5DVideoController120060621000000.000000-0002029.670display.infMSBDA7YS7HNXAPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsL54N_7SB
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: wscript.exe, 00000001.00000003.346046444.000002756B3BE000.00000004.00000001.sdmp	Binary or memory string: IBtoeUPykBMFiGDyawAolQRWcqXUsQdFYeVwUHmnAOSjiQudAbpngXTskWLowuGTXGgDlGeSKNnWxioMwuUQbpZBLdMxwxqGIzMcjqstxWdTjwuBizsCZprhgfsIugWNWhOxVMcFBbTFMGSOiKPwFogSIfvExkyQAQxBiwgWWmAyWmUaMdZjRZIhAvpqRYHRcCEwJQflet@
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 09142021_PDF.vbs	Binary or memory string: Dim nQwLmzyelpgCwqJhXPErFsNqyAFJxHofpkBqgPShKTeBtAHEsZDBtxVuCGNluphdABNMoTAIwXgmOLwxtAQXEnlsPHnaCgnVlABsnuQZYvEVQjgrKPrtYJZNPVxhfaFQkLANKDKzkqyJiQbfawPmouwbbncRxjuypolEiShGFsIhKQeztRGjKTbqOYmWasCBwATufWxHPJg
Source: Notepad.exe, 00000004.00000002.411624887.0000000002B74000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: Notepad.exe, 00000004.00000002.411577521.0000000002B4B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\AppData\Local\Temp\Chrome.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Chrome.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 10_2_00EA0C20 LdrInitializeThunk,

10_2_00EA0C20

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: Notepad.exe.1.dr

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects files into Windows application

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\Notepad.exe was created by C:\Windows\System32\wscript.exe	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D02008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe 'C:\Users\user\AppData\Local\Temp\Notepad.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Chrome.exe 'C:\Users\user\AppData\Local\Temp\Chrome.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}	Jump to behavior

Source: Chrome.exe, 00000005.00000003.488720785.000000000085A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Chrome.exe, 00000005.00000003.697902390.0000000000841000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Chrome.exe, 00000005.00000003.427566687.0000000000839000.00000004.00000001.sdmp	Binary or memory string: Program ManagerX
Source: MSBuild.exe, 0000000A.00000002.869546151.0000000001900000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.user\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.user.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe

Code function: 4_2_065D1212 GetUserNameA,

4_2_065D1212

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Notepad.exe.3d699d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Notepad.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5480, type: MEMORYSTR

Detected Nanocore Rat

Show sources

Source: wscript.exe, 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Chrome.exe, 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Chrome.exe.1.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3979606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Chrome.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3982a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.397e43c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756c017c00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.2756cac70e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756bde6e20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.wscript.exe.2756be19830.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Chrome.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	Input Capture121	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Scripting121	Credentials in Registry1	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing12	LSA Secrets	Security Software Discovery421	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol111	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion241	DCSync	Virtualization/Sandbox Evasion241	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
09142021_PDF.vbs	27%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Notepad.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	86%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\Chrome.exe	86%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Chrome.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\hmltog\hmltog.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.Chrome.exe.1e0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.dhcpmon.exe.a0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
10.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
7.0.dhcpmon.exe.a0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/font0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.comNX	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cna-d	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sakkal.comx	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/9	0%	Avira URL Cloud	safe
http://www.fontbureau.comT.TTF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.urwpp.deoi	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ww.m	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.delar	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://gEwqkY.com	0%	Avira URL Cloud	safe
23.94.82.41	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.zhongyicts.com.cnse	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/R	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/L	0%	URL Reputation	safe
http://www.founder.com.cn/cnrru	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comrsief0	0%	Avira URL Cloud	safe
http://www.fontbureau.comTTFdL	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnormT	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://t9ePmKiGxqnJEdt3liGF.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s-c	0%	Avira URL Cloud	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.founder.com.cn/cnsof	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.quanturnvia.com	5.149.255.77	true	true		unknown
sys2021.linkpc.net	105.112.53.223	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
23.94.82.41	true	Avira URL Cloud: safe	unknown
sys2021.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/font0	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comNX	Notepad.exe, 00000004.00000003.365756821.0000000004E2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cna-d	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.comx	Notepad.exe, 00000004.00000003.368997086.0000000004E22000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/9	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comT.TTF	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deoi	Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/h	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ww.m	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.delar	Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	Notepad.exe, 00000004.00000003.373679648.0000000004E2F000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.370080417.0000000004E2F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.come	Notepad.exe, 00000004.00000003.358559392.0000000000E9D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Notepad.exe, 00000004.00000003.368283874.0000000004E22000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Notepad.exe, 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://gEwqkY.com	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnse	Notepad.exe, 00000004.00000003.364646531.0000000004E1E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/R	Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/L	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnrru	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsief0	Notepad.exe, 00000004.00000003.409520900.0000000004E10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comTTFdL	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Notepad.exe, 00000004.00000003.363785033.0000000004E14000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.363111776.0000000004E21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnormT	Notepad.exe, 00000004.00000003.362974098.0000000004E13000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	Notepad.exe, 00000004.00000003.379428172.0000000004E21000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.371741312.0000000004E22000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp, Notepad.exe, 00000004.00000003.367822956.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t9ePmKiGxqnJEdt3liGF.com	MSBuild.exe, 0000000A.00000002.869802596.0000000003215000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000003.606851732.0000000000ED4000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.870025295.0000000003298000.00000004.00000001.sdmp, MSBuild.exe, 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Notepad.exe, 00000004.00000002.415758749.00000000060C2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comitu	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comals	Notepad.exe, 00000004.00000003.373470577.0000000004E16000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/s-c	Notepad.exe, 00000004.00000003.367537675.0000000004E16000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Notepad.exe, 00000004.00000003.371547514.0000000004E32000.00000004.00000001.sdmp	false		high
http://www.fonts.com8	Notepad.exe, 00000004.00000003.358898696.0000000004E4D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnsof	Notepad.exe, 00000004.00000003.363241096.0000000004E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
23.94.82.41	unknown	United States	36352	AS-COLOCROSSINGUS	true
5.149.255.77	mail.quanturnvia.com	United Kingdom	59711	HZ-NL-ASGB	true
105.112.53.223	sys2021.linkpc.net	Nigeria	36873	VNL1-ASNG	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483646
Start date:	15.09.2021
Start time:	10:49:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	09142021_PDF.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winVBS@12/11@10/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.3% (good quality ratio 0.8%) Quality average: 6.5% Quality standard deviation: 15.1%
HCA Information:	Successful, ratio: 94% Number of executed functions: 450 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.82.209.183, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.35.236.56, 20.50.102.62 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:50:16	API Interceptor	1935x Sleep call for process: Chrome.exe modified
10:50:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
10:50:35	API Interceptor	1x Sleep call for process: Notepad.exe modified
10:50:51	API Interceptor	1718x Sleep call for process: MSBuild.exe modified
10:51:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run hmltog C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
10:51:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run hmltog C:\Users\user\AppData\Roaming\hmltog\hmltog.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.94.82.41	09112021_pdf.vbs	Get hash	malicious	Browse
	02_extracted.exe	Get hash	malicious	Browse
	09062021_PDF.vbs	Get hash	malicious	Browse
	09052021_PDF.vbs	Get hash	malicious	Browse
	09042021_PDF.vbs	Get hash	malicious	Browse
	PRODUCT INVOICESPDF.exe	Get hash	malicious	Browse
	11_extracted.exe	Get hash	malicious	Browse
	Payment Order_PDF.vbs	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sys2021.linkpc.net	09112021_pdf.vbs	Get hash	malicious	Browse	105.112.45.229
	02_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	01_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	P4ImU1Vrfj.exe	Get hash	malicious	Browse	192.227.128.168
	09062021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	09052021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	09042021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	8202021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	8192021_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	PRODUCT INVOICESPDF.exe	Get hash	malicious	Browse	192.227.128.168
	02_extracted.exe	Get hash	malicious	Browse	192.227.128.168
	PRODUCT INVOICES_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	Invoice NeededPDF.exe	Get hash	malicious	Browse	192.227.128.168
	Inv-04_PDF.vbs	Get hash	malicious	Browse	192.227.128.168
	Ee50nK4E89.exe	Get hash	malicious	Browse	192.227.128.168
	11_extracted.exe	Get hash	malicious	Browse	197.210.29.244
	01_extracted.exe	Get hash	malicious	Browse	197.210.29.244
	Payment Order for #0025_PDF.vbs	Get hash	malicious	Browse	197.210.29.244
	Payment Order_PDF.vbs	Get hash	malicious	Browse	23.94.82.41
mail.quanturnvia.com	09112021_pdf.vbs	Get hash	malicious	Browse	5.149.255.77

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	Swift Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	vkb.xlsx	Get hash	malicious	Browse	192.3.13.11
	Transfer Swift.xlsx	Get hash	malicious	Browse	172.245.26.190
	ORDER 5172020.xlsx	Get hash	malicious	Browse	198.12.84.109
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	proforma invoice.xlsx	Get hash	malicious	Browse	192.3.141.149
	Swift_Mt103.xlsx	Get hash	malicious	Browse	23.95.13.175
	PO-80722 .xlsx	Get hash	malicious	Browse	198.12.84.109
	MT103-Swift Copy.xlsx	Get hash	malicious	Browse	198.46.199.203
	Items_quote.xlsx	Get hash	malicious	Browse	172.245.26.145
	Usd_transfer.xlsx	Get hash	malicious	Browse	172.245.26.145
	REF_MIDLGB34.xlsx	Get hash	malicious	Browse	23.94.159.208
	ORDER RFQ1009202.xlsx	Get hash	malicious	Browse	23.95.85.181
	msn.xlsx	Get hash	malicious	Browse	198.12.127.217
	swift.xlsx	Get hash	malicious	Browse	198.46.199.171
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	198.12.107.117
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	172.245.26.190
	Po2142021.xlsx	Get hash	malicious	Browse	198.12.107.117
	UPDATED SOA - JUNE & JUULY & AUGUST.xlsx	Get hash	malicious	Browse	192.3.146.254
	USD INV#1191189.xlsx	Get hash	malicious	Browse	192.3.146.254

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Chrome.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.447937910582972
Encrypted:	false
SSDEEP:	6144:wLV6Bta6dtJmakIM5pFmHi8ieZv00yRQ+E2c8:wLV6BtpmkGFmC83KWH2c8
MD5:	A9C24A18FBD231939EB608A7A2087A49
SHA1:	1FF543A9B901E0064DC51643445AB4D06BD3815E
SHA-256:	8825944DDA4E2F28B26B51D7F4F9869EE5FA0553432414C4A9DF266FCB81C3B4
SHA-512:	2D88103A0AE1B614F76BC43BE8E5B9DE5F3DAA5C56454E7F6F28D581593803AD6D5605ECAE7671CEC57B39DBDB0A15BB802E6763689B4E02E83F76F55CCED1B7
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 86%, Browse Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Notepad.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Notepad.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	794
Entropy (8bit):	5.275237952673745
Encrypted:	false
SSDEEP:	24:MLF20NaL3z2p29hJ5g522rW2xAi3AP29XBT:MwLLD2Y9h3go2rxxAcAO9XBT
MD5:	DA438C60C1B51D4F4CC7570ED3423896
SHA1:	6A381EA43A25330861EBDD9035C396FCAF1F8B3F
SHA-256:	067E533EFB173D68852FBAFED12FBE975141C44FB7E7CEDEE754BBC8A81CCCF7
SHA-512:	6727E148508CD60C5DC0F9E515B56C8522B7FEEAE18B4AEC990612ED65FAB488FFF8BAA71CE6E7A073F30466F0E8D62B6B307A131F85F29B9434E0A4CBE70FA7
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hmltog.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.user, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\Chrome.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.447937910582972
Encrypted:	false
SSDEEP:	6144:wLV6Bta6dtJmakIM5pFmHi8ieZv00yRQ+E2c8:wLV6BtpmkGFmC83KWH2c8
MD5:	A9C24A18FBD231939EB608A7A2087A49
SHA1:	1FF543A9B901E0064DC51643445AB4D06BD3815E
SHA-256:	8825944DDA4E2F28B26B51D7F4F9869EE5FA0553432414C4A9DF266FCB81C3B4
SHA-512:	2D88103A0AE1B614F76BC43BE8E5B9DE5F3DAA5C56454E7F6F28D581593803AD6D5605ECAE7671CEC57B39DBDB0A15BB802E6763689B4E02E83F76F55CCED1B7
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 86%, Browse Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Temp\Notepad.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	838144
Entropy (8bit):	6.081092945132605
Encrypted:	false
SSDEEP:	12288:l83ory3veUbILoxew9VhmJmpeSoAfTU6tWq:lDIee8+mGoAfTU6Eq
MD5:	033B15C82C1F08143DA87E0F4D1AD9BC
SHA1:	8E0436CA6C3A04EF9158779A167558136D160578
SHA-256:	95BF92B7472F7475789FB6838C8C3EED943C69EFE8B3E2A9DF4714D189FB59CB
SHA-512:	979D35460519C2F3E4363E25608D44D195AE9BE07902F69529D99A18833DACA0BE6BEB6E32B8BCAFB3A2E7578E2B38A9E8B8856041E6288EE78342556C47D045
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x@a..............P.................. ........@.. ....................... ............@.................................T...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........\...............d...z...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\Chrome.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:SG+t:SG+t
MD5:	C4EAAD30813C874DC8DA4CAA8F2D054C
SHA1:	C011FAE0CF642FB0381E6C0206D22E2CD923A816
SHA-256:	EAB05C007E1FAEDE7355F0FC43BC76095A26C12396F5BAAB48DC1813C05003D6
SHA-512:	6C8325CB7CC3986844A6C1FDCBD44774D2873DBFA331439F39C22D21D1448969258560349A61D0BB1EB38D11B85C7F194DBA61AC4C3B94F60AE073D86E9D11A8
Malicious:	true
Reputation:	unknown
Preview:	Y..Fqx.H

C:\Users\user\AppData\Roaming\hmltog\hmltog.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.20894581699571
Encrypted:	false
SSDEEP:	768:NElGiBcBuiyFjUwF0wdP9/rJMDnRFRJfStGpwV3e3qtAcy:ilGBu7jjP9/tMDn9Jt+VO3GO
MD5:	88BBB7610152B48C2B3879473B17857E
SHA1:	0F6CF8DD66AA58CE31DA4E8AC0631600EF055636
SHA-256:	2C7ACC16D19D076D67E9F1F37984935899B79536C9AC6EEC8850C44D20F87616
SHA-512:	5BACDF6C190A76C2C6A9A3519936E08E898AC8A2B1384D60429DF850BE778860435BF9E5EB316517D2345A5AAE201F369863F7A242134253978BCB5B2179CA58
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.....................@........... ........@.. .......................@......99....@.....................................S.......`/................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc...`/.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tfeoxaxs.grf\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.969261552825097
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFdCsq2UTiMdH8stCal+n:zK1XnV30ZsGMIG9BFRbQdCT2UftCM+
MD5:	F227448515085A647910907084E6728E
SHA1:	5FA1A8E28B084DA25A1BBC51A2D75810CEF57E2C
SHA-256:	662BA47D628FE8EBE95DD47B4482110A10B49AED09387BC0E028BB66E68E20BD
SHA-512:	6F6E5DFFF7B17C304FB19B0BA5466AF84EF98A5C2EFA573AF72CFD3ED6964E9FD7F8E4B79FCFFBEF87CE545418C69D4984F4DD60BBF457D0A3640950F8FC5AF0
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Build user Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.3236705425594835
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	09142021_PDF.vbs
File size:	1471650
MD5:	4a638d451c40bc23491a0c79b6561d29
SHA1:	5caa98e6150e72cff32549541ab937cc952b769c
SHA256:	62e85b9481efe0bb5921277ce40acb236dba44be1bbe8bab2be8068eef10c341
SHA512:	410334862dfa2d11e847969405545142ccd3d1654add3b11f5c23cbcb5112ae801a1aefc25bee8d851d044ffd3e8e99cfd0c8a7fc05fc21ee948c0f83ac600ac
SSDEEP:	12288:0UL1Nfz4Y0BgIVv1Mt/MMNLDT/DrEiv9ByYU2jB0liBsrvr21H6wonm7c4W1VVhj:zv8Dv1MuMp/JBH+l8srvria57rV0FwP7
File Content Preview:	on error resume next..Dim SNgEqCPQQbWMHuXZTLRZLRJqDDkJhViPxZWqJgtrDhThqknktVsdPIFBDqBnSFjvtGPhXgQmRaVdxbzTPAPMcFApTVmSfFZyyYojVGMMFGLomcEbqiYRpXSnGZOCuxGMBXfYnPxJoCGWuLCrRLbxhHIaFAcvrJSHAznPwfobkOdmQwtvXWkjWIetOESmmCRekzWvXnvlXANS..'dVKJGhXUYjlrUtArNBoixz

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:50:19.306777000 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:22.316092968 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:28.316631079 CEST	49743	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:41.293034077 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:44.302396059 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:50:50.342758894 CEST	49746	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:01.553158045 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:04.554112911 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:10.554585934 CEST	49749	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:51:21.782233000 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:24.790155888 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:30.791054010 CEST	49809	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:40.443243027 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:43.448211908 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:51:49.457070112 CEST	49822	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:00.962013006 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:03.971230030 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:09.987334967 CEST	49827	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:52:19.833290100 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:21.162101984 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.189008951 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.189109087 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.256990910 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.257353067 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.286353111 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.286890030 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.314744949 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.315071106 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.343508005 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.343986034 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.370634079 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.370991945 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.397991896 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.401993036 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.428607941 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.428678989 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.431670904 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.431940079 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432214975 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432436943 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432615995 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432784081 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.432975054 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:21.458610058 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.458931923 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.459191084 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.465493917 CEST	587	49829	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:21.519562006 CEST	49829	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.376977921 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.403907061 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.404352903 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.469660044 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.469952106 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.498035908 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.498641014 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.526045084 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.526700974 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.554003000 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.554395914 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.581418037 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.581680059 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.609419107 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.609725952 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.636522055 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.636557102 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.636987925 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637131929 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637283087 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637492895 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637604952 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637737036 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.637830019 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638125896 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638169050 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.638268948 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.663836956 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664103031 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664314032 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.664923906 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.683985949 CEST	587	49830	5.149.255.77	192.168.2.6
Sep 15, 2021 10:52:22.739510059 CEST	49830	587	192.168.2.6	5.149.255.77
Sep 15, 2021 10:52:22.847888947 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:28.864120960 CEST	49828	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:37.386285067 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:40.396414042 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:46.412393093 CEST	49831	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:54.468350887 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:52:57.475806952 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:53:03.491971016 CEST	49832	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:53:11.777662992 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:14.789907932 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:20.790340900 CEST	49833	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:28.959137917 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:31.948081017 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:37.963964939 CEST	49834	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:46.091742992 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:49.089564085 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:53:55.090881109 CEST	49835	11940	192.168.2.6	23.94.82.41
Sep 15, 2021 10:54:04.782836914 CEST	49836	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:54:07.778820038 CEST	49836	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:54:13.779227018 CEST	49836	11940	192.168.2.6	105.112.53.223
Sep 15, 2021 10:54:21.358670950 CEST	49837	11940	192.168.2.6	105.112.53.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:50:04.125307083 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:04.160633087 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:19.138469934 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:19.287982941 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:36.899993896 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:36.932965994 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:41.153657913 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:41.291009903 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 15, 2021 10:50:55.433137894 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:50:55.457901955 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.171010017 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.201704979 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.399852991 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.550944090 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:01.708643913 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:01.761490107 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.036664963 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:02.081840992 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.616884947 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:02.647747040 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:02.981756926 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:03.047548056 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:05.194477081 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:05.251976013 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:05.781666994 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:05.808219910 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:06.416080952 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:06.446599007 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:07.227823973 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:07.283915997 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:08.054306030 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:08.083729982 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:08.551827908 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:08.576860905 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:13.072951078 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:13.102680922 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:32.466561079 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:32.496287107 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:51.152565956 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:51.197371006 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 15, 2021 10:51:53.104293108 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:51:53.147177935 CEST	53	63718	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:19.785521984 CEST	62116	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:19.815593004 CEST	53	62116	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:21.006614923 CEST	63816	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:21.049338102 CEST	53	63816	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:22.325558901 CEST	55014	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:22.374388933 CEST	53	55014	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:37.239762068 CEST	62208	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:37.384242058 CEST	53	62208	8.8.8.8	192.168.2.6
Sep 15, 2021 10:52:54.328156948 CEST	57574	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:52:54.457591057 CEST	53	57574	8.8.8.8	192.168.2.6
Sep 15, 2021 10:54:04.651829958 CEST	51818	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:54:04.781595945 CEST	53	51818	8.8.8.8	192.168.2.6
Sep 15, 2021 10:54:21.328382015 CEST	56628	53	192.168.2.6	8.8.8.8
Sep 15, 2021 10:54:21.357949972 CEST	53	56628	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 10:50:19.138469934 CEST	192.168.2.6	8.8.8.8	0xbe37	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:50:41.153657913 CEST	192.168.2.6	8.8.8.8	0x89ea	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:51:01.399852991 CEST	192.168.2.6	8.8.8.8	0xb4d8	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:19.785521984 CEST	192.168.2.6	8.8.8.8	0x4f09	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:21.006614923 CEST	192.168.2.6	8.8.8.8	0x1099	Standard query (0)	mail.quanturnvia.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:22.325558901 CEST	192.168.2.6	8.8.8.8	0xb403	Standard query (0)	mail.quanturnvia.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:37.239762068 CEST	192.168.2.6	8.8.8.8	0x8e11	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:54.328156948 CEST	192.168.2.6	8.8.8.8	0x3f29	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:04.651829958 CEST	192.168.2.6	8.8.8.8	0x5bd1	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:21.328382015 CEST	192.168.2.6	8.8.8.8	0x31f5	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 15, 2021 10:50:19.287982941 CEST	8.8.8.8	192.168.2.6	0xbe37	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:50:41.291009903 CEST	8.8.8.8	192.168.2.6	0x89ea	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:51:01.550944090 CEST	8.8.8.8	192.168.2.6	0xb4d8	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:19.815593004 CEST	8.8.8.8	192.168.2.6	0x4f09	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:21.049338102 CEST	8.8.8.8	192.168.2.6	0x1099	No error (0)	mail.quanturnvia.com	5.149.255.77	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:22.374388933 CEST	8.8.8.8	192.168.2.6	0xb403	No error (0)	mail.quanturnvia.com	5.149.255.77	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:37.384242058 CEST	8.8.8.8	192.168.2.6	0x8e11	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:52:54.457591057 CEST	8.8.8.8	192.168.2.6	0x3f29	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:04.781595945 CEST	8.8.8.8	192.168.2.6	0x5bd1	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)
Sep 15, 2021 10:54:21.357949972 CEST	8.8.8.8	192.168.2.6	0x31f5	No error (0)	sys2021.linkpc.net	105.112.53.223	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 15, 2021 10:52:21.256990910 CEST	587	49829	5.149.255.77	192.168.2.6	220 mail.quanturnvia.com ESMTP Exim 4.92.3 Wed, 15 Sep 2021 08:52:21 +0000
Sep 15, 2021 10:52:21.257353067 CEST	49829	587	192.168.2.6	5.149.255.77	EHLO 760639
Sep 15, 2021 10:52:21.286353111 CEST	587	49829	5.149.255.77	192.168.2.6	250-mail.quanturnvia.com Hello 760639 [84.17.52.51] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Sep 15, 2021 10:52:21.286890030 CEST	49829	587	192.168.2.6	5.149.255.77	AUTH login aW5mb0BxdWFudHVybnZpYS5jb20=
Sep 15, 2021 10:52:21.314744949 CEST	587	49829	5.149.255.77	192.168.2.6	334 UGFzc3dvcmQ6
Sep 15, 2021 10:52:21.343508005 CEST	587	49829	5.149.255.77	192.168.2.6	235 Authentication succeeded
Sep 15, 2021 10:52:21.343986034 CEST	49829	587	192.168.2.6	5.149.255.77	MAIL FROM:<info@quanturnvia.com>
Sep 15, 2021 10:52:21.370634079 CEST	587	49829	5.149.255.77	192.168.2.6	250 OK
Sep 15, 2021 10:52:21.370991945 CEST	49829	587	192.168.2.6	5.149.255.77	RCPT TO:<info@quanturnvia.com>
Sep 15, 2021 10:52:21.397991896 CEST	587	49829	5.149.255.77	192.168.2.6	250 Accepted
Sep 15, 2021 10:52:21.401993036 CEST	49829	587	192.168.2.6	5.149.255.77	DATA
Sep 15, 2021 10:52:21.428678989 CEST	587	49829	5.149.255.77	192.168.2.6	354 Enter message, ending with "." on a line by itself
Sep 15, 2021 10:52:21.432975054 CEST	49829	587	192.168.2.6	5.149.255.77	.
Sep 15, 2021 10:52:21.465493917 CEST	587	49829	5.149.255.77	192.168.2.6	250 OK id=1mQQeT-0002Hl-DE
Sep 15, 2021 10:52:22.469660044 CEST	587	49830	5.149.255.77	192.168.2.6	220 mail.quanturnvia.com ESMTP Exim 4.92.3 Wed, 15 Sep 2021 08:52:22 +0000
Sep 15, 2021 10:52:22.469952106 CEST	49830	587	192.168.2.6	5.149.255.77	EHLO 760639
Sep 15, 2021 10:52:22.498035908 CEST	587	49830	5.149.255.77	192.168.2.6	250-mail.quanturnvia.com Hello 760639 [84.17.52.51] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Sep 15, 2021 10:52:22.498641014 CEST	49830	587	192.168.2.6	5.149.255.77	AUTH login aW5mb0BxdWFudHVybnZpYS5jb20=
Sep 15, 2021 10:52:22.526045084 CEST	587	49830	5.149.255.77	192.168.2.6	334 UGFzc3dvcmQ6
Sep 15, 2021 10:52:22.554003000 CEST	587	49830	5.149.255.77	192.168.2.6	235 Authentication succeeded
Sep 15, 2021 10:52:22.554395914 CEST	49830	587	192.168.2.6	5.149.255.77	MAIL FROM:<info@quanturnvia.com>
Sep 15, 2021 10:52:22.581418037 CEST	587	49830	5.149.255.77	192.168.2.6	250 OK
Sep 15, 2021 10:52:22.581680059 CEST	49830	587	192.168.2.6	5.149.255.77	RCPT TO:<info@quanturnvia.com>
Sep 15, 2021 10:52:22.609419107 CEST	587	49830	5.149.255.77	192.168.2.6	250 Accepted
Sep 15, 2021 10:52:22.609725952 CEST	49830	587	192.168.2.6	5.149.255.77	DATA
Sep 15, 2021 10:52:22.636557102 CEST	587	49830	5.149.255.77	192.168.2.6	354 Enter message, ending with "." on a line by itself
Sep 15, 2021 10:52:22.638268948 CEST	49830	587	192.168.2.6	5.149.255.77	.
Sep 15, 2021 10:52:22.683985949 CEST	587	49830	5.149.255.77	192.168.2.6	250 OK id=1mQQeU-0002Hq-Jw

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 7012 Parent PID: 3440

General

Start time:	10:50:08
Start date:	15/09/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\09142021_PDF.vbs'
Imagebase:	0x7ff7cfa80000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000003.352029800.000002756BE19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.360916196.000002756CA40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000003.351755108.000002756BDE6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.360678491.000002756C00A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Chronological Activities

Analysis Process: Notepad.exe PID: 3664 Parent PID: 7012

General

Start time:	10:50:14
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Local\Temp\Notepad.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Notepad.exe'
Imagebase:	0x3b0000
File size:	838144 bytes
MD5 hash:	033B15C82C1F08143DA87E0F4D1AD9BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.412408433.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: Chrome.exe PID: 5276 Parent PID: 7012

General

Start time:	10:50:14
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Local\Temp\Chrome.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Chrome.exe'
Imagebase:	0x1e0000
File size:	207360 bytes
MD5 hash:	A9C24A18FBD231939EB608A7A2087A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.358180679.00000000001E2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Chrome.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, Metadefender, Browse Detection: 100%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6560 Parent PID: 3440

General

Start time:	10:50:28
Start date:	15/09/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xa0000
File size:	207360 bytes
MD5 hash:	A9C24A18FBD231939EB608A7A2087A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.401485938.0000000002931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.400865060.00000000000A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.386929462.00000000000A2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.401516583.0000000003931000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, Metadefender, Browse Detection: 100%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: MSBuild.exe PID: 5480 Parent PID: 3664

General

Start time:	10:50:38
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xa30000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.866866320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.869632745.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: hmltog.exe PID: 4328 Parent PID: 3440

General

Start time:	10:51:12
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Imagebase:	0xc40000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6140 Parent PID: 4328

General

Start time:	10:51:13
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: hmltog.exe PID: 3728 Parent PID: 3440

General

Start time:	10:51:20
Start date:	15/09/2021
Path:	C:\Users\user\AppData\Roaming\hmltog\hmltog.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\hmltog\hmltog.exe'
Imagebase:	0xa50000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 2088 Parent PID: 3728

General

Start time:	10:51:22
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Notepad.exe PID: 3664 Parent PID: 7012 Notepad.exeCOMMON

Executed Functions

Function 026626B0, Relevance: 2.2, Strings: 1, Instructions: 984COMMON

Download Yara Rule

Strings

$ghr, xrefs: 0266284D

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 418d62319aaef7c77afb146ac56424ca7e0c038a9d15b8540a6e6a7b2d586170
Instruction ID: c24918278aa7b2c0bbb479d0f69da6f4c1211b918a4f1cb909c5c7a2083d55da
Opcode Fuzzy Hash: 418d62319aaef7c77afb146ac56424ca7e0c038a9d15b8540a6e6a7b2d586170
Instruction Fuzzy Hash: 37B2A275E00228DFDB65CF69C984BD9BBB2BF89304F1581E9D409AB225DB319E91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 065D17F7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 065D1877

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b9fc7d4c234746474d87ad51974628ffc21e6be0f88c82ec7c986bb344bb5a8b
Instruction ID: 5b716576bcc3b432218721833cd614c89078228592859ebd5f8c14c17cdc4f43
Opcode Fuzzy Hash: b9fc7d4c234746474d87ad51974628ffc21e6be0f88c82ec7c986bb344bb5a8b
Instruction Fuzzy Hash: 4B219175509784AFEB22CF25DC44B52BFF4BF06210F0885DAE9858F163D275E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D1212, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 065D1279

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e65702bde55ce97a3bb1867da102984260bec68c93ef8ce51ad9b8a26f5b1e7c
Instruction ID: df3118869855d998241cef5cbc2d750be70c41bb459d3b343fefbb7b31348634
Opcode Fuzzy Hash: e65702bde55ce97a3bb1867da102984260bec68c93ef8ce51ad9b8a26f5b1e7c
Instruction Fuzzy Hash: 1011A272500604AFF720DB29DC85FABBB9CEF05320F14846BEE45DB281D6B5A545CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 065D1979, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 065D19E5

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 962339c4f5cf9fe171aa76e1131e2670b2cddae47e7e7f19436a6d54b9819895
Instruction ID: 9b3c041b7bf3cb14705b4adb3eb502efe2856877c05032900a9912a9e6aa80f9
Opcode Fuzzy Hash: 962339c4f5cf9fe171aa76e1131e2670b2cddae47e7e7f19436a6d54b9819895
Instruction Fuzzy Hash: 84118E724097C0AFDB228B25DC45A52FFB4EF06314F0980DAE9844F263D275A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 065D182E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 065D1877

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 39c39e198a2e9a226feab41b312e540cc0791261160b6b8d6b2fc5771b6309ef
Instruction ID: a78f319ea1f3131e83be840e533e4bbe96d42cd4600618ded6f8f8b2038c56f1
Opcode Fuzzy Hash: 39c39e198a2e9a226feab41b312e540cc0791261160b6b8d6b2fc5771b6309ef
Instruction Fuzzy Hash: E7119E719006049FEB30CF69D984B66FBE8FF04220F0884AAED458B652D271E418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 065D19AA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 065D19E5

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 75b800cdb2ab2524537761e3d9bc3ec955fd9f851eca56b8d8a0924faf1c9823
Instruction ID: 1edf28b68b16cf8b96cf11a877e6b5d9d977d8b74382f510f7fad3f2284c753f
Opcode Fuzzy Hash: 75b800cdb2ab2524537761e3d9bc3ec955fd9f851eca56b8d8a0924faf1c9823
Instruction Fuzzy Hash: E9018B31800A40DFDB708F19D884B62FFA0FF08320F18C49ADE490B256D2B5A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 026620B1, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026621ED

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 3aa70165858511c9cd69a4c7a03567ffa4c4b3b4ebc608d9b2e4a46766f87d5c
Instruction ID: 41be4754dcf73c70323b7fefbfc1b375424cd7c77193d3187256669c2f8389f7
Opcode Fuzzy Hash: 3aa70165858511c9cd69a4c7a03567ffa4c4b3b4ebc608d9b2e4a46766f87d5c
Instruction Fuzzy Hash: 1B81D5B4D05208DFDB54DFE9D9986ADBBF2BF89300F20806AE909A7355DB345982CF10

Uniqueness

Uniqueness Score: -1.00%

Function 026620C0, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026621ED

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 89a9d0e99d5e0e238d408a8de60ec5e613ad5012ac500a56a78115a5804c4fa6
Instruction ID: 096ef336acde8404c8087744b6e76454b69eada03bde51f288a7761d082861d2
Opcode Fuzzy Hash: 89a9d0e99d5e0e238d408a8de60ec5e613ad5012ac500a56a78115a5804c4fa6
Instruction Fuzzy Hash: CD81C4B4D05208DFDB58DFE9D9986ADBBF2BF89300F208069E909A7355DB345982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A0A7D0, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

IQi, xrefs: 06A0A8F2

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID: IQi
API String ID: 0-742927471
Opcode ID: 9d247782f3f38638f3d8d5913536e8fad898c23bb847ef562e39ebbccba20449
Instruction ID: 76840a8a6f207189d9fe118bad0e92a1c8ebaceee871053652130dd624ac0f26
Opcode Fuzzy Hash: 9d247782f3f38638f3d8d5913536e8fad898c23bb847ef562e39ebbccba20449
Instruction Fuzzy Hash: C3513EB0D0521ACFEBA4CF65D9847A9F7F2EB88300F0080FA861DA7650E7305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266E108, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a409dd40b4980473cfd6906f5c447edb8d45814ee7b5a47312e1a511a5e2a1e
Instruction ID: 3eb1b6370812eb509ebe8d02d48f498fa31401edf6c8178ac790dd672bb784d1
Opcode Fuzzy Hash: 3a409dd40b4980473cfd6906f5c447edb8d45814ee7b5a47312e1a511a5e2a1e
Instruction Fuzzy Hash: 9CC128B490520ADFCB08CFA4C5849BEFBB2FF49350F24A559D412BB254D731AA42DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266AF88, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c1b9aeb4f40958574616176a2919ce20ee1f0172d09e8a79cb7bbaaebe377d
Instruction ID: 399593735a3dc8a14e458a2c31b3d316dbec340fe72cfd8f3654de09747666d3
Opcode Fuzzy Hash: 22c1b9aeb4f40958574616176a2919ce20ee1f0172d09e8a79cb7bbaaebe377d
Instruction Fuzzy Hash: 73A1E770E04258CFDB28DFA9D8887AEBBB6BB89308F109069D509F7355DB305982CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06A03580, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f08a72dacaf33fd5c65b370eea8f03227caa796e22dd1fb2efd5dfc71870fa
Instruction ID: 90f8daa8048cba79746e4309ead6d709f2416e8c64e2968802a7e09c2f5abc99
Opcode Fuzzy Hash: 80f08a72dacaf33fd5c65b370eea8f03227caa796e22dd1fb2efd5dfc71870fa
Instruction Fuzzy Hash: 1091BFB4D01209CFDB54EFA4E284A9DBBF2FB18304B10E56AE506DB765DB30AA40CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06A0356F, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdac8ae106ade7874a41d03eb8ad6772438576624bc0c64eed889393c267801
Instruction ID: 34b5697aae9caf6d8e5a08acbc7258dd12b83eca75550a314745a25d6a4bdb1a
Opcode Fuzzy Hash: 9fdac8ae106ade7874a41d03eb8ad6772438576624bc0c64eed889393c267801
Instruction Fuzzy Hash: F791BDB4D01209DFDB50EFA4E284A9DBBF2FB18304B10E16AE506DB355DB30AA40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06A0368C, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a28e5958cfbfe178f95880ea501ff82abf00a88267dadf3c35509eba1dfab33
Instruction ID: bf7bd834fa5b6528ed83ba93fb10ccfbd167b81ae41d92b130fb3281e8442c12
Opcode Fuzzy Hash: 3a28e5958cfbfe178f95880ea501ff82abf00a88267dadf3c35509eba1dfab33
Instruction Fuzzy Hash: 26919EB4D0124ACFDB54EFA4E284A9CBBF2FB18344B10A56AE506DF755DB30AA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06A03623, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e051ae7d5e9609e1a28f72eb00065556564fdfa81de242ca1cb97b073380795f
Instruction ID: 5cd210f5589b942869c5ac568e5ec7027931524fe4c0f2e343b1b403ffdc4226
Opcode Fuzzy Hash: e051ae7d5e9609e1a28f72eb00065556564fdfa81de242ca1cb97b073380795f
Instruction Fuzzy Hash: 5C919FB4D0124ACFDB54EFA4E284A9CBBF2FB18344B10A56AE506DF755DB30AA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06A03659, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b854eadb5699da7bd283bba629e9d785f1932cbb07c23b2881a94d991e71df6
Instruction ID: b19a2195dc672bc961857d3c477ba06e27c883285d8f7b8b1aa35ea589c5f622
Opcode Fuzzy Hash: 3b854eadb5699da7bd283bba629e9d785f1932cbb07c23b2881a94d991e71df6
Instruction Fuzzy Hash: DB91AEB4D0124ACFDB50EFA4E284A9CBBF2FB18344B10A56AE406DF755DB30AA40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0266C180, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce2a468cdedcfa4de70368e01e4c44cf6df6b2b32da4a7015174dfdff8ed3a7
Instruction ID: 3bcf588866beb3f8ce84f454959999d75bbf3ed2c5aa6b1e720a1c90a8eb6f4b
Opcode Fuzzy Hash: 4ce2a468cdedcfa4de70368e01e4c44cf6df6b2b32da4a7015174dfdff8ed3a7
Instruction Fuzzy Hash: 2371C1B4D00609DFDB08CFE9C998AAEBBB2FF89300F10906AD505BB254DB355A42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06A06690, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81fbdbc2d1d7c149a59a6437828bbfb117d05f022ab5680172463654dab6021
Instruction ID: 790c1573687350c17d20a996245080ed4f637d05fbe2d8f1613ced342d6954cd
Opcode Fuzzy Hash: d81fbdbc2d1d7c149a59a6437828bbfb117d05f022ab5680172463654dab6021
Instruction Fuzzy Hash: 01615974D06229CFEFA4DF25E955B9ABBB2BB49300F10D4EAC10DE7240DB355A858F48

Uniqueness

Uniqueness Score: -1.00%

Function 06A064A8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec241e74b8b7452cc143aba982856b632a230834293249c71eb5308110a9d2d6
Instruction ID: 88dd960cce7245eb815b8169f4eb706fa475645ab2ec108ee70d38b00edbc202
Opcode Fuzzy Hash: ec241e74b8b7452cc143aba982856b632a230834293249c71eb5308110a9d2d6
Instruction Fuzzy Hash: F0317A74D11208DFEB44EFA9E6809DEFBF5EB8D304F10A42AD105F6244D731A9218F64

Uniqueness

Uniqueness Score: -1.00%

Function 026605A8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 026606D4
`5kr, xrefs: 0266072D

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 317ec4ca7baf9060835ce1d6b63272850b8f5914c3d4977bde41093cb30676fe
Instruction ID: 5ef79d161443a27f50378af83fafe5c5b1a8cd1bfc81d42130ee088d939f5a8f
Opcode Fuzzy Hash: 317ec4ca7baf9060835ce1d6b63272850b8f5914c3d4977bde41093cb30676fe
Instruction Fuzzy Hash: 6191C374E01218CFEB54DFA9C994BADBBB2FF89310F109169D409AB3A0DB719945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 026619D8, Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

X$kr, xrefs: 02661A6F
X$kr, xrefs: 02661A7F

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X$kr$X$kr
API String ID: 0-2690305392
Opcode ID: 6d642d139844f7cd64f0a1efd5943bfb02944e8ddfea6869731870fc107a79eb
Instruction ID: f5f435b7865521f872d4822fbcebcac01e42df0519e9a3b0029ff04ff22b40b5
Opcode Fuzzy Hash: 6d642d139844f7cd64f0a1efd5943bfb02944e8ddfea6869731870fc107a79eb
Instruction Fuzzy Hash: 0E31BF74D00209CFDB08DFAAD5486EEBBF2BB89304F10856AD819B7354D7355A85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 065D11B2, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 065D1279

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5139c8be635d9bb8db9d70a85c89f463eb2eb389a0ecd637f714ddcddf316729
Instruction ID: 669fa25fcaeafc9a030f535334eed46870b6442db88c41014336d423d2cd38ec
Opcode Fuzzy Hash: 5139c8be635d9bb8db9d70a85c89f463eb2eb389a0ecd637f714ddcddf316729
Instruction Fuzzy Hash: 70415E7210A3C06FE7138B648C55BA6BFB89F03214F0944DBE984DF193D6689849C772

Uniqueness

Uniqueness Score: -1.00%

Function 065D055A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 065D0601

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 03c40e77940e8cdf56a6967c67be83fa749017506cac4449114d402bf04dd95f
Instruction ID: 89f60547fea68253bf9b79992b361ecc60f30e510cf9d52f3d90ec78fa8d017f
Opcode Fuzzy Hash: 03c40e77940e8cdf56a6967c67be83fa749017506cac4449114d402bf04dd95f
Instruction Fuzzy Hash: 9D318171509780AFE722CF25CC85F56FFE8EF46210F18849AE984CB292D375E909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 065D0658, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 065D070E

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5481f29ae65256926c0fd7b96faad3e8cd90411eeb1524dac3e9fcb1b4d47ee0
Instruction ID: 6abb22dfd2cdaf8f4d92f6648f64cb6450a29c9445f6b554990b9f9ef7c25ab1
Opcode Fuzzy Hash: 5481f29ae65256926c0fd7b96faad3e8cd90411eeb1524dac3e9fcb1b4d47ee0
Instruction Fuzzy Hash: 9931D9754097C06FD3138B25DC51B61BF74FF87620F0A81DBD9848B5A3E224691AC771

Uniqueness

Uniqueness Score: -1.00%

Function 065D12D7, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 065D137A

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 566a93d43b196d5b171b9878ba4cff677e2f6bb022904dadd7f95926107252d4
Instruction ID: cdf98123ad26e16636de7320e9507be540f21c8f91fb0d66b69a2dacfcedaafd
Opcode Fuzzy Hash: 566a93d43b196d5b171b9878ba4cff677e2f6bb022904dadd7f95926107252d4
Instruction Fuzzy Hash: DC219671409380AFEB228B25DD45F96BFB8EF46310F18849AED449F192D2786949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 065D1674, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 065D16F6

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 743b38208884204125107f604a32c18a7c54ffc4e53ce57f99aba889ada0725e
Instruction ID: fe8f5c56071ab7394b2cd3b4ce2a201d1e6b041193e87b8a56af254129bc78ff
Opcode Fuzzy Hash: 743b38208884204125107f604a32c18a7c54ffc4e53ce57f99aba889ada0725e
Instruction Fuzzy Hash: 4421A4765097805FD722CB65DC45B96BFE8EF06220F0984EAED84CF253D274E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D058E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 065D0601

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 731e4d3e44d3d53079291624273f660dadaf811d1042d79a2ce582a42b4f2908
Instruction ID: 004a0d2f5437d31fbc798c9e78f8c3667d6ea46d3bff64311e34125858dba6c5
Opcode Fuzzy Hash: 731e4d3e44d3d53079291624273f660dadaf811d1042d79a2ce582a42b4f2908
Instruction Fuzzy Hash: 9F218E71504200AFE720DF29C885B6AFBE8EF44710F14846AEE898B282E7B5E445CB75

Uniqueness

Uniqueness Score: -1.00%

Function 065D15B8, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D1638

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8f2c435c53fe89d5b9da194162cc81a24d61a5347698b0542c7da8026ad273fb
Instruction ID: bc8df4f48f03271e8b50696eea61cfb9593c1053c15ee8979523e43603f27dd0
Opcode Fuzzy Hash: 8f2c435c53fe89d5b9da194162cc81a24d61a5347698b0542c7da8026ad273fb
Instruction Fuzzy Hash: 7D21D0765097C09FD7228B25DC84A96FFF4EF07210F0D80DEE9858B563D264A858DB21

Uniqueness

Uniqueness Score: -1.00%

Function 065D0737, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 065D07C3

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a43846cc4bb5bfb5e1328fbb2a6a4122e4186a15e7c08aa642ab455c262f3698
Instruction ID: 13661ad01399ed878094eaee1d6bcc0da5d6b54b85b88bbfb6c3fe32819533d3
Opcode Fuzzy Hash: a43846cc4bb5bfb5e1328fbb2a6a4122e4186a15e7c08aa642ab455c262f3698
Instruction Fuzzy Hash: 6821E771504380BFE721CB14CC85F66FFA8EF46720F14809AFD445F292D274A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 065D02CD, Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 065D0341

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 617c0eef26b7892790a64bd52183c6a24c99ab416a31b8fe41a99c07aded37a2
Instruction ID: d2e97acf35771179dfc0bc8142ab177592dae140e464e8379e6f2ea4260dee70
Opcode Fuzzy Hash: 617c0eef26b7892790a64bd52183c6a24c99ab416a31b8fe41a99c07aded37a2
Instruction Fuzzy Hash: 04219376509380AFDB228F25DC54B62FFB4EF06210F0884DEED854B163D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D1ABD, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 065D1B31

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9507fe1e06b4ef20de501469cebe657218a5464f48ae194b54d6a0ac9ec35e9e
Instruction ID: abbf517b3927ec443bf5ac44fa0b07736c0bd517e7620274c0fe857dd62843fb
Opcode Fuzzy Hash: 9507fe1e06b4ef20de501469cebe657218a5464f48ae194b54d6a0ac9ec35e9e
Instruction Fuzzy Hash: B7215E714097C09FDB238B25DC44A51FFB4EF17210F0985DBE9848F263D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 065D130E, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 065D137A

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: b46f38bb2e19aa48e7774e9f549f2d88ea64d85bd578cc6868d142759a2dc6b0
Instruction ID: c15cc28ca7d2da28b0f679e8c21d7334ad82f03998e24a41eb0fadef5766c748
Opcode Fuzzy Hash: b46f38bb2e19aa48e7774e9f549f2d88ea64d85bd578cc6868d142759a2dc6b0
Instruction Fuzzy Hash: 2411C471500600AFFB30DF18DD85FA6FBA8EF44710F1484AAEE459F281E6B4A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 065D1517, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D157C

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 47503942d4475b268a3c1e1524abcf456753ade858d68f7d0be1fc1376dd6483
Instruction ID: 4d63a8cdefd349e045f2aa0700b04f136ed24c27a0f2aef4fdbaf84c307f2d8f
Opcode Fuzzy Hash: 47503942d4475b268a3c1e1524abcf456753ade858d68f7d0be1fc1376dd6483
Instruction Fuzzy Hash: E811E276409780AFDB228F25DC44A52FFF4EF06220F0880DEED858B263C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D075A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 065D07C3

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 27335b25cf1e77de5a1c7dbafc7d83fc2ed95e0c8bc70957af74af750d53dd79
Instruction ID: 42f25353b958356111b2408f88894e9a5eda3cff21c48cf4fb177cdf3886c105
Opcode Fuzzy Hash: 27335b25cf1e77de5a1c7dbafc7d83fc2ed95e0c8bc70957af74af750d53dd79
Instruction Fuzzy Hash: F911CE71500200BEF720DF19DC85BA6FF98EF45720F24849AEE445E2C2D6B4A549CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 065D1DAB, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 065D1E15

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 93db02e2a8bf427fef83637f6d78b0e1bf4bae921abfd0f1193ea3b40865a2b0
Instruction ID: bb8728f50f37f03fc2f1a37e284abcb5c561fe5c3960470f9bb669a4643cd493
Opcode Fuzzy Hash: 93db02e2a8bf427fef83637f6d78b0e1bf4bae921abfd0f1193ea3b40865a2b0
Instruction Fuzzy Hash: 2011E272409784AFDB228F15DC45B52FFB4EF06320F0884DEED854B663C275A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D1470, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 065D14CF

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 07baa2b899e5ffbfc482590d4d3af5583f7c8c87369a818e6deb56d5579f3fe8
Instruction ID: 261220b12f837b327418a908baedef6326c69e262413eee805358dec7da6f8d1
Opcode Fuzzy Hash: 07baa2b899e5ffbfc482590d4d3af5583f7c8c87369a818e6deb56d5579f3fe8
Instruction Fuzzy Hash: C211C4715047849FD721CF15CC85F52FFE8EF06220F08809AED458B262D278E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 065D16AE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 065D16F6

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: aea9b49228029f8d447ce1b28a14db855dc05e6d9ea81b138a192b67a6ddf82f
Instruction ID: 335fb7ce07e97a7c947b919adb6fe208cf932734955f4f1c3bc2f3a8c08294c2
Opcode Fuzzy Hash: aea9b49228029f8d447ce1b28a14db855dc05e6d9ea81b138a192b67a6ddf82f
Instruction Fuzzy Hash: 9E115E75A006409FEB70CF69D885756FBD8EF04220F1884AAED49CB792E674E444CF71

Uniqueness

Uniqueness Score: -1.00%

Function 065D15F2, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D1638

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 565780bf26a4e969f26aaaa092570e600a2bf35ad26dfa955c73a9178fe2dde6
Instruction ID: 817630a300b29f3fe4866318daf79de093ebd3a6816649eae6e55093cf1276b6
Opcode Fuzzy Hash: 565780bf26a4e969f26aaaa092570e600a2bf35ad26dfa955c73a9178fe2dde6
Instruction Fuzzy Hash: 28016D75500A00DFDB708F19D884B6AFBE4EF04620F1C84AEED458BA62D375E458DF61

Uniqueness

Uniqueness Score: -1.00%

Function 065D1492, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 065D14CF

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6ce09060427f1213ec6141a583f4f5f90ed1336eb2c9cc41d78d2a6deaea4244
Instruction ID: 8c0324e1c38e33339b0a5f576db6ff46cee2892fda0ffc52514a416574ef05ad
Opcode Fuzzy Hash: 6ce09060427f1213ec6141a583f4f5f90ed1336eb2c9cc41d78d2a6deaea4244
Instruction Fuzzy Hash: 8101B135600A009FEB70CF19D884B66FBE4EF04220F08C0AADD4A8B792D679E448CF61

Uniqueness

Uniqueness Score: -1.00%

Function 065D153E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D157C

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c4000973d6dac28b4cfbdb46d56175a40691ac7a7340c22a80f6b1f45cacc867
Instruction ID: 5b6ff38ea1e770297c787977e31445dc2fce516de9b3f74289e673ee4372f806
Opcode Fuzzy Hash: c4000973d6dac28b4cfbdb46d56175a40691ac7a7340c22a80f6b1f45cacc867
Instruction Fuzzy Hash: 18019E32900A00DFDB718F19D884B66FFE4EF04320F08C49ADE464A652D276E458DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 065D06BE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 065D070E

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: efe86d940513eec2dc3be0dc6249df20fd92e026b0b7a6abf3c123c94fef3aa0
Instruction ID: 190c754475b16b9cbe37036f1fcf1693128fd5be478c4280d9503b1087ca90c4
Opcode Fuzzy Hash: efe86d940513eec2dc3be0dc6249df20fd92e026b0b7a6abf3c123c94fef3aa0
Instruction Fuzzy Hash: A8014F76500604ABD310DF16DC86F26FBA8EB88B20F14815AED085B741E375F555CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 065D1DDA, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 065D1E15

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6651ec08216260ff465039241c0e976a137537861a58d47fe54c806e600eabaf
Instruction ID: 8cf856e9c43a874ab3f79936359c30ac4d8c546f1910808670ff0b8457c198d1
Opcode Fuzzy Hash: 6651ec08216260ff465039241c0e976a137537861a58d47fe54c806e600eabaf
Instruction Fuzzy Hash: 4A017135900A44DFDB708F1AD884B66FFE4EF04320F18C49ADE454B652D2B5E458DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065D0306, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 065D0341

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f888159ec5b57a393331427c2d770902a2d0ce8f08b941763097892380f20dcf
Instruction ID: e5cedea205143807fab6cd9c6ae8f8ab17d79e96894dc51e56c0fad05b63984c
Opcode Fuzzy Hash: f888159ec5b57a393331427c2d770902a2d0ce8f08b941763097892380f20dcf
Instruction Fuzzy Hash: 5401B131500600DFDB608F19D884B66FFE0FF04320F08C49ADE454B691D275E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 065D1AF6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 065D1B31

Memory Dump Source

Source File: 00000004.00000002.417699981.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1c7472f5c37cae41db3391c34d4652e9e46d3067871a8825203fe041685dd6bb
Instruction ID: c946163ccdd37b5fee844cfbfb92edf9a8ad179ca7890d5505fc0bfaa1e8a44f
Opcode Fuzzy Hash: 1c7472f5c37cae41db3391c34d4652e9e46d3067871a8825203fe041685dd6bb
Instruction Fuzzy Hash: 2D018431800644DFEB308F59D884B55FFA0FF04320F18C49ADD490B392D275A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02660598, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 026606D4

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 0458f2e0e748c5e3081bb263aad8104c2234ca1732d895a4096de97e76bb3667
Instruction ID: caa68d1f74901d5ca5f063537db767d06819e02967a5b16a46173eb109ca8906
Opcode Fuzzy Hash: 0458f2e0e748c5e3081bb263aad8104c2234ca1732d895a4096de97e76bb3667
Instruction Fuzzy Hash: 0F71F574E00218CFEB54DFA9C894BADBBF2BF49310F2091A9D409AB390DB719985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02661EA1, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02661FDF

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 93dd1c4a0c550a8a39d68c45b7c9600864bff393d156f26f67eda251b7d806e7
Instruction ID: 1f2d43ae6f8eced29aa44323cb2acc3e8b169cbf6a444a762ca873c55456f568
Opcode Fuzzy Hash: 93dd1c4a0c550a8a39d68c45b7c9600864bff393d156f26f67eda251b7d806e7
Instruction Fuzzy Hash: 7541C370E002489FDB04DFE9D990AEEBFB2BF88304F208169D409AB365EB355942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02661EB0, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02661FDF

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: a275c7032055586d77c95c1747edad87e1c93af122e6a7844093a4fdb84f5370
Instruction ID: 317ba4c9342be4caade7982c8cba262ff5165cf55af4b2bd5d4fc595dd9085e1
Opcode Fuzzy Hash: a275c7032055586d77c95c1747edad87e1c93af122e6a7844093a4fdb84f5370
Instruction Fuzzy Hash: 12418274E002089FDB48DFE9D941AEEBBB2FF88304F208529D419AB364EB755952CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02661958, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

X$kr, xrefs: 02661A6F

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X$kr
API String ID: 0-683389969
Opcode ID: a5a88fc5db18dfbd2574fec5a9fae1ad83be5a60ec91ea23973cce8a3b57bbb2
Instruction ID: ec920f5972e5184c2e87d81fb59bbfa09337b0f3a071c6cd1da95da6c9db53bb
Opcode Fuzzy Hash: a5a88fc5db18dfbd2574fec5a9fae1ad83be5a60ec91ea23973cce8a3b57bbb2
Instruction Fuzzy Hash: 41410374D00209DFDB08DFA9DA456EEBBF2FB89304F1085AAD818A7354E7355A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02661D20, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02661D7F

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 30104dc26e48aa988429220cdd2c4b510dd424d6a2b0157400ffaaeb343c82b4
Instruction ID: 0e471fce551e0b55ef93795f0709b7285c6f1275a273ca135a8a0b5a5b43a545
Opcode Fuzzy Hash: 30104dc26e48aa988429220cdd2c4b510dd424d6a2b0157400ffaaeb343c82b4
Instruction Fuzzy Hash: 5D412734E00208DFDB05DBA8D950AAEBFB2FF89308F108169C80477795EA795941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02661D30, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02661D7F

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 2630bebc875518f079dd7ee498ecffead760755d93e33a0ab15e4b4fa71f0573
Instruction ID: 0d408a0f374c732d51559e973d6d1cb5dcb3d6516c5e0ad40c2dda9daab9c91f
Opcode Fuzzy Hash: 2630bebc875518f079dd7ee498ecffead760755d93e33a0ab15e4b4fa71f0573
Instruction Fuzzy Hash: 4741F638E00208DBDB05DFA9D940AAEBBB2FF8C308F609169D90577794EB795941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 026619C9, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

X$kr, xrefs: 02661A6F

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: X$kr
API String ID: 0-683389969
Opcode ID: 5ca5acd76f29cfc5026fb694356c08b88d13c83433266a4b4e6368795aa25a91
Instruction ID: c6e94ec95306cfbdfad2106e6a5912547c02699bec33b5efbd2eb2c641efb5b8
Opcode Fuzzy Hash: 5ca5acd76f29cfc5026fb694356c08b88d13c83433266a4b4e6368795aa25a91
Instruction Fuzzy Hash: D931F570D04249CFDB08CFAAC5486EEBBF1AF89300F1481AAD419B7354D7355A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02660A40, Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfeebd83bfde51364534d11b597dea273def1e856f6eba0a45c4694ef7312ec
Instruction ID: 91e3ee2e004ae79ce411796409d0e6346b6d5ebd455f689c24cf3c3d7525452f
Opcode Fuzzy Hash: bdfeebd83bfde51364534d11b597dea273def1e856f6eba0a45c4694ef7312ec
Instruction Fuzzy Hash: 4872A234A01218CFDB24DB64C894FE9B7B2BF8A305F5580E9D909AB361CB716E95CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02660A50, Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9ac3ceaede352b549f3dea94ecc2b5cef7a20d26c920d21f721fe0f08ba902
Instruction ID: 864863a78462e329840979e5d8123e0d32a8da45e0b17e6b8450606623889045
Opcode Fuzzy Hash: ea9ac3ceaede352b549f3dea94ecc2b5cef7a20d26c920d21f721fe0f08ba902
Instruction Fuzzy Hash: 6472A234A01218CFDB24DB64C894FE9B7B2BF8A305F5580E9D909AB361CB716E95CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02660270, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db3d6945b63bb7f632ba44385571cd62e19d67c301e737989831ae52416bc6b
Instruction ID: 3d360977572ab5ee0bcfc42800fddd4e1596a5e2a3e2f01a6f66bd34b7b08e81
Opcode Fuzzy Hash: 5db3d6945b63bb7f632ba44385571cd62e19d67c301e737989831ae52416bc6b
Instruction Fuzzy Hash: E251CD78A04219DFDB04DFA8C884BADBBF1BF4E311F1454A5E502AB3A0D735A940DF65

Uniqueness

Uniqueness Score: -1.00%

Function 02660280, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a2fee0653c9496f2f0ad143528c4de3683b07803ddf867a5f9b5df8169d726
Instruction ID: 6b2b7be6afc50484325c511e5a2b36b3d51183ea08b44019cde4050f2fad81eb
Opcode Fuzzy Hash: a1a2fee0653c9496f2f0ad143528c4de3683b07803ddf867a5f9b5df8169d726
Instruction Fuzzy Hash: 20417A78A00219DFDB04DFA8C884BADBBF1BB4D311F1454A5E902BB3A0D775A940DF65

Uniqueness

Uniqueness Score: -1.00%

Function 02661AC0, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02ae633b5f0c7ef39095befce2335e3941865823c9e63a1078bfd639ef3c4c4
Instruction ID: 6c0d669ebd0e843206465bd3e510008c4615e2ea05d6b5337848fd8e8233834b
Opcode Fuzzy Hash: b02ae633b5f0c7ef39095befce2335e3941865823c9e63a1078bfd639ef3c4c4
Instruction Fuzzy Hash: 5A419E74D00208DFDB04DFAAD584AEDFBF2AF88300F24D5AAD818A7354EB309956CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02663838, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d717f205885b5c708f8b04ef6be8afd1d1175a5724922332ce36616e420f40d
Instruction ID: 5c63f2986f1162204ddddd8b1723d2e73ac5a05fe995fe937ef5ef7cc9e66bef
Opcode Fuzzy Hash: 3d717f205885b5c708f8b04ef6be8afd1d1175a5724922332ce36616e420f40d
Instruction Fuzzy Hash: D9311974E05208DFCB08EFA9D9486FDBBB6FB89700F2091A9E815A7351DB349952CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A0672F, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e7b251ae4433d5db3ee09eeb1cee5f62ddf757f025065126ecf3c6ee5f67e2
Instruction ID: 5ad7c6964e08cc9c543c8dc20d92c9b2f8a58653bc9d1474c7f22d20303959f9
Opcode Fuzzy Hash: f8e7b251ae4433d5db3ee09eeb1cee5f62ddf757f025065126ecf3c6ee5f67e2
Instruction Fuzzy Hash: D7412471D062288FEBA4DF64EA9579DBBB1BB49300F5094E6C01DA7251CB349E85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 06A064B8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f74b3e0ac32f8db54c3cfad3a1fe76ec2a75d2eec9697136645c99e4fe916ba
Instruction ID: 458216b32eaf474765628fcdff6a7f0cf1e0856f0e6d3802ac7ed93fca4c8047
Opcode Fuzzy Hash: 4f74b3e0ac32f8db54c3cfad3a1fe76ec2a75d2eec9697136645c99e4fe916ba
Instruction Fuzzy Hash: 3E316874D05208DFEB44DFA9E6849DEFBF5EB4D304F10A42AD115FA245E731A9208F68

Uniqueness

Uniqueness Score: -1.00%

Function 06A04590, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c29c0ad37eaa01298e4dd0cfe69c862912eab79437bdce0bcd2c068f9f8464d
Instruction ID: a07a815abc5233840b8984e9bd3153bb0625abd010a1b2210a3d010414c9b428
Opcode Fuzzy Hash: 2c29c0ad37eaa01298e4dd0cfe69c862912eab79437bdce0bcd2c068f9f8464d
Instruction Fuzzy Hash: 06318DB8D06188DFDB04CFA9D940AEEBBF2FB8D300F1490A9D951A7311D6345A02CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A04540, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ca7f63ffb4a1dc773b08e832faa99dd78526b46a9341cf5e0770445ba8dd68
Instruction ID: c203b1150590486b3a1ee4404ed3a346c4db6a0832373d4a53a7721e958982b4
Opcode Fuzzy Hash: 13ca7f63ffb4a1dc773b08e832faa99dd78526b46a9341cf5e0770445ba8dd68
Instruction Fuzzy Hash: AF31ADB8D05249DFEB04DFA8D9406EEBBF2FB9D300F109069D955A7310E6344A02CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02663829, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c2d5483b75ed7d6b7dabcc13b6db13b83d644c03a2724c106095c425614a0e
Instruction ID: d50cf0ee34649f53af3617bbf6a74c25277f1f989af5eb6b0747a8eee16cccde
Opcode Fuzzy Hash: 76c2d5483b75ed7d6b7dabcc13b6db13b83d644c03a2724c106095c425614a0e
Instruction Fuzzy Hash: 6C311AB4E05208DFCB08EFA9D9586EDBBB6FF89700F2081AAE415A7351DB345942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266CB20, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc5462238c6a4ad55738d8fda4d0ac381ed2c9602a49e1d7ac3abea3dad45f5
Instruction ID: 139db3134f790c3ffd8fb2da66c7b8545630269077eb7f1c63b8ce721ef49fe0
Opcode Fuzzy Hash: ecc5462238c6a4ad55738d8fda4d0ac381ed2c9602a49e1d7ac3abea3dad45f5
Instruction Fuzzy Hash: CC31E874E0420ADFDB48CFE6D4849AEBBB2FB89300F50955AD429AB354D3349A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02660006, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee281f2aa585c19c0d8870aaf239e3ec7f573c227339ad97b24492a36e9efa92
Instruction ID: cd387989d4f75b2de6061592ce0445250a7041519851cb242640b0d156cf4512
Opcode Fuzzy Hash: ee281f2aa585c19c0d8870aaf239e3ec7f573c227339ad97b24492a36e9efa92
Instruction Fuzzy Hash: F3212C6084E3C58FD7179BB488657AABFB0AF47204F1948EFC0C1E71A3D6685819C766

Uniqueness

Uniqueness Score: -1.00%

Function 02661AB1, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a44d53b460656c2eba4aa37a58696fc99a030a4101e02706fe7f402f994422
Instruction ID: 0653da311a432f8c17c300953918655ca094d73e2072c131769c2bfd1ce9863b
Opcode Fuzzy Hash: 03a44d53b460656c2eba4aa37a58696fc99a030a4101e02706fe7f402f994422
Instruction Fuzzy Hash: 7121C274D052089FDB08CFAAD984ADDFBF2AF89204F14D1AAD818A7355EB305942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 082D1CFC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.419930212.00000000082D0000.00000040.00000001.sdmp, Offset: 082D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e6bdb78cf4187ea71f1471bbb7d9e9c7f238fc2816581d1d8013bd61790cc9
Instruction ID: 6cd6cefcd0f63d1abf40f69e0220f7860ac639e0d3c16a7c52f663b47bdf656d
Opcode Fuzzy Hash: 94e6bdb78cf4187ea71f1471bbb7d9e9c7f238fc2816581d1d8013bd61790cc9
Instruction Fuzzy Hash: BD11BAB5608301AFD340CF19D880A5BFBE4FB88664F14896EF998D7311D275EA14CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 026600F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076c461ab1dc0dccd7115cb99038ee8e6597c5ce3cec5a093461a59d218d245c
Instruction ID: 09d09f5d5f009fe1190aaa242c049332607d7e4895af4452c35dbbc45f9774f6
Opcode Fuzzy Hash: 076c461ab1dc0dccd7115cb99038ee8e6597c5ce3cec5a093461a59d218d245c
Instruction Fuzzy Hash: A3213E3090020ECFCB04FBA8DD4699D7B71FF44304B108279E9159B655DB705E06DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 06A0BF18, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c1d973e6b7d74be5fa54fe0636f9c85b9bf02e4cafc5e932344cd801e7deca
Instruction ID: 1ff27fb92be37989fa5c28662641940e3e3dd4122d30f9560d2195a7c592c6db
Opcode Fuzzy Hash: d1c1d973e6b7d74be5fa54fe0636f9c85b9bf02e4cafc5e932344cd801e7deca
Instruction Fuzzy Hash: 30111E74E04209DFEB44EFA5D644A6EB7B6EF89300F10D469D406A7384DB319E41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02660108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59d51e9567d942ce1d3e9614a53d6172581287b2e87ce93584201e6d04fd6c9
Instruction ID: b5fac3e892e0b315b2294b5996ba6d6316d6413c7f4e636b25f8b4507b50bb39
Opcode Fuzzy Hash: b59d51e9567d942ce1d3e9614a53d6172581287b2e87ce93584201e6d04fd6c9
Instruction Fuzzy Hash: 97111C30A0010ECFDB04FBA8DD459AD7B71FF44318B108278D91557754EB705E06DB55

Uniqueness

Uniqueness Score: -1.00%

Function 06A083E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f0c8d21742e4a3e41b0e8005bbed47735a1cc2db8b01d92a2128e316f44264
Instruction ID: 6dcf697c00337d588a46c6f93e818953f944377eb061fcf71519aa4fa3c1c12e
Opcode Fuzzy Hash: a7f0c8d21742e4a3e41b0e8005bbed47735a1cc2db8b01d92a2128e316f44264
Instruction Fuzzy Hash: 2C11A4B4D04208CBEB28DFAAD5547AEFBF2AB88304F24C12AD518AB385D7791545CF84

Uniqueness

Uniqueness Score: -1.00%

Function 02661C78, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c70b8afa53f6b95808db526204d6e2ffb1f9d23a2b47d0bbdace4a13b3048a4
Instruction ID: 126b12163593fd3193e445ea3a7f138962714702f1bc9ebecf5c1c488bf895be
Opcode Fuzzy Hash: 8c70b8afa53f6b95808db526204d6e2ffb1f9d23a2b47d0bbdace4a13b3048a4
Instruction Fuzzy Hash: 65111374D04208DFCB09DFA5D950AEEBFB2EF88304F2081AAD404A72A4EB394A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02661C88, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e916058ef196dbc26c1c3ac102dab7f124d364e4ec63569da1a1b563c0282df
Instruction ID: 51ad570795afcb36f1141530d119c7e1b8c08260348747f36868a430dfd82270
Opcode Fuzzy Hash: 5e916058ef196dbc26c1c3ac102dab7f124d364e4ec63569da1a1b563c0282df
Instruction Fuzzy Hash: E011D374D00208DBDB48DFAAD941AEEBBB2FF88304F209569D41567354EB395A41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 06A07510, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614a18ad4c33865e78b7f772c6217884ec215f9c7df46a93bca8fb6ae165ed95
Instruction ID: 232718bee11e2c46578684c070f3ed6edc3e7d87800f8cf9b37ee649f152c12f
Opcode Fuzzy Hash: 614a18ad4c33865e78b7f772c6217884ec215f9c7df46a93bca8fb6ae165ed95
Instruction Fuzzy Hash: D01106349063288FDBA6EF2099947AC7BB6BF4A200F5051EAD019A7392CA300F85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02661C06, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73d15b12c5cb9f6214ef421ce0466b97863fe496aed2498cd1cbd90d39f609a
Instruction ID: 57b7f0adc45d956439a3d03663d5e8ca2ed109ac725e64cc87c07c9b35ceeb44
Opcode Fuzzy Hash: c73d15b12c5cb9f6214ef421ce0466b97863fe496aed2498cd1cbd90d39f609a
Instruction Fuzzy Hash: 6D0119B4D08258DFCB04DFA9C9556ADBFB2AF86200F1080A9D849A7352DB345A02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026603E9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79d8cc879e335835130bac3872ebd69092895d361bc2914e2b59fe6a6a885e4
Instruction ID: be685c71b52076207ba56268274e0ec3f17060974137f48b8df65c1ac2b0e6a0
Opcode Fuzzy Hash: c79d8cc879e335835130bac3872ebd69092895d361bc2914e2b59fe6a6a885e4
Instruction Fuzzy Hash: 8EF06D30A06208DFDB08DBF08550BEF77BADF86204F215898880123782CE749E11EAA9

Uniqueness

Uniqueness Score: -1.00%

Function 06A06551, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58409e13fdf379dcf5c0a212bcd9cfe5c88ef4a076fa986b759ec1c800315e1d
Instruction ID: 11df13f9f9c6b1d0209d60da90cfad00c9ec557d108b0d70d512c017373b5ade
Opcode Fuzzy Hash: 58409e13fdf379dcf5c0a212bcd9cfe5c88ef4a076fa986b759ec1c800315e1d
Instruction Fuzzy Hash: C6012878E05108DFEB44DFA8E6804CDBBB2EB48314F10A12AE511B7244DA30A9258F14

Uniqueness

Uniqueness Score: -1.00%

Function 06A06A8F, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312a74451c01615186cb1119cd1625e517b6ba69c7adc69c36781bdc4d573a88
Instruction ID: 291ab38ad5faa95e2d582d56f0903078656bb97edcc343b4a3ecd862e0334d89
Opcode Fuzzy Hash: 312a74451c01615186cb1119cd1625e517b6ba69c7adc69c36781bdc4d573a88
Instruction Fuzzy Hash: AE11B6B0D11668CFDBA09F21DD487EDBBB1BB89301F1050E9901EAB351CB344E918F51

Uniqueness

Uniqueness Score: -1.00%

Function 06A072C9, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0cee6b8ff74baf27c6a7c741b7dc0bd35cf91d002ae7ba3b0b650a0ec7bb9d
Instruction ID: a2e18c9a5f1a4ab5466a47607f828ee7e5c50920a6e73f6b4ec179fc01afb6d2
Opcode Fuzzy Hash: ca0cee6b8ff74baf27c6a7c741b7dc0bd35cf91d002ae7ba3b0b650a0ec7bb9d
Instruction Fuzzy Hash: 9511F574D022688FDBA5AF25DD587ACBBB5EB88301F1081D9D429A7352CA304F81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 06A073E3, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a93c744c3f3cc695498d8e5d1e1f4bea8094e4875c71d6c9afed578a2f751c
Instruction ID: f7eb3734aedf4c61183e06f4b7c471e7d50028047e684364d535f63a746d3619
Opcode Fuzzy Hash: 67a93c744c3f3cc695498d8e5d1e1f4bea8094e4875c71d6c9afed578a2f751c
Instruction Fuzzy Hash: 9011C870D0126A9FDBA4EF50D8547EDBBB1AB49340F1055EAC82AB7355DB304E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A06F6B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8b20d6355f72fdd327ccf830b15a9991a81aa58774a757a3d0128cb4db0f86
Instruction ID: d42391e7ee1146236bd44a372d5a2a69ba21183cfa6e5f3936a727dfe081c861
Opcode Fuzzy Hash: 6d8b20d6355f72fdd327ccf830b15a9991a81aa58774a757a3d0128cb4db0f86
Instruction Fuzzy Hash: 021106B0D0222D8FDBA4AF24D9987ECBBB1AB59300F5095E9C129B3351DA305E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A06946, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c3c76dabc3578f50f60ebb17c25d2156f10aa02750378a5632613987d9eadf
Instruction ID: b0465e8d5a90b8b1375f0cfbbf369195ff19a29a5d412e97161655c2256e701e
Opcode Fuzzy Hash: 04c3c76dabc3578f50f60ebb17c25d2156f10aa02750378a5632613987d9eadf
Instruction Fuzzy Hash: 0B11C570905228CFEBA4EF24DD547EEBBB1BB49300F5091E9901EA6284DB354EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A075FB, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd4c66cd689cf5a1592501b68dbe87aecf6e4c066a7a2bed6a358a8d190f1df
Instruction ID: 5d5543e32c399c3c693841ebb4d8f16c6d51fef4e9df03e583c5bd5ea95b4ebc
Opcode Fuzzy Hash: 1dd4c66cd689cf5a1592501b68dbe87aecf6e4c066a7a2bed6a358a8d190f1df
Instruction Fuzzy Hash: 70111770906228DFDBA59F20DA58BECBBB1FB08304F4091D9D60AA7385DB345B85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02660070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c5ce383826dee5d67de9d11b2fc04064935e7061aff274bc76cff4006fb050
Instruction ID: fbcaf99dfded6610882bf9a90b100566ea598b2f58536de5eff881f13bc70fc7
Opcode Fuzzy Hash: 35c5ce383826dee5d67de9d11b2fc04064935e7061aff274bc76cff4006fb050
Instruction Fuzzy Hash: D4F08C70D41249DBEB589FA4C8597FFBBF4AB49700F10183AC401B3380DAB559048BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0266E7A0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6795af3e6c2da3675e5c4cd1a5c20159006f654c1e795e3627863ca119632a4a
Instruction ID: f2fafec3151e9a5301d58a5be6ecadca2ab52bc1455b8e2b43dc952385911ea9
Opcode Fuzzy Hash: 6795af3e6c2da3675e5c4cd1a5c20159006f654c1e795e3627863ca119632a4a
Instruction Fuzzy Hash: 3CF07978A00208AFDB04DFA9C559E5DFBF2EF48300F55C098E9089B361D635E940CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06A0714B, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee9ef105b184f94100833b3fae3e2695bc002f539e93dbfbe90420e5487ced
Instruction ID: b4387a2b8a2ea4e99d6e045d384dc60c50572b1d73be95f20e41070e23cc9181
Opcode Fuzzy Hash: caee9ef105b184f94100833b3fae3e2695bc002f539e93dbfbe90420e5487ced
Instruction Fuzzy Hash: A601C970D4226A8FDBA4DF25D954BEDBAB2AF49300F1090E9842DE3245DA304E818F50

Uniqueness

Uniqueness Score: -1.00%

Function 02660530, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4b898711ee25810688420b12c828f252894374f8621c5806bdafddd9f7f7c5
Instruction ID: 9f9026ffa89c79b67911c5b7b5bea93a565c905157e311ea253d89bac5b1235d
Opcode Fuzzy Hash: ad4b898711ee25810688420b12c828f252894374f8621c5806bdafddd9f7f7c5
Instruction Fuzzy Hash: B0F0C478D05208EFDB45DFA8C584AADBBB0FB09204F2045E9D851A7311D730EE06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 026603F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e34de1e32f8ab3a8fed2ece89ceb6726be95ca419be29399129a885cc6e94ee
Instruction ID: 77e8eeb18a1059088fa2766b1ef5c5dd7b0cf0440e1349bc6fd64be76c23ce5e
Opcode Fuzzy Hash: 9e34de1e32f8ab3a8fed2ece89ceb6726be95ca419be29399129a885cc6e94ee
Instruction Fuzzy Hash: 48F0C034A42208DBD708DBF1D550FAF73BBDF95204F605C689405237848E759F51EAA9

Uniqueness

Uniqueness Score: -1.00%

Function 026609D9, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3c42173c2c85128a6903828ee80df9d8de6b7e01dc8669870663094a17404a
Instruction ID: d764696c07170514ec55d70c7f7f08b6dcb679979b98fefc3800ef53d6820da2
Opcode Fuzzy Hash: 7c3c42173c2c85128a6903828ee80df9d8de6b7e01dc8669870663094a17404a
Instruction Fuzzy Hash: 0AF0BE30944248EFCB05FBE8C9927EEBB75AF82201F6002A9C44467391DF302E01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02661C18, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dda85e2b53552ad70a850f1064d181f9a03258ebbe2adb2f9802440dd3c44e6
Instruction ID: b63907d45ef6d664cf38ab1548926e9c4c44964f8f7e48569a3a9bc455d09fd7
Opcode Fuzzy Hash: 3dda85e2b53552ad70a850f1064d181f9a03258ebbe2adb2f9802440dd3c44e6
Instruction Fuzzy Hash: 52F0F4B4D00208DFCB08DFA9C5445AEBBB6AF84300F1080A9C809A3310EB345A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02660220, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad98f4303468bd4f52939f74a4ba52a7238c2fed90927fb386564142d91f69a
Instruction ID: 881095039cb579a05601c0bc463d35d9f7b8937c2c845874c69e97de3ef4d5f2
Opcode Fuzzy Hash: 7ad98f4303468bd4f52939f74a4ba52a7238c2fed90927fb386564142d91f69a
Instruction Fuzzy Hash: 47F0A034809388EFCB19DFB4E9466A87FB5EF06305F1080EAD88497252D3355E09DB55

Uniqueness

Uniqueness Score: -1.00%

Function 06A06836, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239164911be7467aaa6f2df257e42029ebc1d79f8a279ddf5fe74f5f6b065978
Instruction ID: f9120165dda051f07f8758ad9d90c002c706ef3d5ec9329b8f47dbbc17b16e5f
Opcode Fuzzy Hash: 239164911be7467aaa6f2df257e42029ebc1d79f8a279ddf5fe74f5f6b065978
Instruction Fuzzy Hash: 20011A749056688FDBA9EF209C547AD7BB6BB89201F1491E99019B3264CA304F818F10

Uniqueness

Uniqueness Score: -1.00%

Function 06A07039, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c107345cfbfc8a0874b62e1687ba0075789875ff3296c43cdc26ea18cb1211f9
Instruction ID: 5dff6183c3b7bccbce9562bb35333639aed474fe5d33e19e3d60e8d28f88f599
Opcode Fuzzy Hash: c107345cfbfc8a0874b62e1687ba0075789875ff3296c43cdc26ea18cb1211f9
Instruction Fuzzy Hash: 2401087490621C8FDBA6EF20D8547EDBAB6BB4C200F0091E9911AA3251CA305F81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06A06E4C, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18fdb01cea8f026bb150b4e5d68f71556cf61e5cfacbf7535b42a46e4738b96
Instruction ID: eb818eaa783c0dc41640f7966b0750cc581fe0e59524ddc28ac76af84a22e514
Opcode Fuzzy Hash: a18fdb01cea8f026bb150b4e5d68f71556cf61e5cfacbf7535b42a46e4738b96
Instruction Fuzzy Hash: 3901D6749022288FDBA4DF24D9547ECBAB2BB49301F4095EA946EF3345DA304F91CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06A06B7F, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da0156a6df38e8291bb90dcaf359b06fc71222e838360e82c6f476892e6b131
Instruction ID: 3345c6991f082b390690e6fdaed1ea72facadf7445785faa8dd89f039136f261
Opcode Fuzzy Hash: 4da0156a6df38e8291bb90dcaf359b06fc71222e838360e82c6f476892e6b131
Instruction Fuzzy Hash: A901DE749122188FDBA5EF24D9547ACBBB6AF45200F1090E9D55DBB341CA301F81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02660452, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faafee4babe91faad41ec5403d2cb22150dbce3514df82d2ff6812bf941b4ed4
Instruction ID: b363992f83940b3444243439769c36fda456235a35734c1d0dd6d75a66e4e09f
Opcode Fuzzy Hash: faafee4babe91faad41ec5403d2cb22150dbce3514df82d2ff6812bf941b4ed4
Instruction Fuzzy Hash: 7EF0D474C09358DFCB05DFF4C848AAEBBB4EF06205F6049A9C840A7352D775AA52CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02661968, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519aa3b8d9d0032e8edf92250dc4b4ff13433d66ec2491cbe9063b30314f4fe
Instruction ID: 237d5f2231d7649e0da2be4fc2ad35833f27b54bfea433e63a585cfaf307d153
Opcode Fuzzy Hash: 2519aa3b8d9d0032e8edf92250dc4b4ff13433d66ec2491cbe9063b30314f4fe
Instruction Fuzzy Hash: D8F05E3090130DDFCB14EFA8D640BAEBBB6FB44308F104AA9C81497758EB316A41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02660540, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02214811ef6bc3cb26368c2c0690c4114e77efdcdfa45e720476aace7099d47
Instruction ID: 89fc91de33e91c2d989856ed74e145c3c042c55fd6d82994f59f37a20ca7db9b
Opcode Fuzzy Hash: a02214811ef6bc3cb26368c2c0690c4114e77efdcdfa45e720476aace7099d47
Instruction Fuzzy Hash: 9CF0B278E04209EFCB04EFA8C584AADBBB4FB08300F2049A8D810A7310D770EE41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 082D1613, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.419930212.00000000082D0000.00000040.00000001.sdmp, Offset: 082D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04252942f9e304aadd70b57bd9c84a8ec59841cdadc4c896677cc1c74e8056d0
Instruction ID: 25d63f851b87ef812f3c673e99120f558957716fd1acf98764b307fbe86df3ec
Opcode Fuzzy Hash: 04252942f9e304aadd70b57bd9c84a8ec59841cdadc4c896677cc1c74e8056d0
Instruction Fuzzy Hash: 2CE0D8B250120067D2109E06DC85B53FF98DB80A30F18C457EE081B302E1B6B514CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 082D1D67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.419930212.00000000082D0000.00000040.00000001.sdmp, Offset: 082D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d690c3cbe92dc2aa57f16d21bfe75509bc3c6421748b4a31c5f178e379c0455d
Instruction ID: bf002d4b732131fdcaa6a5756c852e0455a3c756b4a907af3b7491c028271278
Opcode Fuzzy Hash: d690c3cbe92dc2aa57f16d21bfe75509bc3c6421748b4a31c5f178e379c0455d
Instruction Fuzzy Hash: 7AE0D8B254130067D2108E06DC85B53FF98DB84A30F14C46BED081B302E1B6B514CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 026609E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f173e7ec8d042e2ad1701e6b90a9041cbffea6f0754768c7ed94d5c221c79ed
Instruction ID: aaffc48bf48ee15e2b93fb8a83690a3e1d9415ab668ae7491c30a3324bbd3ef5
Opcode Fuzzy Hash: 3f173e7ec8d042e2ad1701e6b90a9041cbffea6f0754768c7ed94d5c221c79ed
Instruction Fuzzy Hash: F0F0C970A4010CEBCB44FFE8DA52BAEBB75AFC1302F6052A9944567390DF706E41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026637B0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9a59cfe3de57ed6abdcb675c1058abf5693b29c9586df407fd9e6bb1b04a64
Instruction ID: bb453d9564656a4b6a0a338d3c66c2796dcab63527400f2a0b072d9eaac9349b
Opcode Fuzzy Hash: 4c9a59cfe3de57ed6abdcb675c1058abf5693b29c9586df407fd9e6bb1b04a64
Instruction Fuzzy Hash: 0FF0A9749083889FC705CBA4D804AA8BFB4AF42314F2440DAC84467383C632A906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06A07207, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3884387d838cd0e26c067c1a1080ad0a4703e2ba0532b76038eeb2a0980782
Instruction ID: bb1ef04618f5062eecfbeaf1bdd03913c12b2a6de3c1d1b747523ff2174409c0
Opcode Fuzzy Hash: 0a3884387d838cd0e26c067c1a1080ad0a4703e2ba0532b76038eeb2a0980782
Instruction Fuzzy Hash: 05F01D74C4622BCFDBA5DF24E950BFDBAB1FB48315F1095E5D92AE2241CB304A908F50

Uniqueness

Uniqueness Score: -1.00%

Function 06A06A13, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab5bd8567f02114c754f8f6125d57b23c1e67a914683ee2d71881548526e417
Instruction ID: 7b912af40122c25a434073a55ed909ef87bc84c35baae09e75b76332404dd77e
Opcode Fuzzy Hash: dab5bd8567f02114c754f8f6125d57b23c1e67a914683ee2d71881548526e417
Instruction Fuzzy Hash: BDF0A974902228CFDBA4AF61D9987EDB7B1EB49300F1096EAD51DA7294DA345E80CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02660460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6257a3daf7cb8d88d4f42ea2fdca2ba1466c31cba2c46a448a20cbf8582167e2
Instruction ID: 0b4e1a6c810d69180b48c295407fbfda145f578f9ed5a9cd1fe78d6a9f01c052
Opcode Fuzzy Hash: 6257a3daf7cb8d88d4f42ea2fdca2ba1466c31cba2c46a448a20cbf8582167e2
Instruction Fuzzy Hash: 4EF0C274D01208EFCB04EFF8D848AAEBBB4FB05205F6049A9C814A3350EB75AA51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0266B5E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae273487f283236bd88c5343ad2a9b5e13eb31ed0156f444649bb39da22fc502
Instruction ID: c19415d90233a242fec2a0f012d77b19a26974eccb9f7984858a402913eae98a
Opcode Fuzzy Hash: ae273487f283236bd88c5343ad2a9b5e13eb31ed0156f444649bb39da22fc502
Instruction Fuzzy Hash: 7BF0C974905208EFCB04DF98D944AADFBB9EB88304F10C099EC18A7351C7329A52DF81

Uniqueness

Uniqueness Score: -1.00%

Function 06A0A1C0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3806715dd49e68b2a0237c9576ca1a7f9f3a56288be09d9b4f850b6f4506a3cc
Instruction ID: 2065aa8605f26e7df21b66ca48a6ed62e26547e75d50c0d23cb57b84ffb532ad
Opcode Fuzzy Hash: 3806715dd49e68b2a0237c9576ca1a7f9f3a56288be09d9b4f850b6f4506a3cc
Instruction Fuzzy Hash: F1E04F30E00308DFD740EFB4E50AB6EB7B1EB45305F1091A9D904A3281DB756A44CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0266CD70, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566b30dcc1e01082714c79e0cf42651733856dacae35bde91939106486205044
Instruction ID: 306318fb2fc12d8a17c118ca195888f331925c8f5f22e14104e5e0634766cefc
Opcode Fuzzy Hash: 566b30dcc1e01082714c79e0cf42651733856dacae35bde91939106486205044
Instruction Fuzzy Hash: B0E0E5B4D00308EFDB04EFB8D944AAEBBB1FB08301F1085AAE814A3340D731AA50DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02660230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9361398a06d0e2fb0ce36b236f445c85fd7871bb7719edd60431b43e4c86337
Instruction ID: 60184a14b784c6aefcb5f295d024cdbe3fd61910d5cca620e9646c812c847288
Opcode Fuzzy Hash: f9361398a06d0e2fb0ce36b236f445c85fd7871bb7719edd60431b43e4c86337
Instruction Fuzzy Hash: BAE04F34905308DBCB18EFA9D54566CBBB9BB55305F1081B9D84553350D7315A41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0266A010, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e8b681fb95e35997585bf3c65ec1ff52455bf3bdd9c2751c533e6bad603d66
Instruction ID: 6b519e116a2110e62f16f9a57144047fc8dfd4b687ab1b8f9428391b29864c62
Opcode Fuzzy Hash: f7e8b681fb95e35997585bf3c65ec1ff52455bf3bdd9c2751c533e6bad603d66
Instruction Fuzzy Hash: AFE0E574D04208EBCB04DF98D544AACBBB4EB48304F2080A9D80863341DA32AE52DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0266A910, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f44afd7a342e71ce237c039a063b5ae06d08cd7446ced3a0e380e63bafcef5
Instruction ID: 15fd40e6259cfebeee7a8930f148c47133365cd55c8749eba59262e617922099
Opcode Fuzzy Hash: 93f44afd7a342e71ce237c039a063b5ae06d08cd7446ced3a0e380e63bafcef5
Instruction Fuzzy Hash: FFE04F34914208EBCB04DFD4D944AADBB79EB49310F20C199DC0827351C7329A52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A036F8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3896cb3a03cd0ec170ee44c8c57e1ad5f31da20e27a8f9fd3fbcaea48bdec4f7
Instruction ID: 1f52c17b6c06b4f89f199135430806eb12520f6296b3a9c7e566e9e57cd88bc9
Opcode Fuzzy Hash: 3896cb3a03cd0ec170ee44c8c57e1ad5f31da20e27a8f9fd3fbcaea48bdec4f7
Instruction Fuzzy Hash: 71F03074A0110ADFCB50DFA4D590A9DBBB1FF45310F209615E912E7399DB306E428F44

Uniqueness

Uniqueness Score: -1.00%

Function 06A08B10, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29edf9e5c10d56b6ad9da3b212de18c8d3b6cee4b877b8cb4cbde1651dcff41b
Instruction ID: 9be8881096ca6fb663a4ad09635511cac767e94246a283837045f6e113724a90
Opcode Fuzzy Hash: 29edf9e5c10d56b6ad9da3b212de18c8d3b6cee4b877b8cb4cbde1651dcff41b
Instruction Fuzzy Hash: 82E01AB0D0430CEFDB44EFA8D440AADBBB1FB44300F1085AAD814A3340D7359651DF84

Uniqueness

Uniqueness Score: -1.00%

Function 02667C49, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa932385abbb8bf107543338567e6b78f9746d46d26c7192647f4b0b48becb
Instruction ID: 4f8d0d2cddfec09f4e4ed09b1320e16886addb4af57a60a872d4383750ec3045
Opcode Fuzzy Hash: 18fa932385abbb8bf107543338567e6b78f9746d46d26c7192647f4b0b48becb
Instruction Fuzzy Hash: 91F098B4A45228CFDB20DF54DD997ACBBB1BB08701F5010D9EA09A2390C7715ED1CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0266B560, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbd666bd7a512d3a65439e724813365aa994d776aee91f342e31d3af6243f5e
Instruction ID: a6d87921247d98b92bf47435267c48f654afdec5b7274b789db35b14abf78f0f
Opcode Fuzzy Hash: 9cbd666bd7a512d3a65439e724813365aa994d776aee91f342e31d3af6243f5e
Instruction Fuzzy Hash: 87E0BF74E45208EFCB04DF98D5456ACFBB4EB48304F20C1E9D818A7351D771AA42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 06A09378, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670e621f0f528f97c7912a41415e9f2363dcbc727b3ef7ef9762d968dcc5bc45
Instruction ID: 81bbdbadaf1869e83e1419477980bea20f03272a1a5e801c7ac6be763fb819ea
Opcode Fuzzy Hash: 670e621f0f528f97c7912a41415e9f2363dcbc727b3ef7ef9762d968dcc5bc45
Instruction Fuzzy Hash: 09E04634E00208AFCB54EBA8E40579EB7B0AB48700F10C1A9980897380EA39AA40CF82

Uniqueness

Uniqueness Score: -1.00%

Function 026637C0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1f18892786923069a0593d06cddb5a2edd76e26f7ed719f6eb0059d7b74973
Instruction ID: 52bab2c476d16a934b43d9e6089f5e4c6521350cd4b71f7ff563c305f68db3c7
Opcode Fuzzy Hash: 0a1f18892786923069a0593d06cddb5a2edd76e26f7ed719f6eb0059d7b74973
Instruction Fuzzy Hash: A5E01274A09208DBC708DFA4D94597DBF78EF45714F2081D9C80827341CB32AE52DF95

Uniqueness

Uniqueness Score: -1.00%

Function 026623C0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f28c171521c6e2891cc7238155c809159a8cace54d5367972cde43077127978
Instruction ID: abd17542b233b6bc8bdae911d2d53b1bbc1a16872548c32c9e55b7123f72c914
Opcode Fuzzy Hash: 9f28c171521c6e2891cc7238155c809159a8cace54d5367972cde43077127978
Instruction Fuzzy Hash: 3FD05E3000E7C44FD70AA7A55C6E7B97F389B17505F5840DBD9C96A0A3CE689C0BCB66

Uniqueness

Uniqueness Score: -1.00%

Function 06A09538, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bc447b0c3695d9c31a19fb72b2a766ff1566c15691bcad7d699e7b8b700f05
Instruction ID: 11e9b612c391debb22a73786017dcd942b3577c7f1ff998c9bb6d6a89bba0b9e
Opcode Fuzzy Hash: 42bc447b0c3695d9c31a19fb72b2a766ff1566c15691bcad7d699e7b8b700f05
Instruction Fuzzy Hash: A0E0E2B4D10308AFDB54EFB9940579DBBB4AB44701F1080A9980896241E736AA84CF81

Uniqueness

Uniqueness Score: -1.00%

Function 026600ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985b6959b4da567c2a7dababbb0410e79aabb9e3b5ef99aad7f7ca64b5b1bf93
Instruction ID: 1a96711527d361da76479c2fd447d14edf281b081d01fd3b2c8e0c6f1c3b2003
Opcode Fuzzy Hash: 985b6959b4da567c2a7dababbb0410e79aabb9e3b5ef99aad7f7ca64b5b1bf93
Instruction Fuzzy Hash: 06D04275D41209CBDB04DBA4E4486EDB775EB89325F209866C515A2250C73155958FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0266AF48, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaeb794dcb4ccb27ac05e687bac053446596dd24db85dd43e9364dce86df798
Instruction ID: 6c3d6ca77c19ac0de5a3a5d92249aac5c6123b226924557efd33965c75008d96
Opcode Fuzzy Hash: abaeb794dcb4ccb27ac05e687bac053446596dd24db85dd43e9364dce86df798
Instruction Fuzzy Hash: 72D05E74C1A208DFDB44EFE8E9096BDBBB8AB05605F2010E8C80873351EB319E41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0266398C, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7be3b846e55593932006f810f129ee56e954dd6989b58e4dc911b4f175d57f4
Instruction ID: de7d38feac220511d8be9fa472f893117691e8bb14217971b7851007da1d6619
Opcode Fuzzy Hash: d7be3b846e55593932006f810f129ee56e954dd6989b58e4dc911b4f175d57f4
Instruction Fuzzy Hash: 73D01770C1A208DBCB04EBE4E90D7AC7B79AB05601F6002E9CC0863391EA308A51CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02663990, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0026c446e512f530d64b2204411221296c64b0e734ad5f93b31bba1f07d1077f
Instruction ID: d7cbc6bb49c741f6d29049f40cbd492a1182de263a9d1464643d338f5af8a7d5
Opcode Fuzzy Hash: 0026c446e512f530d64b2204411221296c64b0e734ad5f93b31bba1f07d1077f
Instruction Fuzzy Hash: 64D05B30C05308DBC704DFE4D90977C7B78AB05601F2002D4CC0463351EB305951CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A01FD1, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc818700e2cae8a4d9643a98ccc621d6dd633be0526c2be90845aacc3d2d799
Instruction ID: 39f285b9418e9bbdb8de3ea40ddbcbd1bbd7f06d863a22b1feda8d810e423517
Opcode Fuzzy Hash: 7cc818700e2cae8a4d9643a98ccc621d6dd633be0526c2be90845aacc3d2d799
Instruction Fuzzy Hash: D2E0B6B5E0435D9FDF54EF90C981B9DB7B5EB45300F1010999618BB240D3349A41CF29

Uniqueness

Uniqueness Score: -1.00%

Function 06A06266, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a3b9fdd5bc84f499ffe60a91d13d9b71b65604e5b4a38a126b5affd2eb3899
Instruction ID: 6a76e1af4ac57c06715dce02bb1c576aab3a5f0369ee9c57efbd59549ef64c45
Opcode Fuzzy Hash: 46a3b9fdd5bc84f499ffe60a91d13d9b71b65604e5b4a38a126b5affd2eb3899
Instruction Fuzzy Hash: 80E01A70C0231DCFEB50DFA5E5986ADBBF1BF09304F105019C016AB290D3745A51CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06A02BDC, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d682f1931837762ca14c4889357536fabcff50d763a50f3c2d9356046060ba9c
Instruction ID: 8cd3bfcf6125f00adb46f60ce4e18016a46edd82eb170a01472b663f1f53187a
Opcode Fuzzy Hash: d682f1931837762ca14c4889357536fabcff50d763a50f3c2d9356046060ba9c
Instruction Fuzzy Hash: D4E0BDB4D08229CFEB14EBA5D981B9EBBB9BF89340F0154A9C40AB7740D3346941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 06A06D21, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44930583d112532d1a4e5dcdf9a8f37fe6404e635611dc02a45f9fab0b8b9aba
Instruction ID: 605da88842aab6870696787ef2280217592334f5e48c37a4227a77278a9cab40
Opcode Fuzzy Hash: 44930583d112532d1a4e5dcdf9a8f37fe6404e635611dc02a45f9fab0b8b9aba
Instruction Fuzzy Hash: F8E01A749032189FEB94DF61D9447D9BAF5BB0A301F5050D9945AE7250DA300A808F51

Uniqueness

Uniqueness Score: -1.00%

Function 0266B630, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c747b23920f64e668d2eab4fe621a51a79a9694d6263949852842012fc6be5
Instruction ID: 6708f70d02dda7adbd730ac7636a096f0f65d6d300553c26d33abde8a8e2ce83
Opcode Fuzzy Hash: 93c747b23920f64e668d2eab4fe621a51a79a9694d6263949852842012fc6be5
Instruction Fuzzy Hash: 4CD0C970404308DFD300AFB5F82DB2A7BEAEB05286F64E468A609D3551EB725900CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A0A4B0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6289c839790ad234eb4a1d0e2e43a162cdf498ce27d1e512fbbcd3d0c615135d
Instruction ID: 2e96e489cc7f54f58c4d73441f11948aa8ba52dd2a49ce2c8f42d640c3e7e5dd
Opcode Fuzzy Hash: 6289c839790ad234eb4a1d0e2e43a162cdf498ce27d1e512fbbcd3d0c615135d
Instruction Fuzzy Hash: DCD0C974D15308ABD781FBF8A44975DBBF4AB04701F5045A99908D3282EA325654CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 026600CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf6f9665b1949dce841406b925a73b35dbb1336bb61790f0254ccc066eb5efd
Instruction ID: 249026301ef29b5fa13678d87fe162f05cd85c05e24db40d4b2edcdfefcc9297
Opcode Fuzzy Hash: daf6f9665b1949dce841406b925a73b35dbb1336bb61790f0254ccc066eb5efd
Instruction Fuzzy Hash: E2D09236E412088F8B00CBF8E4444DCF775EB89225B209466C914A2310C73194558F60

Uniqueness

Uniqueness Score: -1.00%

Function 06A021C9, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffffe427cfa162f43ac5fc8ea7e0b8c0eef027dcb80ac4b86b09b66c04d717e
Instruction ID: 940a21337837d9dfea046979be75318b282766e11bb78eb39cb8c2f0a8f05695
Opcode Fuzzy Hash: 0ffffe427cfa162f43ac5fc8ea7e0b8c0eef027dcb80ac4b86b09b66c04d717e
Instruction Fuzzy Hash: 1ED01774C04118CFDF14EFA0C841BAEBBB0BF08300F109099941563740C3301901CF28

Uniqueness

Uniqueness Score: -1.00%

Function 0266212D, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e7412e19714221545edc2facbc5757af9f33f767458dc8b29d2744a482b84c
Instruction ID: fe4607e0deb4920eb682ec57023b8fcb08bf144db21f06fa14054b9734975b7e
Opcode Fuzzy Hash: b4e7412e19714221545edc2facbc5757af9f33f767458dc8b29d2744a482b84c
Instruction Fuzzy Hash: E6C0803164410047C31CBF60B51D53F7215C7AB301F50D3A5540E2754DCD3AC813C354

Uniqueness

Uniqueness Score: -1.00%

Function 06A01CD8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5065f9888a425abfa6feb948bb32c6fb5c028d25cc2bd56e7a0c02190fc00a3
Instruction ID: 05239b8dd84fc925064fffbb7fcb6581f64c24dee0bb6daa64dbb512d73b34df
Opcode Fuzzy Hash: a5065f9888a425abfa6feb948bb32c6fb5c028d25cc2bd56e7a0c02190fc00a3
Instruction Fuzzy Hash: BAD05E74C081089FDB54DAD0C50278DF7B5AB45340F00549A810DA6240D73099018F29

Uniqueness

Uniqueness Score: -1.00%

Function 06A0125C, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caa5fe6f171e17302fd3760c280df2d8abdcafb452cd3c905d6b52dc7b2b5cc
Instruction ID: 3c4e5b2d48c3dfc5cd5dd635ddbbfa6f4e75782614ca0ae2a7ab57160920a0c6
Opcode Fuzzy Hash: 6caa5fe6f171e17302fd3760c280df2d8abdcafb452cd3c905d6b52dc7b2b5cc
Instruction Fuzzy Hash: E4D0C974C04358CFDB50EE94D5057DAB7B6AB95310F1062A5411AA7280DA344A468F29

Uniqueness

Uniqueness Score: -1.00%

Function 026623D0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98da74d23efd09edd16e4935982367dbd120b7359bc9335ec13b89ef958a1feb
Instruction ID: a142eed257a52e3e8ef7862faed6d94f40c67b126eeafc1c1e5b4e7aa647ace0
Opcode Fuzzy Hash: 98da74d23efd09edd16e4935982367dbd120b7359bc9335ec13b89ef958a1feb
Instruction Fuzzy Hash: 22C08C3000938487C30CA3C56C1C379735C570A205F9410129A8D211628F649806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02669FD8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb86ea6287f0ae30fb5aa757a8347a496106fa218df376f9aaa0dba19a11304a
Instruction ID: e197ea5c3a0941d4116783e3a8059b133a0bea71645bcc0810c0e6e89b151d4d
Opcode Fuzzy Hash: cb86ea6287f0ae30fb5aa757a8347a496106fa218df376f9aaa0dba19a11304a
Instruction Fuzzy Hash: 17C02B3008B3444FD70C72C4150CB38364C4300308F5008182E0C036528F74E850CB79

Uniqueness

Uniqueness Score: -1.00%

Function 06A00ED3, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce464529fdc078a34358b0dbe53446845298b7c45b1d245024e63aaac8f360e9
Instruction ID: ca8c744abff40c7a31fa6530f3c48191456d9add794857b282aa80ffd50d0196
Opcode Fuzzy Hash: ce464529fdc078a34358b0dbe53446845298b7c45b1d245024e63aaac8f360e9
Instruction Fuzzy Hash: D3D0A93081321AAFCB00CF60EA80B8CBBB2BB02300F10395AD008AB119C330AA008F90

Uniqueness

Uniqueness Score: -1.00%

Function 06A0306D, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58f932fe6214497caeaa50688d2d314ae7a279c9b9729c3dde9abe5927a0fb2
Instruction ID: 011f51acd19a012b5892dbb1dd227dfffea1506beb992242b34a6cb64148d750
Opcode Fuzzy Hash: b58f932fe6214497caeaa50688d2d314ae7a279c9b9729c3dde9abe5927a0fb2
Instruction Fuzzy Hash: E1C012B4C042188FDB20EFA0D440BAEBBB5AB49300F0050A9920CA3240D3308A018F29

Uniqueness

Uniqueness Score: -1.00%

Function 06A02D09, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a153257f697bb880742068b0fd4899b0cdcf37325b1acd53d0dedc4636c0098
Instruction ID: 26bbaac10dc9639b458eff176a82038fb2d6bba620743767cfb62dff7236de6a
Opcode Fuzzy Hash: 3a153257f697bb880742068b0fd4899b0cdcf37325b1acd53d0dedc4636c0098
Instruction Fuzzy Hash: 92C012B4C042089FDB84EF94E501BAEBBB5BB99340F0060A98108B3240C7305A018F26

Uniqueness

Uniqueness Score: -1.00%

Function 06A0610C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8ee9ed4835dcb9c3bd2eda06698baac720cedf9a94b82b028f661bf614ac2a
Instruction ID: 444606343958375e7074a4fceab7982dcffa83d54f5b6909208f68fd6e2a56fb
Opcode Fuzzy Hash: fa8ee9ed4835dcb9c3bd2eda06698baac720cedf9a94b82b028f661bf614ac2a
Instruction Fuzzy Hash: 7DD0C774C062059FDB40CFD4D54019CFBF4D746360F1463569061EB295D2749640CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06A061A7, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b392fd9348544f3eabde15bf69840db8814c23cf2c7346e35b01adfb1d545faf
Instruction ID: 6d09d17ef65560fe073a1eb19c130415b9d1da1c8b140b750c84e66514d45b68
Opcode Fuzzy Hash: b392fd9348544f3eabde15bf69840db8814c23cf2c7346e35b01adfb1d545faf
Instruction Fuzzy Hash: 89C08CB0802186EFF301DF60F28640CBB31AB06201B202914E0029A090C7302500CB18

Uniqueness

Uniqueness Score: -1.00%

Function 06A06185, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cd21f578079493d8b346077b40dedc2f5fc1006a51e01b49577b4038b42d63
Instruction ID: 24a943c43649cbbdc491a71ecde58f888f7a294b82c1213d4fcddf1a4a6f961b
Opcode Fuzzy Hash: 02cd21f578079493d8b346077b40dedc2f5fc1006a51e01b49577b4038b42d63
Instruction Fuzzy Hash: ACC08C30846205DFE340CB90F6C584EBBB2EB05360F107004A402C21D0DA602440CE44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02662400, Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02662566
:@Dr, xrefs: 02662549
`5kr, xrefs: 02662622
f]Ir, xrefs: 02662452

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 91748ee69d84a9d01cfbb07a785ae4c68d2c991ca2fe38b479b46726da44c856
Instruction ID: 89324f4b81dc174ad0ba9b4ab5d0360a11e274cad2746999cfd0e3d94c5ea9f8
Opcode Fuzzy Hash: 91748ee69d84a9d01cfbb07a785ae4c68d2c991ca2fe38b479b46726da44c856
Instruction Fuzzy Hash: D9613770A002498BD748EFAADE4679DBFE2BFC4305F24C269D5089B669DF7058028B55

Uniqueness

Uniqueness Score: -1.00%

Function 02662408, Relevance: 5.2, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02662566
:@Dr, xrefs: 02662549
`5kr, xrefs: 02662622
f]Ir, xrefs: 02662452

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 82ed108226f1fb01800aad5b1c1a27e23f78f105239aa24942510871fa16e58a
Instruction ID: 51583505cfa99c6719a117c435643ae5f34faf02429a4c4c1ea2ce4c8d77e179
Opcode Fuzzy Hash: 82ed108226f1fb01800aad5b1c1a27e23f78f105239aa24942510871fa16e58a
Instruction Fuzzy Hash: 8C613870E002098BD748EFAADE4669DBFE2FFD4305F24C269D5089B669DF705842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 026626A1, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

$ghr, xrefs: 0266284D

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: b07beca0f6d6a7210d72c3ced4793d4f99c201cd3f6c73f03fd2728144f1ee81
Instruction ID: 7c007578d923beba6ba3b71fb1e8666dee6e64a21d65964720a532d4f4ec4b56
Opcode Fuzzy Hash: b07beca0f6d6a7210d72c3ced4793d4f99c201cd3f6c73f03fd2728144f1ee81
Instruction Fuzzy Hash: ADB17371E00658CFDB68DF6ACD54ADDBBF2AF89305F14C1A9D809AB354DB305A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A04CA9, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

=jlC, xrefs: 06A04E41

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID: =jlC
API String ID: 0-1087931671
Opcode ID: 0119e2846454e9c3bec80d9a64cd3d79a9c13cf922fda7a47b40c61f82a32e77
Instruction ID: e110d4a5d8adb154cc53ac086cc6e043881f6e4a6dc109165b3da8acc7738a12
Opcode Fuzzy Hash: 0119e2846454e9c3bec80d9a64cd3d79a9c13cf922fda7a47b40c61f82a32e77
Instruction Fuzzy Hash: 91516870D0524ACFEB44DFA6D540AEEFBF2FF89314F109556D510BB294D734AA018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A04F68, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96ac4fff35cdbf7aa539b5f889f13f20cd0f2f850f68f160e95623279e3bd6e
Instruction ID: 351b84a7c316f8b72150b756b2c071f9b10fc0d6f91068ca1b5f96e6f62ed907
Opcode Fuzzy Hash: d96ac4fff35cdbf7aa539b5f889f13f20cd0f2f850f68f160e95623279e3bd6e
Instruction Fuzzy Hash: 21B10674E00258DFDB54DFA9C680AADFBF2BF89304F2481AAD418AB355D7309A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A04831, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c357c1de33cc2e539e0d650931fe760a2f7aa244e78db660002bacc182f345d1
Instruction ID: b2ae22efafdd8d978f8de43e6b1a5b346e938fb29f6941c2c5676435b94fb6b4
Opcode Fuzzy Hash: c357c1de33cc2e539e0d650931fe760a2f7aa244e78db660002bacc182f345d1
Instruction Fuzzy Hash: 37A157B0D0524ADFEB44DFA6E5806AEFBF2FF88310F249529D514AB295D3309A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06A04F58, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbad040d9c1b5252e9b2a941cce8f9489bd7e77f9e933894a1da74f980ae077
Instruction ID: a7670b83a9d48b2dc89d305c955a5f82b4cbf80b0190c8d7f9397ef7b704d295
Opcode Fuzzy Hash: 3cbad040d9c1b5252e9b2a941cce8f9489bd7e77f9e933894a1da74f980ae077
Instruction Fuzzy Hash: 8AB1F774D04258DFEB54DFA9C6806ADFBF2BF89304F24D1AAD418AB256D7309A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A08CA0, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba61a606132ad457f09f5b1c6b36420740162fb45121fe1a4760ac183161d09
Instruction ID: 95f6a8fdc0bc5aab2d66b4adaca7f0f593b1fc6d680ed9d0e2ebb7df539705c5
Opcode Fuzzy Hash: aba61a606132ad457f09f5b1c6b36420740162fb45121fe1a4760ac183161d09
Instruction Fuzzy Hash: B9914970D01218DFEF54DFA9C580AADFBB2FB89304F20926AD415AB356C7389A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0266EE38, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9486731ffccbc999aa7fb5ceaa1856ac0074d4a365a0ee34f314a30ff00a5e81
Instruction ID: 6fff1191c41b04f35e5d44e882d2fc3f0194313b3b625a458eb5e69669090f38
Opcode Fuzzy Hash: 9486731ffccbc999aa7fb5ceaa1856ac0074d4a365a0ee34f314a30ff00a5e81
Instruction Fuzzy Hash: 4771FD78E15209EFCB44CFA9D489AADFBF1FB49240F10D49AE415AB224D339AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0266F870, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211da872e3793cd09ea80d4fd080f1b98b1b0b4fd378dcb24183f5da15b9eea4
Instruction ID: 37afc78fb60012dabf53a9f018443ad61d15483c70c719281c5e48173518c94a
Opcode Fuzzy Hash: 211da872e3793cd09ea80d4fd080f1b98b1b0b4fd378dcb24183f5da15b9eea4
Instruction Fuzzy Hash: CB51E374D15209EFCB08CFA5E5849AEFBF2FB48300F24959AD416AB654C330AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06A05491, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fb0057f2193d1d147f470502cae5d040e5f13d45dfb3b3213ae7cfb14d219d
Instruction ID: 24b4baed6f7d3a71e3809b7594c8bef923c9ab76e89a1b501e7a820c83843cc9
Opcode Fuzzy Hash: 92fb0057f2193d1d147f470502cae5d040e5f13d45dfb3b3213ae7cfb14d219d
Instruction Fuzzy Hash: 3451A070D05258DFEB14DFAAC6404ADFBF2FF89300B24D56AD414AB206D3349A02CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06A03F89, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3fc376edfc67eaf9c079ffe934226c3ab691ff731330c0130d1b377c8be32f
Instruction ID: 6cc28ea125332d4017b143b1bc9471b41ef18dd832fc751e1cd4994b421d8ca5
Opcode Fuzzy Hash: fe3fc376edfc67eaf9c079ffe934226c3ab691ff731330c0130d1b377c8be32f
Instruction Fuzzy Hash: 6521B170D09344CFEB09CFAA981059EBFB7ABCA300F14C5ABD554AB262D63549029FA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A00FD0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6d76368fbbd1404ebd83c1dfdc07b5bb6ae6262377fdb576ce3868c4ea5d68
Instruction ID: ae93d17860f2fc0104a1be2a484b87a56db48a6d2799e7a213c33f5c9621d208
Opcode Fuzzy Hash: ff6d76368fbbd1404ebd83c1dfdc07b5bb6ae6262377fdb576ce3868c4ea5d68
Instruction Fuzzy Hash: FB415DB1E056188BEB5CDF6B9D4479EFAF3AFC9300F14C1BA854CAA254EB3009468F51

Uniqueness

Uniqueness Score: -1.00%

Function 06A054B8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a853c6efc430db484b3d5cb5973362d7e34cfc7c77cb006830440444a862e51
Instruction ID: 6c7e032cfd94d37cde50d4342a951516876d05d525b9a8db73823034add6100b
Opcode Fuzzy Hash: 3a853c6efc430db484b3d5cb5973362d7e34cfc7c77cb006830440444a862e51
Instruction Fuzzy Hash: D64169B0D04258DFEB14DFAAD6404ADFBF2FF89304B24C66AC414AB246D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06A00FCF, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a79cac4060458055a81dec7871f5b4fc5a70511d41f9b01bbb51ce9edecc958
Instruction ID: d6a23071f05ccbb2fb4e6db15593dfa4c34461616a616ffd87a9124a8c79f836
Opcode Fuzzy Hash: 6a79cac4060458055a81dec7871f5b4fc5a70511d41f9b01bbb51ce9edecc958
Instruction Fuzzy Hash: F04120B1E016188BEB5CDF6B9D4479EFAF3AFC9300F14C1BA954CAA254EB3019468F51

Uniqueness

Uniqueness Score: -1.00%

Function 026639D0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f37e8def99cb8f8cdafd3a85e2db5511b02c13702cfb8684876f3e6916e5b3
Instruction ID: f4193459ac07553a84aea7810254dc640bd4c8c4f12a48b72e907c293a320d67
Opcode Fuzzy Hash: 29f37e8def99cb8f8cdafd3a85e2db5511b02c13702cfb8684876f3e6916e5b3
Instruction Fuzzy Hash: D24112B1E056188BEB5CCF6B8D4479EFAF7AFC9200F14C1BA850CA6255EB3105968F51

Uniqueness

Uniqueness Score: -1.00%

Function 06A002D9, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496be7645438c8689664832162bf39464824d124bb27aeb5bb2f1b5bb25a31af
Instruction ID: 8ab77c582d3d9d948672b42a24413e8ae0ade7fd62416e7d5b063d8a32ac21b4
Opcode Fuzzy Hash: 496be7645438c8689664832162bf39464824d124bb27aeb5bb2f1b5bb25a31af
Instruction Fuzzy Hash: 96413570D0520ADFEB44DFA6E581AAEFBF1EF89300F64946AC411BB241D3349A41CF96

Uniqueness

Uniqueness Score: -1.00%

Function 06A002E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c33df39218827a57038dc0cf0df1b54b9f6493a6a26a4fad18c9863f421a53
Instruction ID: 5a5315eb61531756552331845c2c0d13e54f45ee2e19ca00b73e0d5edb88b6b4
Opcode Fuzzy Hash: 83c33df39218827a57038dc0cf0df1b54b9f6493a6a26a4fad18c9863f421a53
Instruction Fuzzy Hash: 3D41F470D0520ADFEB44DF96E581AAEFBB1BF88300F60946AC415BB244D3359A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 026639CC, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c895f35c3daea1bdd2d899622c2f652418ff4b979ebce0c9accc5ae3a317b812
Instruction ID: 551f7d3ebf4b2f1cade1b42c45c0c35ee481d43b24cdc2c0f1e48b3a36792782
Opcode Fuzzy Hash: c895f35c3daea1bdd2d899622c2f652418ff4b979ebce0c9accc5ae3a317b812
Instruction Fuzzy Hash: BD4102B1E056588BEB1CCF6B8D4469EFAF3AFC9200F14C1BAC90CAA255EB310556CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0266FE48, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.411390408.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4795133aa7135ea4a44950636a387736cd63477969939e0903c0110a2ccff961
Instruction ID: fe28918eb221e5c5432aca3f8225d7393fba7279a1016797b3a5e8f96e515c3f
Opcode Fuzzy Hash: 4795133aa7135ea4a44950636a387736cd63477969939e0903c0110a2ccff961
Instruction Fuzzy Hash: 8131E5B1D0420ADFCB08CFE6D5855AEFBB2BB89300F10D46AD41AB6605D774A642CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06A00498, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c822d9e0539f1c3d71f5087bbb2e40f2e212b52f2bb908e7636f8ae5e2ae16bc
Instruction ID: a45fb71f3098a51509b66e62d978630dbbe591e5c3883dc38eaa8622a669ed1b
Opcode Fuzzy Hash: c822d9e0539f1c3d71f5087bbb2e40f2e212b52f2bb908e7636f8ae5e2ae16bc
Instruction Fuzzy Hash: CF11FBB1E016189BEB18DFABE84069EFBF7AFC8300F04C07AD908A6254EB3405468E51

Uniqueness

Uniqueness Score: -1.00%

Function 06A0C4D8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7d5bdc7994da952b49e22fbdc58bf0a5321663ad176c7a7204d451484c295d
Instruction ID: 540b1df425e535c6c4bd7bb8a841308d3ac27ee7136885759a9ca50d9a16c3cb
Opcode Fuzzy Hash: df7d5bdc7994da952b49e22fbdc58bf0a5321663ad176c7a7204d451484c295d
Instruction Fuzzy Hash: 3211F874D452199FDB54DFA9D844BFEBEF0AF0A310F145169E405B3280D7349640CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 06A00489, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d3841937ed71825d129ed66c69fbba5b1ebcf4e3ef7811e32303ca5d092c2a
Instruction ID: 45dd9a9b622bca9346ad85a2fae4092edce7935068d42d407f966c14aad37a12
Opcode Fuzzy Hash: 70d3841937ed71825d129ed66c69fbba5b1ebcf4e3ef7811e32303ca5d092c2a
Instruction Fuzzy Hash: F611B6B1E016589BEB18CFAB994069FFAF7AFC9200F08C0799848AA255EB3415468F55

Uniqueness

Uniqueness Score: -1.00%

Function 06A03AA8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ba842872280fcab15ddb711630fd467023301d7830adb3fe0083396cbf06e3
Instruction ID: 4ba982fb04a8d95db4deafb8069fd562a14ada76947e143c5fdb6349bbbbd3c2
Opcode Fuzzy Hash: d7ba842872280fcab15ddb711630fd467023301d7830adb3fe0083396cbf06e3
Instruction Fuzzy Hash: BC11E8B0E006099BEF48DFABD54019EFBF7AFC9300F24C57A8418AB255EA3456118F50

Uniqueness

Uniqueness Score: -1.00%

Function 06A04018, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.418212197.0000000006A00000.00000040.00000001.sdmp, Offset: 06A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7b942a1bdbdc4e954700c6f2fba5538285b7e9205466cbb37a998fecfb252d
Instruction ID: eee295e4c1e3892ed25bfa9cf2d1faa886eda5da55a17f83534952abb0ae010b
Opcode Fuzzy Hash: bb7b942a1bdbdc4e954700c6f2fba5538285b7e9205466cbb37a998fecfb252d
Instruction Fuzzy Hash: 6E01C8B0D04609CBEB48DFAB990059EFBF7FFC8300F24C43A8514AB255D6345A069F40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 6560 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 02543850, Relevance: 2.0, Strings: 1, Instructions: 757COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02543F9D

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 133517c4104895fbc768bfc511ca46b4f77c5b59c3ec8c570e1d7292b1fd26f0
Instruction ID: d6a93143391b1250cde256ad94714a25f757f6964374446f345ba87eba33e521
Opcode Fuzzy Hash: 133517c4104895fbc768bfc511ca46b4f77c5b59c3ec8c570e1d7292b1fd26f0
Instruction Fuzzy Hash: A952E571A04215EFCB05CF68C884A69FFB2FF85318B2985E6D9059F262CB31ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 025423A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aabdd2667202b7321c4109212df5615977a6723e1613fc577242fa316c20a2e
Instruction ID: 75f08f63a1d57069bf5b7d1751970a1ec25d39adadf62e997d5c69facc22f599
Opcode Fuzzy Hash: 3aabdd2667202b7321c4109212df5615977a6723e1613fc577242fa316c20a2e
Instruction Fuzzy Hash: 0812ABB0A04225CFDB24DF29C98466DFBF2FB88308F54852AE806DB365DB749D85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02542FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed37b17a67169317c8f3d9ec48d63e21bce2adac2be383797265fed2a4f2c8d
Instruction ID: 9ae6803a38ab5697f73d0f347b92a7feff8f0a79bd1ddda30d89567352919f62
Opcode Fuzzy Hash: 0ed37b17a67169317c8f3d9ec48d63e21bce2adac2be383797265fed2a4f2c8d
Instruction Fuzzy Hash: 16818B71F00115ABD718DB69D880A6EBBF3AFC8314F2A85B5E409DB365DE31EC018B94

Uniqueness

Uniqueness Score: -1.00%

Function 025409A5, Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02540A50
X1kr, xrefs: 02540A5A
X1kr, xrefs: 02540AA2
X1kr, xrefs: 02540A98

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 71e426a475e24c008dad86ce341ace5b0fe088508100b57752c09446e37a6834
Instruction ID: 845ae192872c6409ef247c4347eb3ef1fb2c733e79be318b974958ec9a117cfd
Opcode Fuzzy Hash: 71e426a475e24c008dad86ce341ace5b0fe088508100b57752c09446e37a6834
Instruction Fuzzy Hash: 8841D9317042119FCB05DBA8D854AAEBBF2FF85304F2545A9E6069F3A1DF30AD02CB85

Uniqueness

Uniqueness Score: -1.00%

Function 025420D0, Relevance: 2.7, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

nk, xrefs: 025422F1
r*+, xrefs: 0254230F

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: nk$r*+
API String ID: 0-3661759213
Opcode ID: 83492482413174f56326f644e11e6ddbb5adce6b29de2930dc0ccfaa34432536
Instruction ID: 60a16e8719000721063b33d04a626b297ef17cc6b71233d2e3d25ab5fe6d8d19
Opcode Fuzzy Hash: 83492482413174f56326f644e11e6ddbb5adce6b29de2930dc0ccfaa34432536
Instruction Fuzzy Hash: 83715E70A08225DFCB44DFA8C48167EFBB1FF85308F10946AE906DB2A5DB749E41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 025402E8, Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02540537
`5kr, xrefs: 025403A5

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 272cfb1ae9a03a36c32d2fe6bffa66ead5f2710fe00e3da22d281c05025de69c
Instruction ID: c88581ecaa8bcf176478bb90558faa7c261c8ffff76a4b76d69558aec0ef4385
Opcode Fuzzy Hash: 272cfb1ae9a03a36c32d2fe6bffa66ead5f2710fe00e3da22d281c05025de69c
Instruction Fuzzy Hash: 96516E30A092058FDB08DF68C460B6EBFF2BF89704F258469D606AB3A1DF759C41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02542D58, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02542DA5
, xrefs: 02542E76

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 353599211b79d75354dcdabfcf7bf86049fef51af3a67dbedcf01053b9d8e87e
Instruction ID: f93a667caf13fb07143a240b8b9fa6bd2a5c64feade873389b9bc5a20ca55c8b
Opcode Fuzzy Hash: 353599211b79d75354dcdabfcf7bf86049fef51af3a67dbedcf01053b9d8e87e
Instruction Fuzzy Hash: 4B41B470E142258BCB14DF69C8406BEFBA2FBC1318F15C876E916DB605CB35D862CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025412A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02541349

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 03d1b0a147ecee19f27ff5cca2a2c954e4d40afba716e9d215045c4d3ca429f6
Instruction ID: 23655749794794a4048bd9a110cf21cb97dcee6e31aaf4ce3d7757c4502edd5d
Opcode Fuzzy Hash: 03d1b0a147ecee19f27ff5cca2a2c954e4d40afba716e9d215045c4d3ca429f6
Instruction Fuzzy Hash: 1F22E374A04A05CFCB24EF28C490A6AFBF2FF88304B10C999D85A9B755DB34AD85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025B00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 025B019D

Memory Dump Source

Source File: 00000007.00000002.401473158.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 80bfebeb34cff349593b418b710ae70caf9e7f1632029db469f97c37f507971b
Instruction ID: 9d490465e70077a85def7b3c17bff0ef3dab9b8a87993da236fa134b6d5dabfa
Opcode Fuzzy Hash: 80bfebeb34cff349593b418b710ae70caf9e7f1632029db469f97c37f507971b
Instruction Fuzzy Hash: 7A319371509780AFE712CB25DC45F96FFE8EF06210F08849AE984CB292D375E909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 025B012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 025B019D

Memory Dump Source

Source File: 00000007.00000002.401473158.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f625fa93ca70fce1a16908cb6f7043e3bbdf409d9cd6512bd25f9059f3b0959c
Instruction ID: bfa9d7e273576221b0c35dd6f07d65110188da58964bbde257f4df0eb055c102
Opcode Fuzzy Hash: f625fa93ca70fce1a16908cb6f7043e3bbdf409d9cd6512bd25f9059f3b0959c
Instruction Fuzzy Hash: DC218B71500200AFE725DF25DD85BABFFE8EF05610F1484AAED498B282E771E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02541458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 025414C7

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 76a06811397f0848b3c461737ac3d6a86a327c20a77f5c4197609dfc9648de26
Instruction ID: 1be7df3775897981551d3cc80ed908a1f722dd95b9edfc95ba50272338512548
Opcode Fuzzy Hash: 76a06811397f0848b3c461737ac3d6a86a327c20a77f5c4197609dfc9648de26
Instruction Fuzzy Hash: D351E374A04218CFDB54EF68C894B9DBBB2BF49304F5080EAD40AAB365DB35AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0254068B, Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

}k, xrefs: 0254074F

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: }k
API String ID: 0-2281513113
Opcode ID: 05fbf67003e4067f71dd71e51e72912506e7b6fb52450204b6295a48882afee8
Instruction ID: 6f9c62b0b27a2020eb312bda9fa3e4eb66637f0b631c27f90a12064766df97b3
Opcode Fuzzy Hash: 05fbf67003e4067f71dd71e51e72912506e7b6fb52450204b6295a48882afee8
Instruction Fuzzy Hash: 86414AB06481018BD7487B38EC1C66E3BA7BFC07157556A29F502CB2F5DF704D819BAA

Uniqueness

Uniqueness Score: -1.00%

Function 02540690, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

}k, xrefs: 0254074F

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: }k
API String ID: 0-2281513113
Opcode ID: e4937b5079f733c346bc277ebeb9a84d47d9ba3e2e7548a3f27733cd99da4fd6
Instruction ID: 782b731a866b76f0e44f085121d5f0d6b81472079ff713b390fe2d2f6df9ea22
Opcode Fuzzy Hash: e4937b5079f733c346bc277ebeb9a84d47d9ba3e2e7548a3f27733cd99da4fd6
Instruction Fuzzy Hash: DB413BB06082018BD7487B38ED1C56E3BA7BFC07157556A29F502CB2B5DF704D819B9A

Uniqueness

Uniqueness Score: -1.00%

Function 02540006, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

$lk, xrefs: 025400E2

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: $lk
API String ID: 0-3542985557
Opcode ID: 2a905b30ca87076f016ac5e23ceb378ca5d48073b03555e695a54ae5c8afb552
Instruction ID: a013e0a6b0585e94f44f488e9316091a426ba6f39118b2e3442c11cebdca4c70
Opcode Fuzzy Hash: 2a905b30ca87076f016ac5e23ceb378ca5d48073b03555e695a54ae5c8afb552
Instruction Fuzzy Hash: F3318E7010E3C18FC716AB78DCA44957FB2BE4320471945DFE081CF2A7DA695889CB67

Uniqueness

Uniqueness Score: -1.00%

Function 02541298, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02541349

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: d7146d8a8ac459587623dd85c057a4597d7d5f1da51e1d2085bdf44e8c78f301
Instruction ID: 2b918f326750128f712ef7672b99b4bcbdc995b4b7a48653eed4adc55e99f719
Opcode Fuzzy Hash: d7146d8a8ac459587623dd85c057a4597d7d5f1da51e1d2085bdf44e8c78f301
Instruction Fuzzy Hash: A7412974A04618CFCB54EF68D880BADBBB1BF49348F1084AAD40EAB355DB309D84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025402AB, Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

Lmk, xrefs: 025402B6

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: Lmk
API String ID: 0-2364670092
Opcode ID: 373bb20dc1d78ec05bccdabce17cfe747b37d96f1adf43a497f874a62c2d794e
Instruction ID: 83e045db69a6bac4691031134f1cc2f22e145bfdeb3594db8aca475c569bcbfe
Opcode Fuzzy Hash: 373bb20dc1d78ec05bccdabce17cfe747b37d96f1adf43a497f874a62c2d794e
Instruction Fuzzy Hash: A9D0A73020C600CB8368CB08F590491BBB5FF847103518D19E85647A94CF70FC02C704

Uniqueness

Uniqueness Score: -1.00%

Function 02540BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dccf2055658b2b1dce0686906f53044726ad44d7ee8d16726f4755383a408d
Instruction ID: 882d45f74807ade52aa1f5bb2f522e8128963b4b145379e4cfe62eb0b5ddea13
Opcode Fuzzy Hash: 31dccf2055658b2b1dce0686906f53044726ad44d7ee8d16726f4755383a408d
Instruction Fuzzy Hash: 5B419431B05114CFC7099B2CC4146AEBBB6AFC6314F1580AAEA06DF2A1CE719D0AC795

Uniqueness

Uniqueness Score: -1.00%

Function 02542BF8, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a042aa3985bac8c96f957406ad04302636c5126f5d25c4b7ed54781700fc326
Instruction ID: 0ca6a64b6963eef89a8332389dee9e2924a5dbe62ca50a01aa2e7221eb60c646
Opcode Fuzzy Hash: 8a042aa3985bac8c96f957406ad04302636c5126f5d25c4b7ed54781700fc326
Instruction Fuzzy Hash: 6241E37010D3A1EFC31697249C54635FFB5BF83208F0989A7E886CF5A2CB209E05C766

Uniqueness

Uniqueness Score: -1.00%

Function 025402DC, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c15f9776d7722fa3930204e0062e8622a9a4148ce61d37abf47efaada21aad
Instruction ID: 0644bdd5712832947f780bc3938136227cf8ef6bc21af2b0f821b20404ab03ef
Opcode Fuzzy Hash: 39c15f9776d7722fa3930204e0062e8622a9a4148ce61d37abf47efaada21aad
Instruction Fuzzy Hash: D0314B30A05605CFDB18CB68C054BAEBFB2FF88718F248869D602AB7A0DF759C41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 025421E8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de7977b3a5cf2fc97d34ec9a914d31dae1aabe293da1b7745d8c66e82331611
Instruction ID: 1727598489e13b48ab340aed061e96adff037aead70581b7dfb966cd4d80735f
Opcode Fuzzy Hash: 3de7977b3a5cf2fc97d34ec9a914d31dae1aabe293da1b7745d8c66e82331611
Instruction Fuzzy Hash: D0312A70A0C219DFCB85EFA8C5456ADBFB1BF45308F1045AAEC02DB2A1DB349E45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 025425DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7437d9b69b1abcce6d752bb8aeaa4c8a5fd4c96680608b5baa23610158e936
Instruction ID: 73f61d7c695c58ac8ee1f56339b04d13be033e7c5b8959551b3d359ecf6f9599
Opcode Fuzzy Hash: da7437d9b69b1abcce6d752bb8aeaa4c8a5fd4c96680608b5baa23610158e936
Instruction Fuzzy Hash: F2319CB0A00255CBDB64DF69C84465AFFE2FF84318F10D22AD8059F264DFB49989CF44

Uniqueness

Uniqueness Score: -1.00%

Function 025421F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ecaf8b08676f244a7e7ec297e714f60184cfa2c97b1637442df9bc0bb8ad7b
Instruction ID: 596129f90340abc9b7cd9b25c3d5dacb38b59eb24a2652f62ee0edc3f48e3a8a
Opcode Fuzzy Hash: b7ecaf8b08676f244a7e7ec297e714f60184cfa2c97b1637442df9bc0bb8ad7b
Instruction Fuzzy Hash: 5121F970E08219DFCB84DFA8C5456BDBBB1BB44308F10456AEC02E72A0DB719A40CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02544190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3f32941b13b92bf28d3eea81bd67c0c5caa0eb080bd60b49176a69e5ae665c
Instruction ID: 5ab2fcd9a03dae75d86a82d640c4f22d32931530b07edfa67d30f1412ca51763
Opcode Fuzzy Hash: ff3f32941b13b92bf28d3eea81bd67c0c5caa0eb080bd60b49176a69e5ae665c
Instruction Fuzzy Hash: D2110671B442168BDB14ABB8D8146BFBABBBFC4344F11053ED907A7280DE708840C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 02540B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8efc4c79d73bba1d8fe39a32b543e362aa26df161d86c96e452c4348ba0fbb
Instruction ID: ee6f12090dd8a438487d689de757e961ba10b871aeec78ba80ae2a1595d05ce2
Opcode Fuzzy Hash: fb8efc4c79d73bba1d8fe39a32b543e362aa26df161d86c96e452c4348ba0fbb
Instruction Fuzzy Hash: 68118231B58165EACB6855748811BBEE1967B4465CF304C6A9B43E71C0FE30C900CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 023F087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401391380.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3722cd5ca24a6bbc59e6c6820055a50dfd42278c95708716bf35e5af4cb11956
Instruction ID: 6ab28a9bcbadede4fa3d7f13030a7554a3a3a076fc19aad34cb702271bbc4981
Opcode Fuzzy Hash: 3722cd5ca24a6bbc59e6c6820055a50dfd42278c95708716bf35e5af4cb11956
Instruction Fuzzy Hash: 73110A34204344DFD759CB28D540B26FBE5AB48708F24C59CEA494B657C77BD403CA51

Uniqueness

Uniqueness Score: -1.00%

Function 023F0845, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401391380.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80893546968e2f37a069e276862af384a11ca8736e4f1f064e5ee497156ad17
Instruction ID: 817ecf6092a78f824a74ffc0488f352bfbb728234bd06d4731be17ccea7bf7e0
Opcode Fuzzy Hash: f80893546968e2f37a069e276862af384a11ca8736e4f1f064e5ee497156ad17
Instruction Fuzzy Hash: F3215B3410D3C08FD7078B24D9A0B55BFB1AF47218F2985DED8858B6A3C33A881ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 025411DF, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af535429fe108a078551e688283847ca87135041df4e6355e587844cbd30eee1
Instruction ID: c6de9393c7dc6d755538b0ce40f2e3e9ac26dd8b41b774709814f7953d209743
Opcode Fuzzy Hash: af535429fe108a078551e688283847ca87135041df4e6355e587844cbd30eee1
Instruction Fuzzy Hash: AA11703030C580CFC705A739D454869BFE5BF8620471984EBD98ACF2B7CE658C49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02541209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7a905cfec7b0fc1508dfc32843ad885d880d095402445403798566f6e5371c
Instruction ID: c1e3cefd0a5971aa94a2c2e34043a05744af6375da3083840854b4aff3188c52
Opcode Fuzzy Hash: aa7a905cfec7b0fc1508dfc32843ad885d880d095402445403798566f6e5371c
Instruction Fuzzy Hash: B8018C3030C190CFC705AB2DD058969BFE6BFC620471984EBE44ACF2B6CE618C89CB95

Uniqueness

Uniqueness Score: -1.00%

Function 025405C0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a9f2f944f933a37ef9d525a814e16bffd7a2534ff058416b33b15d6b8260ba
Instruction ID: e980f4ccbc8cb437a0fe9a38b6c7e41efed86fd28cef7856e15abfb8707c0f76
Opcode Fuzzy Hash: 17a9f2f944f933a37ef9d525a814e16bffd7a2534ff058416b33b15d6b8260ba
Instruction Fuzzy Hash: C4F02D717400220BCB8D7A3C94212BF668BABC4650768012EE207EB3C1CEB08C4347DA

Uniqueness

Uniqueness Score: -1.00%

Function 025405C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d525c3588d633da9ffad4084f207d8d1aa7a49a1c0ba2f84c21cee80b00e5add
Instruction ID: efc840d2d894ad030e4c74db574e38b5c14c6eca4005539bedf4794509a7323f
Opcode Fuzzy Hash: d525c3588d633da9ffad4084f207d8d1aa7a49a1c0ba2f84c21cee80b00e5add
Instruction Fuzzy Hash: F6F0B47170012507CA4C7A7D94217BF668F9BC5A507A4452EE207DF3C5CEB08C4343DA

Uniqueness

Uniqueness Score: -1.00%

Function 023F05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401391380.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f744809d3dfabc74ebce6187fc58bedb4e50dc778b0111a41ee771955ff63d
Instruction ID: fadc5c47ccbd6ff91eb24673b1f3216abb931df0d9bc2e4148dde273ee079003
Opcode Fuzzy Hash: a2f744809d3dfabc74ebce6187fc58bedb4e50dc778b0111a41ee771955ff63d
Instruction Fuzzy Hash: 3B01D6B650D7806FD7128B06EC41862FFB8DA86620748C09FED498B612D225A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02541218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366c4f60bc73af9d73fbc5e2583415f54e2b170fb562810bcb90c92eff7e1f9e
Instruction ID: 50481f57bab7a5c9cffa7549eb1736f138380d704d6890e805e0927d9c3f5490
Opcode Fuzzy Hash: 366c4f60bc73af9d73fbc5e2583415f54e2b170fb562810bcb90c92eff7e1f9e
Instruction Fuzzy Hash: 6F013130308410CBC644AB6DD05896DBBEAFFC571472585AAE90ACB775CFB1DC89CB89

Uniqueness

Uniqueness Score: -1.00%

Function 02540D34, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e19f3aa8f364dd26fe05cb6d74cf80fd05a83999b4dcab5d931533e3623621
Instruction ID: 367e18ca059d4555c95e4f5f103f7a5ceec116d82541fb3ddc09876166988882
Opcode Fuzzy Hash: d7e19f3aa8f364dd26fe05cb6d74cf80fd05a83999b4dcab5d931533e3623621
Instruction Fuzzy Hash: 52F090313141009FD7049B28D888A99BBE6FBC5319B24886AE54ACB36ACF719C05DB41

Uniqueness

Uniqueness Score: -1.00%

Function 02540918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c924d5be2bc8df0b46950cfa17c004baf08ebe09a1c5b44855bcaf077a468aba
Instruction ID: 900899962e49e1a57b2f9b10e3073da47f39e4648e03ef10a7e67b7e2140a059
Opcode Fuzzy Hash: c924d5be2bc8df0b46950cfa17c004baf08ebe09a1c5b44855bcaf077a468aba
Instruction Fuzzy Hash: 93E0E532E192189ADB586AF998005AFFBA9A7D9658F204D379B07A3380DD70894182D5

Uniqueness

Uniqueness Score: -1.00%

Function 02544180, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4970f1e974df661fca36786dcebaecca2ddc38b5575b93739152ec06c324ff1
Instruction ID: c1847a24d556f98a43d1e54931b1bcb53e1f2d1ca1140c9b47e3aa17d2a13f7f
Opcode Fuzzy Hash: b4970f1e974df661fca36786dcebaecca2ddc38b5575b93739152ec06c324ff1
Instruction Fuzzy Hash: C6F027716897844EDB1167702C096EEBF75BAD2148B0109AFD807E3041ED754014C795

Uniqueness

Uniqueness Score: -1.00%

Function 023F0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401391380.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 175bb6339cf1be7965ab1a689a96476741b94c46b75c80cdb21b1500112e6eb2
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: B3F01D35104644DFC315DF04D540B16FBA2EB89718F24C6ADE9890B767C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 023F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401391380.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff2bd8798064083545cabf2f3bba966ed0979a59dcbe3b0677d6ee1bda7eaca
Instruction ID: abb8d7d16ce08537aa3baa03984f270d8e4462a84e55e18f1682f5be20b2625d
Opcode Fuzzy Hash: dff2bd8798064083545cabf2f3bba966ed0979a59dcbe3b0677d6ee1bda7eaca
Instruction Fuzzy Hash: 0FE092766406009BD650CF0BEC41462F7D8EB88630B18C07FDC0D8B700E636F504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 02540650, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11029cb7f9fed46426f990adc3c2dea4b209fbbf3599c3ddccff62b3ebe4ec2b
Instruction ID: ed7baaeb7bed31aad1f672f07f85640902085ecc95c1487195e9de8f1a274a0a
Opcode Fuzzy Hash: 11029cb7f9fed46426f990adc3c2dea4b209fbbf3599c3ddccff62b3ebe4ec2b
Instruction Fuzzy Hash: E1D05E7108E3908FC30B6B706C151A8BF71AE9320971548A7C9468B4B3C9269AA6DB27

Uniqueness

Uniqueness Score: -1.00%

Function 0254016F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0977a32b7b435a1286a8c9c9ab46d8e63d67c2541449ac5ae2281295297b2ff5
Instruction ID: 9babb925db8eddfeabbb162a1ffd0cd6d67ca3037634b57ea6d2cda7e4048fde
Opcode Fuzzy Hash: 0977a32b7b435a1286a8c9c9ab46d8e63d67c2541449ac5ae2281295297b2ff5
Instruction Fuzzy Hash: 19E012722053008FC7156B70D8651583771EB4661570106B9D4268B6F0EA3AC995C651

Uniqueness

Uniqueness Score: -1.00%

Function 02542D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dbb7672e6ccd0eaef2360bae976a621656767e9ad9d699a8b64bd93ff8406a
Instruction ID: ea6c1ec930af3ea9a34d3a71410949bdb375a5679db6b3337fc1d377f1622877
Opcode Fuzzy Hash: 86dbb7672e6ccd0eaef2360bae976a621656767e9ad9d699a8b64bd93ff8406a
Instruction Fuzzy Hash: B3D05E3404D3949ED71707609815B64BF306B0B309F1508C3E54ACF0F3C9544506C32A

Uniqueness

Uniqueness Score: -1.00%

Function 02540180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462b091b6de9c0dbe9a798342fdba0e22cf6e26f02d83bca3bf895c7a8e4d04c
Instruction ID: 3ebc2cdf184489ac0f85ea33ffa79f379d721566471968485b0649fb994c710c
Opcode Fuzzy Hash: 462b091b6de9c0dbe9a798342fdba0e22cf6e26f02d83bca3bf895c7a8e4d04c
Instruction Fuzzy Hash: 11D012B1201304CFCB183B70E4184283366AB44205300097CE80687760EF3BD890CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02542D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f479163c1cf218b478a5ce05a059c77c067dd30ce28d58abed9c310c81bd1333
Instruction ID: ed3a07badc9b4712968cfc6e920161e1e71b65e16f9eaa3d92b554a28eb8225a
Opcode Fuzzy Hash: f479163c1cf218b478a5ce05a059c77c067dd30ce28d58abed9c310c81bd1333
Instruction Fuzzy Hash: 40C0923419C628E6E6981684AC1AF74F218B70CB4EE100C43BE0FDC0A81DA1A212D06E

Uniqueness

Uniqueness Score: -1.00%

Function 02540660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb0e9a515f76247b03e1df8c3e73a9d018f9bd381a9515b158eceff05aef33b
Instruction ID: e38f45da5dac4d9bafba727770998e256927f83fcdfb6d051ee2756c2f8b3485
Opcode Fuzzy Hash: 4bb0e9a515f76247b03e1df8c3e73a9d018f9bd381a9515b158eceff05aef33b
Instruction Fuzzy Hash: 02C09B71089664CEC35C67756C05539F21AB6D1309764CC35DA07111718E72D4B1D96D

Uniqueness

Uniqueness Score: -1.00%

Function 02542EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2da3d3fe8a688ac3b36a458bc0848907e9a4c2a8e766eb27ce4c6f53531c03
Instruction ID: 0888a1c995f4ca17f0ed6dd871cfe4da4696460e9d04286bc339ec6082d1389a
Opcode Fuzzy Hash: 5a2da3d3fe8a688ac3b36a458bc0848907e9a4c2a8e766eb27ce4c6f53531c03
Instruction Fuzzy Hash: 60B0123022420A0B174057B52C48B22778C56405097401060AD0CC1100FA01D0E03154

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02540D8C, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 025410CB
,:kr, xrefs: 02540E38
0jr, xrefs: 02540F8E
X1kr, xrefs: 02540F1C

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: fd26cb90f74fbe08391b63e47281b6d1f09708bbbdb600d72b68793c36bf41d5
Instruction ID: 013d3f2e0b36c48a0899181eabde5a6f319a8b5ad87c084433ffbe45ca519581
Opcode Fuzzy Hash: fd26cb90f74fbe08391b63e47281b6d1f09708bbbdb600d72b68793c36bf41d5
Instruction Fuzzy Hash: D6B1B870A08344CFD394EF789160B6ABFE2FB95704F50996EE5498B399DF719841CB02

Uniqueness

Uniqueness Score: -1.00%

Function 025401B8, Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

hfk, xrefs: 02540264
hfk, xrefs: 0254023A
hfk, xrefs: 0254020B
hfk, xrefs: 025401DC

Memory Dump Source

Source File: 00000007.00000002.401420873.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false

Similarity

API ID:
String ID: hfk$hfk$hfk$hfk
API String ID: 0-1104659808
Opcode ID: 2dfc8c6b201843c31471587591180ddd3196ec59611e8f890ccfe8fde5e4703e
Instruction ID: 5cbb2a6a202a1002357b2a3b90ad1a162f057c724610a5a7a86e5c431f6982e7
Opcode Fuzzy Hash: 2dfc8c6b201843c31471587591180ddd3196ec59611e8f890ccfe8fde5e4703e
Instruction Fuzzy Hash: 542100707012159FEB14DE68D880F6ABBEAFFC5B54F600469E6059B380EB75FC018B65

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 5480 Parent PID: 3664 MSBuild.exeCOMMON

Executed Functions

Function 0532E738, Relevance: 25.3, APIs: 1, Strings: 13, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0532EE8D

Strings

X1kr, xrefs: 0532E8BA
X1kr, xrefs: 0532EFE0
X1kr, xrefs: 0532EF71
X1kr, xrefs: 0532F092
H*, xrefs: 0532E890
X1kr, xrefs: 0532ED79
X1kr, xrefs: 0532F00F
X1kr, xrefs: 0532E84E
X1kr, xrefs: 0532E816
X1kr, xrefs: 0532EDD6
X1kr, xrefs: 0532EDB0
X1kr, xrefs: 0532ED5A
X1kr, xrefs: 0532EF47

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: H*$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr
API String ID: 2994545307-1645992065
Opcode ID: 0e9512a03c628a125ff27193086c522e7a940ebe5e5819ba39a96137009ff68c
Instruction ID: 2da603fa6094cb24119b21d12b3cf19055e5b3edd4222e29254507b8a26bff7b
Opcode Fuzzy Hash: 0e9512a03c628a125ff27193086c522e7a940ebe5e5819ba39a96137009ff68c
Instruction Fuzzy Hash: CF625D35E00629CFDB64DFA4C844BDEBBB6BF89300F1585A9D909AB260DB719D85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00EA0C20, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EA0C85

Memory Dump Source

Source File: 0000000A.00000002.867387495.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c2e35e5b4544ba224017210c17ce782a5a1da63703ea53a856e75c7630ef800
Instruction ID: 77d2ad558eb65975ad7607203e4ab85595eb2232067464c593466b47292e2514
Opcode Fuzzy Hash: 6c2e35e5b4544ba224017210c17ce782a5a1da63703ea53a856e75c7630ef800
Instruction Fuzzy Hash: 2B517271B00209DFCB44EBB4D844AAEB7B6FF88314F249939E516EB254DF319845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0115AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0115AF87

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ff5be17f66ee65a072d3d4179656244bb2eadf4c990c5a477c5252ba55af32ec
Instruction ID: 8f3e6c4bb65f24c0d25e9b189e9f8da6be80c25781696047144375ce7f6e8bc0
Opcode Fuzzy Hash: ff5be17f66ee65a072d3d4179656244bb2eadf4c990c5a477c5252ba55af32ec
Instruction Fuzzy Hash: C3218D75509784AFEB278F25DC44A56BFA4AF06210F08859AE9858B1A3D271A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0115B0F5

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ff2fa71f6dd996949b28aa55a7eb2055abd6a914b08d6c24aef0847365e10ac4
Instruction ID: 8b07500dcf1304afd882c798307f14e70b289a01177220f417e3dfd0f8c1f397
Opcode Fuzzy Hash: ff2fa71f6dd996949b28aa55a7eb2055abd6a914b08d6c24aef0847365e10ac4
Instruction Fuzzy Hash: F1118171409784AFDB138F15DC45A52FFB4EF06324F0980DAED844B163D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0115AF87

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 98761fb057186bba554a018a8a6aa6e8b088ac049075398a47c88a2ed3107393
Instruction ID: 6f2cfe7b305367a4923a555d675a69755a9fb7cbb640746c30011fb60f33efed
Opcode Fuzzy Hash: 98761fb057186bba554a018a8a6aa6e8b088ac049075398a47c88a2ed3107393
Instruction Fuzzy Hash: DD119E71500600DFDB25CF69E884B5AFFE4EF04220F0885AAEE458B652D371E418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0115B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0115B0F5

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: aeb3769f850ae8bd5614d9ccf59b4dd6e0b51dcc01fa84a44a187ae3618707fe
Instruction ID: 8837d05b06f380d6e3967ec289cc49e2b845c96015df7e208b814f04b97a1173
Opcode Fuzzy Hash: aeb3769f850ae8bd5614d9ccf59b4dd6e0b51dcc01fa84a44a187ae3618707fe
Instruction Fuzzy Hash: B201AD31504644DFDBA5CF59E884B26FFA0EF08320F18C09ADE994B212D3B5A418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 01458110, Relevance: 1.1, Instructions: 1108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15e543d258fc2dee6b1ab7599564eed42fc45e33189140d0e7d91526306acc9
Instruction ID: b3888646e6bad9af9b6ed44bd71496d89d44237fe08e235230b9a10ac08359ce
Opcode Fuzzy Hash: b15e543d258fc2dee6b1ab7599564eed42fc45e33189140d0e7d91526306acc9
Instruction Fuzzy Hash: 0E92B334B002068FDB618B2EC484B6E7BE1EF45310F24457AE959DB3A3CB75EC458B52

Uniqueness

Uniqueness Score: -1.00%

Function 05324808, Relevance: 8.3, APIs: 1, Strings: 3, Instructions: 1251libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 05325D07
:@Dr, xrefs: 053256BB
:@Dr, xrefs: 0532612D

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr$:@Dr$:@Dr
API String ID: 2994545307-1395999109
Opcode ID: ccb9c64ba62786e9f35945dbb4cf7b6e367d675a6dca223435fa308abfbd8cd7
Instruction ID: 1db72e1f93ad285f0845cff38545089be9c4e4d18dc7e2d172675ccfd4faac3f
Opcode Fuzzy Hash: ccb9c64ba62786e9f35945dbb4cf7b6e367d675a6dca223435fa308abfbd8cd7
Instruction Fuzzy Hash: 47D2C774A006288FCB65DF68DC58AAABBB6FF49301F5081E6D809E7354DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324844, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 693libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 88c60d4acbc70698e6eae17907299fb5e118b4c8e742ffa482e7dbc4e382b45c
Instruction ID: 3cf15ce7f537fdb9c4f2dc7e466c3ddefa631ec8425dae7a6d77fca9bfde38c6
Opcode Fuzzy Hash: 88c60d4acbc70698e6eae17907299fb5e118b4c8e742ffa482e7dbc4e382b45c
Instruction Fuzzy Hash: 8072A274A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324898, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 683libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 6be4c31bd8a9351039cd536bdf4737539b89c3b2b09eb82e9f6fec424fe11326
Instruction ID: f677872c429be8312c78f85221100259ca0b94d5fd88a6bf1c9eee5d7b117c85
Opcode Fuzzy Hash: 6be4c31bd8a9351039cd536bdf4737539b89c3b2b09eb82e9f6fec424fe11326
Instruction Fuzzy Hash: 8672A374A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053248EC, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 671libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 9af295e71d8ad58901278d7c6a0a85d138fd987e39e9e27d5e34bacff2f16e88
Instruction ID: 172246a69934e14e6aadb2471377eb2e01be735903807a8e8d5211eea35d4c75
Opcode Fuzzy Hash: 9af295e71d8ad58901278d7c6a0a85d138fd987e39e9e27d5e34bacff2f16e88
Instruction Fuzzy Hash: 5C72A374A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324937, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 5875b1d068379a70550ca016a095d72bb011c64e1941dcdd21017860bc5c89af
Instruction ID: de14008744ec3ada2066a0e5a9f3606e19d74d68baa0a3e195577efa5c329255
Opcode Fuzzy Hash: 5875b1d068379a70550ca016a095d72bb011c64e1941dcdd21017860bc5c89af
Instruction Fuzzy Hash: 0172A374A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324982, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 653libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 037c56e26bf51af9983b1b2d936909613c6acf6e14c3e376af05fdb2c550407f
Instruction ID: f3f33a90f3ec3a08fe28a5d2401fbefcdf4e7f7b0f2cde0805d46cb7428db273
Opcode Fuzzy Hash: 037c56e26bf51af9983b1b2d936909613c6acf6e14c3e376af05fdb2c550407f
Instruction Fuzzy Hash: 30629374A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053249D6, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a3c50dbe334004e70685c5292506a8336369df228ba3cdeeae35eed17577c7d4
Instruction ID: f2f12abd931a1bdc33a99fd134264b1668d7453867cda637178412769ff4dd95
Opcode Fuzzy Hash: a3c50dbe334004e70685c5292506a8336369df228ba3cdeeae35eed17577c7d4
Instruction Fuzzy Hash: 29629374A046288FCB65DF28DC88AA9BBB6FB49311F5081E6D94DA3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324A21, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 633libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: bc703fc2cf629183d0195280365332151f8f7220c671df409d9d3baa19d33aee
Instruction ID: 846829d9d11226ce36910f03ca0ca3537fcb923d991c35bf33e89be0dae21431
Opcode Fuzzy Hash: bc703fc2cf629183d0195280365332151f8f7220c671df409d9d3baa19d33aee
Instruction Fuzzy Hash: 61629374A046288FCB65DF28DC88AA9BBB6FB49311F5081E6D94DE3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324A75, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 623libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: eff92dc81fbf11cb733a1efb81de610703344f1c314666ce6cec4520816d7795
Instruction ID: eed73a801a90687a125093db8a1e5c3e101d74216ae694be32624b08ff8e12d6
Opcode Fuzzy Hash: eff92dc81fbf11cb733a1efb81de610703344f1c314666ce6cec4520816d7795
Instruction Fuzzy Hash: 1862A374A046288FCB65DF28DC88AA9BBB6FB49311F5081E6D94DE3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324AC9, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 613libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 11ac648778a90b2c1e3d9adda4855053e1585ec99e471f6d5c83c1eea9a299a2
Instruction ID: 109a2beb81ccc99c57abbe07a916dbc8cbccfb767be737c0c5bb2f54951f64bf
Opcode Fuzzy Hash: 11ac648778a90b2c1e3d9adda4855053e1585ec99e471f6d5c83c1eea9a299a2
Instruction Fuzzy Hash: 9662A374A046288FCB65DF28DC88AA9BBB6FB49311F5081E6D94DE3350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324B1D, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 603libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: c531e339a0788f3af167ca614f6848c9bd66bdb98017ed831cef8a4fc3e47ca1
Instruction ID: ca33244b68cc3d50bb36fb000d015ac0f257c54d1d255b6286e5344ea47bb6ed
Opcode Fuzzy Hash: c531e339a0788f3af167ca614f6848c9bd66bdb98017ed831cef8a4fc3e47ca1
Instruction Fuzzy Hash: 3962A374A046288FCB65DF28DC88AA9BBB6FB49311F5081E6D90DE7350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324B71, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 593libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 4c3896603f6e7ba2b382c2c3230f6cbe0720185df5e54c7487d1ec8341fe9db7
Instruction ID: adaed76b1a66ef6f477570554719d5e0923d8eb4c7546a94844d6980256fe2e6
Opcode Fuzzy Hash: 4c3896603f6e7ba2b382c2c3230f6cbe0720185df5e54c7487d1ec8341fe9db7
Instruction Fuzzy Hash: EE529374A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D90DA7350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324BC5, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 583libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 5b7a0310fddec05b3892af78dd8d0ec37da9c4d74600dadf0c457bdc5188821a
Instruction ID: 2f8f44fee019be8dd26504b8993cbf9634410d3e55721e1849cad18c10e0ce9a
Opcode Fuzzy Hash: 5b7a0310fddec05b3892af78dd8d0ec37da9c4d74600dadf0c457bdc5188821a
Instruction Fuzzy Hash: 03529474A04628CFCB65DF28DC88AA9BBB6FB49311F5081E6D90DA7350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324C19, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 573libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 6c75cd56bc88c7268b5912b5d9f35db74090cdc25637872aad5db8f3b4c1e2c5
Instruction ID: 7b3a24e064526c635df596a60c643e413b43515825322022917dd5716cc7d93c
Opcode Fuzzy Hash: 6c75cd56bc88c7268b5912b5d9f35db74090cdc25637872aad5db8f3b4c1e2c5
Instruction Fuzzy Hash: 7852A474A04628CFCB64DF28DC88AA9BBB6FB49311F5081E6D90DA7350DB319E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324C6D, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 563libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 1b56d6e8785c5ecdc59f817912c7925d0a8a3b85bda6cd4ee3c4af8868d63628
Instruction ID: c0733be7cfea6cdacb3cf09448f3a4f5811137d63f05f8d052e754e011ab7923
Opcode Fuzzy Hash: 1b56d6e8785c5ecdc59f817912c7925d0a8a3b85bda6cd4ee3c4af8868d63628
Instruction Fuzzy Hash: 00529474A046288FCB64DF28DC98AA9BBB6FB49311F5081E6D90DA7350DB315E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324CC1, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 553libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: ed84fa5b2e1024c81a1f31e722e9e5d8525393535047c25e6871509a75141789
Instruction ID: fb68009625a2d77ff0cd1292370015f7ec05457f35712fd6cdc0e230c017491e
Opcode Fuzzy Hash: ed84fa5b2e1024c81a1f31e722e9e5d8525393535047c25e6871509a75141789
Instruction Fuzzy Hash: 04529474A046288FCB64DF28DC98AA9BBB6FF49312F5081E6D90DA7350DB315E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324D15, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 543libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 4294098055a5fa73f8f420f8c524a0256aee9b4e2856a4620f2249f691fbe9b8
Instruction ID: 1b81bb2a69cbff48ce8c419654a7052665f4c33ad6a19f9cf8716453a7ba82ef
Opcode Fuzzy Hash: 4294098055a5fa73f8f420f8c524a0256aee9b4e2856a4620f2249f691fbe9b8
Instruction Fuzzy Hash: 7642A474A046288FCB64DF28DC98AA9BBB6FF49312F5081E6D90DA7350DB315E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324D69, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 533libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a3f7d4d954a2e58fcb4c357ab794d2ecb97c32fd3911d9512fc549b6851c4745
Instruction ID: 441c18a41d9db45e323f3be943e704054ee28b5bad1219fc70eb1082958895ce
Opcode Fuzzy Hash: a3f7d4d954a2e58fcb4c357ab794d2ecb97c32fd3911d9512fc549b6851c4745
Instruction Fuzzy Hash: 6242A474A046288FCB64DF28DC98AA9BBB6FB49312F5081E6D90DE7350DB315E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324DBD, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 523libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 401f3ff7e0f86cd81f4a97078ab8726ecf5a9e4d0a67ce87ed7f5a903cdb7a0e
Instruction ID: db3fe5b9f2518f776495e2b6e194c1f7ae021ec96e7b61e13383acd4b492ae37
Opcode Fuzzy Hash: 401f3ff7e0f86cd81f4a97078ab8726ecf5a9e4d0a67ce87ed7f5a903cdb7a0e
Instruction Fuzzy Hash: E842A374A046288FCB64DF28DC88AA9BBB6FB49312F5081E6D90DE7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324E11, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 513libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 2ae538460bbf62a3acdf17e193e23169e137e0ffe6df1d44ec8064aaca300fdc
Instruction ID: f0ac7772fe42afe495a0a3c0ca135d9bc038a24298f114e88ec1fc58d31ebe17
Opcode Fuzzy Hash: 2ae538460bbf62a3acdf17e193e23169e137e0ffe6df1d44ec8064aaca300fdc
Instruction Fuzzy Hash: 7C42A374A046288FCB64DF28DC88AA9BBB6FB49312F5081E6D90DE7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324E71, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 500libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 43c923b813c4f4e57e75d2c3abd5f2be0d364d232c160b025b9d76c1148cbf36
Instruction ID: deba5fefe22c9ff9f433ac823dbac9f79b6ce1da7bc4b95ac2b8900780f474df
Opcode Fuzzy Hash: 43c923b813c4f4e57e75d2c3abd5f2be0d364d232c160b025b9d76c1148cbf36
Instruction Fuzzy Hash: 09429374A046288FCB64DF28DC88AA9BBB6FB49312F5081E6D90DA7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324EC5, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 490libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a7382eeb93bbef04bbf60dc1a71a979c00c56ea816fde848ba9337c8b9fdbbf6
Instruction ID: f90ba29bf24c676ecbca3e381c9e96919a15fae50c9409ce2368b4de034bcae3
Opcode Fuzzy Hash: a7382eeb93bbef04bbf60dc1a71a979c00c56ea816fde848ba9337c8b9fdbbf6
Instruction Fuzzy Hash: 1F329374A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324F19, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 478libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: cf37cbe6e96e469074b839a83a330eb1899891fbd9ce00a45b0ee15702333111
Instruction ID: fa88e3f089d82f1373582103897d783d0b8481f2910613b0c8bf8b128962829b
Opcode Fuzzy Hash: cf37cbe6e96e469074b839a83a330eb1899891fbd9ce00a45b0ee15702333111
Instruction Fuzzy Hash: 4D32A374A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324F64, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 470libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 1029a626b8d8117010fca3f65025a44cf18fc4175c324261ee93a8de6e463d16
Instruction ID: 66a21162181807590e640fc379ee4c81623a66dd68d482467d2c220c19b2c394
Opcode Fuzzy Hash: 1029a626b8d8117010fca3f65025a44cf18fc4175c324261ee93a8de6e463d16
Instruction Fuzzy Hash: 0432A374A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05324FB8, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 458libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 7bde9b03fd5eff6beb9b57dd0b5df8c02cfb1aa70aeb54d1829a38dd493a5da6
Instruction ID: 796959bafc92e26efe76c838c7f5e0541171526760dd45810704e8fbf0de4906
Opcode Fuzzy Hash: 7bde9b03fd5eff6beb9b57dd0b5df8c02cfb1aa70aeb54d1829a38dd493a5da6
Instruction Fuzzy Hash: BD32A474A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05325003, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 450libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: a8a992c06b564558cee8752dfd99e4afc31d6a9b7ccd41398b5632cfa3dc3ee5
Instruction ID: d292e0e0001f4ceaed7c1c078693415f0af70b25dd76e9010168c8cf267e15a6
Opcode Fuzzy Hash: a8a992c06b564558cee8752dfd99e4afc31d6a9b7ccd41398b5632cfa3dc3ee5
Instruction Fuzzy Hash: 4A22A474A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05325057, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 440libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: b47ab3e0e9ce00c14da733850a1a6b284e5992cb5facc55ed9d7246e4006fa5f
Instruction ID: aa39fc9935ce03519b9a83b3b71e172e3dd4e3f3745518f64f51feca4abe07bb
Opcode Fuzzy Hash: b47ab3e0e9ce00c14da733850a1a6b284e5992cb5facc55ed9d7246e4006fa5f
Instruction Fuzzy Hash: 8F22B474A046288FCB64DF28DC88AA9BBB6FF49312F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053250AB, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 430libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: dfaec0fae0767c5c5404f64aa78c6c6b46239e2042ad16119ff29c64cbd9c603
Instruction ID: 96713b0ae7aaa20fa65ca979a8117d79036e68be6acbc6ddebdd17c5b5f5a458
Opcode Fuzzy Hash: dfaec0fae0767c5c5404f64aa78c6c6b46239e2042ad16119ff29c64cbd9c603
Instruction Fuzzy Hash: 6122B574A046288FCB64DF28DC98AA9BBB6FF49302F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053250FF, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 420libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 62ad2f9156689c1ba8d3387a3f177f67eb83049c556a1cd3ced254f4f8b726a3
Instruction ID: c064411814282172abf2408aad6bdb1ae4c3aa9ef6b695e69115f39ae9e22f5c
Opcode Fuzzy Hash: 62ad2f9156689c1ba8d3387a3f177f67eb83049c556a1cd3ced254f4f8b726a3
Instruction Fuzzy Hash: 4E22B574A046288FCB64DF28DC98AA9BBB6FF49302F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05325156, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 410libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: f1a72277d7f7fd45aa1590020eb352ba4e79a8c30160b3b63df3568604e20b05
Instruction ID: be5b760e9fbfbf29312ef7fdee2be9e83085da156f6e733d9df5d35011df43a6
Opcode Fuzzy Hash: f1a72277d7f7fd45aa1590020eb352ba4e79a8c30160b3b63df3568604e20b05
Instruction Fuzzy Hash: 1F12B574A046288FCB64DF28DC98AA9BBB6FF49302F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053251AD, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: e157e0b33c52cf89c9015c516726b9f5cb157c99f9a50e35a5bd370443d7fef0
Instruction ID: 9910bda1fd94167f97a8c13b4cd19088666d6c9d536834f94866f35d2e80d0ea
Opcode Fuzzy Hash: e157e0b33c52cf89c9015c516726b9f5cb157c99f9a50e35a5bd370443d7fef0
Instruction Fuzzy Hash: DC12B574A046288FCB64DF28DC98AA9BBB6FF49302F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053251F8, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 390libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: d53fe9819ffadb3bc70cefad636a867dd4f200620d8d4321aac5a28c53b3197e
Instruction ID: 29978fbe522c2ad239c89698bb996998117af78eef4df49fca9cd34bb4b22d00
Opcode Fuzzy Hash: d53fe9819ffadb3bc70cefad636a867dd4f200620d8d4321aac5a28c53b3197e
Instruction Fuzzy Hash: 5C12B574A046288FCB64DF28DC98BA9BBB6BF49302F5081E6D909E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0532524F, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 380libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 5d9242949a6b208ff841b8387147e256202c8d4b9ff213a6649a51ee849ee88f
Instruction ID: 79c0ccb1dc0b90222bfb5066ad56b8bc602dfade9f3908ea2e7988f5e6ab0aa1
Opcode Fuzzy Hash: 5d9242949a6b208ff841b8387147e256202c8d4b9ff213a6649a51ee849ee88f
Instruction Fuzzy Hash: B702C574A006288FCB64DF28DC98BA9BBB6BF49302F5081E6D809E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053252A6, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 370libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: dde8e08e72962c533eb8e8d174d17dfc2ab107a769ba70433428afcba52de590
Instruction ID: a939d56ef24bcb16904060ce25759e54aef047ddadd80a91fc1fe4d2906c4502
Opcode Fuzzy Hash: dde8e08e72962c533eb8e8d174d17dfc2ab107a769ba70433428afcba52de590
Instruction Fuzzy Hash: 4C02C574A006288FCB64DF68DC98BA9BBB6BF49302F5081E6D809E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053252FD, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 358libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 60fba8250ba6a864a6295763539e5df6de73bf1b8555bfc81aa12e5545b1101b
Instruction ID: a7838c0255f8256ed08af0ede8b35f3fd83247caf990abb52723b8e6fd15b2b1
Opcode Fuzzy Hash: 60fba8250ba6a864a6295763539e5df6de73bf1b8555bfc81aa12e5545b1101b
Instruction Fuzzy Hash: E702C674A046288FCB64DF68DC98BA9BBB6BF49302F5081E6D809E7350DB355E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05325348, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 350libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 9a96572e4debe260edb0403f576d8f78f1632a13484a4bb3af2604f39ee361b3
Instruction ID: 99f4258369bc4d93182ba93ed4edef0ae3d417e005856595e80007b1db17839e
Opcode Fuzzy Hash: 9a96572e4debe260edb0403f576d8f78f1632a13484a4bb3af2604f39ee361b3
Instruction Fuzzy Hash: EAF1B574A046288FCB64DF68DC98BA9BBB6BF49302F5081E6D409E7250DB359E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0532539F, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 340libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: bf7b7dd7c29ca325ea9cb4b3510a598e01ee8ed85e15c02ab115ae9c5437d40d
Instruction ID: f46617ca62abec225143d800a009c626f8d3c8fc2c33eb361bde7fcf915bfe93
Opcode Fuzzy Hash: bf7b7dd7c29ca325ea9cb4b3510a598e01ee8ed85e15c02ab115ae9c5437d40d
Instruction Fuzzy Hash: 15F1B574A046288FCB64DF68DC98BA9BBB6BF49302F5081E6D409E7350DB359E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053253F6, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 330libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 5e6c4405eb0cb8a036c41e253c91e6eaed4ad0f8d21aca77ea91de96ba5d2339
Instruction ID: 3145be44e411781fccd00d4b325822257e31c2374917004a2b240277f1d2b480
Opcode Fuzzy Hash: 5e6c4405eb0cb8a036c41e253c91e6eaed4ad0f8d21aca77ea91de96ba5d2339
Instruction Fuzzy Hash: 38F1C574A046288FCB64DF68DC98BA9BBB6BF49302F5081E6D409E7250DB359E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0532544D, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 320libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: dc4fae808c6d7d5d2e349305bccb56513d6339f3601bdf4c55c572e87377b064
Instruction ID: 1d91992e7688e455acedc75f5323a86f474882666915a9c6bc661be46ee86aba
Opcode Fuzzy Hash: dc4fae808c6d7d5d2e349305bccb56513d6339f3601bdf4c55c572e87377b064
Instruction Fuzzy Hash: 34E1D674A046288FCB64DF68DC98BA9BBB6BF49302F1081E6D40DE7250DB359E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 053254A4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 310libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05325603

Strings

:@Dr, xrefs: 053256BB

Memory Dump Source

Source File: 0000000A.00000002.871151126.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 4aba1ebe33bf19ff738a0fc4722978d6b5064149487e99bd1c3913df984ecfc6
Instruction ID: 254a80297f7f0d42d1aff359ff9af0ac570a0d468b3f46f1f02a76dd455e01ea
Opcode Fuzzy Hash: 4aba1ebe33bf19ff738a0fc4722978d6b5064149487e99bd1c3913df984ecfc6
Instruction Fuzzy Hash: 78E1E674A046288FCB64DF68DC98BAABBB6BF49301F1085E6D40DE7254DB359E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01453761, Relevance: 2.9, Strings: 2, Instructions: 406COMMON

Download Yara Rule

Strings

l@, xrefs: 014539CB
l@, xrefs: 01453A9C

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: l@$l@
API String ID: 0-735082856
Opcode ID: 1458651faba5640c77bbafe1978adb45726a481155615810c8962ce3914d82bd
Instruction ID: c403e440060837b5c500246e20d00d6f77bc1897cc943daadeb93b38d06b0965
Opcode Fuzzy Hash: 1458651faba5640c77bbafe1978adb45726a481155615810c8962ce3914d82bd
Instruction Fuzzy Hash: 06E19E30B002458FDB55DF78C8546AEBBB2BF85304F1585AAD809EB366EB34DD46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01456528, Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 01456639
:@Dr, xrefs: 014566A9

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr
API String ID: 0-1937172351
Opcode ID: b3080a1d9332f5d0fe7ed8bc301ec98e2fef9b88f1ecd4a15cc6220a742c15a2
Instruction ID: 21cb38684a6f4bd6d1153569c227ed57302e35ba4851e290474bfc8d5c877656
Opcode Fuzzy Hash: b3080a1d9332f5d0fe7ed8bc301ec98e2fef9b88f1ecd4a15cc6220a742c15a2
Instruction Fuzzy Hash: AE519334B002149FDB4AAB7D8851B6F3EEB8FD8304F51403A9A05E73D6EE749D0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 01456578, Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 01456639
:@Dr, xrefs: 014566A9

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr
API String ID: 0-1937172351
Opcode ID: c05d6f12228b12cdd97b407951927c130e18796527b9b5614950dd0215836b52
Instruction ID: 977ab2c34a122ad95b7fec315e1207a31ec6b144e33416abac12dd9268ac6c85
Opcode Fuzzy Hash: c05d6f12228b12cdd97b407951927c130e18796527b9b5614950dd0215836b52
Instruction Fuzzy Hash: F741AF30B001209BDB49AB7D8851B6F7EEB8FD8704F11543E9A09E73C1EE789D0287A5

Uniqueness

Uniqueness Score: -1.00%

Function 0145602A, Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 01456462

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: e04a910e8de31489b2f9a779264159a9fe537f647db43e314831266f431063f2
Instruction ID: 45b91b4ac706970a02db69c907f836fa946c99cd0583c1d4089c70dcd8843e04
Opcode Fuzzy Hash: e04a910e8de31489b2f9a779264159a9fe537f647db43e314831266f431063f2
Instruction Fuzzy Hash: F8F1C030B093818FD756CB68C890A7B7BB2AB86300F5685BBD849CB3A3D635DC06C751

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8B98, Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EA8BD8

Memory Dump Source

Source File: 0000000A.00000002.867387495.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c73c8eea4fe0e952c3fdb4567f8f236e99f9acb023ba8cd952a3ec102708c239
Instruction ID: 864000274076288e0b1fabf314bbac7515b4958dba965ac610486d1c6c64185a
Opcode Fuzzy Hash: c73c8eea4fe0e952c3fdb4567f8f236e99f9acb023ba8cd952a3ec102708c239
Instruction Fuzzy Hash: AD714F30A00205CFDB14DFB8D954AAEBBF6AF89314F149929D406AB394DF74EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EA0BC1, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EA0C85

Memory Dump Source

Source File: 0000000A.00000002.867387495.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7f9ba3e066e91c0022e3d75912ec3081872beaa45fe6fbc97e639e77dc2ab31
Instruction ID: 0a4ab50e40df5ece82dce7f3c7b6894873e7b36d605c4a4d3df80fb3c5d97ac8
Opcode Fuzzy Hash: b7f9ba3e066e91c0022e3d75912ec3081872beaa45fe6fbc97e639e77dc2ab31
Instruction Fuzzy Hash: 36519130B00249DFCB44ABB4D844AAE7BB6EF89314F248579E415EB294DB35E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01454C18, Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

tq, xrefs: 01454E69

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: tq
API String ID: 0-2372698852
Opcode ID: 7e7a8aef79c7ff73351db9f21f050c8f7b8a6f62e3d4993094b8c9c1f62e82f7
Instruction ID: f23f3a6dee8eb0e5eb3e4a0f767a893b04db5698b73677be4b195fea1a331e86
Opcode Fuzzy Hash: 7e7a8aef79c7ff73351db9f21f050c8f7b8a6f62e3d4993094b8c9c1f62e82f7
Instruction Fuzzy Hash: D0E18C35B002049FCB599BB8C854AAE7BF6AF88300F25846AE505DB3A5EF35DD46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05C024E1, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05C025F1

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f9d5af19d3e9a5fccd5adda01969056b3e809e87139669e0d5e93de56c971e32
Instruction ID: ce563d701b1deb199c553a172fd89c57e876f76b4bb3e3a47422c3a9fd0e9ed6
Opcode Fuzzy Hash: f9d5af19d3e9a5fccd5adda01969056b3e809e87139669e0d5e93de56c971e32
Instruction Fuzzy Hash: 9541E3711093806FE712CB25DC55F92FFB8EF46220F0884DBEA849F293D265A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C01F71, Relevance: 1.6, APIs: 1, Instructions: 112networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05C0203A

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1ebcd983878662f8bae8aa61d8f638cb4bd0c765f006341fcbb1687c44d2c067
Instruction ID: 9d2cb3e312514122b07d4098a8fbae76921947b272342db362542398990e73ed
Opcode Fuzzy Hash: 1ebcd983878662f8bae8aa61d8f638cb4bd0c765f006341fcbb1687c44d2c067
Instruction Fuzzy Hash: 4E419D7550D3C0AFE7238B618C54B52BFB4EF07214F0989DBE9C58F1A3C265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C02E73, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05C02F47

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e2ce6b9a11cd0435438574df452fcaf9322123185b74b4c7526ba6be1ab10abc
Instruction ID: 9e1976f5c6aeaf754f8ad22099104b5b12fb6a6ee59b8a7e38112d745fbf4ece
Opcode Fuzzy Hash: e2ce6b9a11cd0435438574df452fcaf9322123185b74b4c7526ba6be1ab10abc
Instruction Fuzzy Hash: F231A371004340AFEB22CB61CC45FA6FFACEF46710F14499AFA849B182D375A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C01068, Relevance: 1.6, APIs: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05C01115

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce30e1679dab5f43351ef7fbfd59bb215f31da8795a0f632af975d689efa7879
Instruction ID: be7175c6ec94eb1103b56a91d1fbeb0a58a6d7258b0dd82f4127270b79f69aa5
Opcode Fuzzy Hash: ce30e1679dab5f43351ef7fbfd59bb215f31da8795a0f632af975d689efa7879
Instruction Fuzzy Hash: B0318071504380AFE722CF65CC44FA6FFE8EF46610F08889EE9858B292D365E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C02BCC, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05C02C6B

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4cb9fd27deeb488d861591370ce4933d2652174814315b4eaefc8f4364aad397
Instruction ID: bcedd4ad2a2e56f9a572a76267ea049e87fbd6d6aa7fa682c521209019dc7071
Opcode Fuzzy Hash: 4cb9fd27deeb488d861591370ce4933d2652174814315b4eaefc8f4364aad397
Instruction Fuzzy Hash: A631B172504344AFEB228B65DC44F67BFACEF45320F0488AAFA85DB152D224A9098B71

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8B37, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EA8BD8

Memory Dump Source

Source File: 0000000A.00000002.867387495.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38c6d5bdb099d5fe6b49379af561d8d7c488df0f901c94552504b669548c2c35
Instruction ID: 637e1401ad76ca226cfdf3fa103b6fc13c790aef7d72464545aed06185b1ec52
Opcode Fuzzy Hash: 38c6d5bdb099d5fe6b49379af561d8d7c488df0f901c94552504b669548c2c35
Instruction Fuzzy Hash: 6E31BE74A05305CFD709DFA4C858AEDBBB2EB8A345F20946AD006AB351DB359C85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C03125, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C031D9

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 9207223721030231e5a90e053fd4ff9f8b6c6a85ed1433cb0a071597e7df4a87
Instruction ID: 437dc49570ecee9a6e7b3894de41b69129eb4b1e9d1cb15cc4210bb72d759ccc
Opcode Fuzzy Hash: 9207223721030231e5a90e053fd4ff9f8b6c6a85ed1433cb0a071597e7df4a87
Instruction Fuzzy Hash: D7318171109780AFEB228F61CC44F52BFB8EF06710F08889AE9859B162D334A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0115B464, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115B4FE

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: bab24dd119874255f7befd5ebf4e2831e57232d3d3ad671bb1c69b8bade61b6e
Instruction ID: 44afc27f952bc6beedd594527493eac9c8a00e167985820f61138041c5cdc32d
Opcode Fuzzy Hash: bab24dd119874255f7befd5ebf4e2831e57232d3d3ad671bb1c69b8bade61b6e
Instruction Fuzzy Hash: EE31F772409380AFE7128F25DC45F56BFB8EF46324F0884DBEA859F193D265A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C01B59, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05C01BDC

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 84930b7c2f60b108aaab02479eef3fd5e3d5a4377c28ce0f29d18a8b1ce2feb9
Instruction ID: 67df9de2792630407cb85e69e88927583201e19327ecfa851bc86bf6a32cdf8f
Opcode Fuzzy Hash: 84930b7c2f60b108aaab02479eef3fd5e3d5a4377c28ce0f29d18a8b1ce2feb9
Instruction Fuzzy Hash: 18319C7250E3C05FD7138B259C65AA1BFB4EF43220F0D84DBDD858F2A3D2695958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0115A989

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c54e5756457fab93215370c5d4f2ea754945deb887568b9e0e7b93f8f64614c0
Instruction ID: 49e3637b63d3f67895aeb9f84772393619204f98adb98342dd58ef9bc90a68ed
Opcode Fuzzy Hash: c54e5756457fab93215370c5d4f2ea754945deb887568b9e0e7b93f8f64614c0
Instruction Fuzzy Hash: 78319172408744AFE7228B24DC84F66FFBCEF06310F08859BEA859B152D264A848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C023B0, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05C02447

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 19930fbe80ee49265fd69d3de9376cf98d3459f905fcf64f700af9e3de9c3034
Instruction ID: f254aed0e4a72c018166cb63cb450f7630baca50a9a2a817eff74a5902505e3a
Opcode Fuzzy Hash: 19930fbe80ee49265fd69d3de9376cf98d3459f905fcf64f700af9e3de9c3034
Instruction Fuzzy Hash: 11319372504344AFE721CB65DC45F67FFACEF45320F0888ABE984DB152D364A904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0115A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115AA8C

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9e728cfd52084edd6c4d86ec2409e2a97da9d645fe947dfcb9100dbe4117a26e
Instruction ID: 9024429dd77ff707e4ccf4939b096fa8d3895d33c8e28bb95900c0be764b6413
Opcode Fuzzy Hash: 9e728cfd52084edd6c4d86ec2409e2a97da9d645fe947dfcb9100dbe4117a26e
Instruction Fuzzy Hash: 6131B371509784AFE722CB25DC84F52BFF8EF06310F08859AE9858B253D364E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C022B2, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C0235C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f9ac3354c368246b50d22ba855c5796b8aa2a5783a65a612603a77e31ae31f83
Instruction ID: e55c846e34ace2c086ebf8e270109e57cf0bfc785b1898a1988503f148c6707c
Opcode Fuzzy Hash: f9ac3354c368246b50d22ba855c5796b8aa2a5783a65a612603a77e31ae31f83
Instruction Fuzzy Hash: 3D318076509780AFE7228B25DC44F92BFB8EF06314F0884DBE9859B193D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C02648, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05C026FA

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: bcb4d4cba5276ca47db547d463c8837e884031d0684fbc1c4b559c7bbbeb8dde
Instruction ID: f2e68c7cb51f5d38add6f6ae9ff87cf1e78ea2f422dbb17547901a1998ee9434
Opcode Fuzzy Hash: bcb4d4cba5276ca47db547d463c8837e884031d0684fbc1c4b559c7bbbeb8dde
Instruction Fuzzy Hash: 5031E2B2404780AFE722CB24DC44F96FFF8FF06320F04859AE9848B292D364A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C028FD, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05C0299D

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 08da65a00bef8b0f401209b6f5bc3a46fb3cdbf5f2ac252d3be9f50f9c0070ba
Instruction ID: 88ce1a38023d65df1732b92a4b2bd29298412484345ad4532eb58e03cb8edb79
Opcode Fuzzy Hash: 08da65a00bef8b0f401209b6f5bc3a46fb3cdbf5f2ac252d3be9f50f9c0070ba
Instruction Fuzzy Hash: A63193B1509380AFE712CF25DC49F56FFE8EF06210F08849EE9859B292D365E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C02EA2, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05C02F47

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 3e3c5426dafc0c8469c0ce9c6ddd313c61f553d89fe6f8a54260ab4b56b9f63f
Instruction ID: bd66c21a9d1a88d68b1a2a9b09705ca4e3258465687a46190cdf3496cd9b4743
Opcode Fuzzy Hash: 3e3c5426dafc0c8469c0ce9c6ddd313c61f553d89fe6f8a54260ab4b56b9f63f
Instruction Fuzzy Hash: 9621D375100304BFFB21DB24CC89FA6FBACEF44710F10885AFE499A181D6B4A5458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C01740, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C017DC

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9dbf41b39ea983d0b65a3e5f56c39c41405f8900e5515e9ac740e57b5915fed9
Instruction ID: 498214ed9a14965fd820634ea0bb3547dc5cb311c99044fa49c8d8a1afea12e4
Opcode Fuzzy Hash: 9dbf41b39ea983d0b65a3e5f56c39c41405f8900e5515e9ac740e57b5915fed9
Instruction Fuzzy Hash: 11218172509380AFD7228F64DC44F57FFB8EF46710F08889BEA85DB292D264A548C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C0163E, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05C016D2

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 10a2553d947c7eb693800fe39bf2d391d260d3252cdd5b1be515e1d46f894efa
Instruction ID: 1c9a30987cd3225ddad0949dd93725513f399878908f6acfdc36eaa951f828ba
Opcode Fuzzy Hash: 10a2553d947c7eb693800fe39bf2d391d260d3252cdd5b1be515e1d46f894efa
Instruction Fuzzy Hash: A921BF72504340AFE7228F64DC45F6AFFBCEF45720F08889BEE449B282D264A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0115A1C2

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4dc617c9c842c8b52ed43867b82fe29d412bfbae05b0271fae0e99ca4a9f0c6f
Instruction ID: 801239a64faeb46370905fd8c2711d2e5b2708113c57062e1f5ae8ef172e2bc1
Opcode Fuzzy Hash: 4dc617c9c842c8b52ed43867b82fe29d412bfbae05b0271fae0e99ca4a9f0c6f
Instruction Fuzzy Hash: 8931B17140D3C06FD7128B358C55B62BFB4EF87620F1985DBD9C48F293D225A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0115B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115B5EE

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 21c9404ffedd42ea55bcc930dc5feeaafeef2853816045975937046a55b0ac3f
Instruction ID: 8befc4810312e45b6be09de9ef2f24d038377111542067c197b4ec6cfff52cd7
Opcode Fuzzy Hash: 21c9404ffedd42ea55bcc930dc5feeaafeef2853816045975937046a55b0ac3f
Instruction Fuzzy Hash: 8A219171509380AFE712CF25DC44F66BFA8EF46320F0884ABEA45DB252D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00DE8, Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C00E88

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9cbc6978bbe82905218683cf690f0ff75350823b437c562025585a4084b13891
Instruction ID: fb00ef59930930ece84207e2196a154795dbc8388062bd64e2d1fe5eabd1ed39
Opcode Fuzzy Hash: 9cbc6978bbe82905218683cf690f0ff75350823b437c562025585a4084b13891
Instruction Fuzzy Hash: E3219672109780AFD7228B25DC44F53BFBCEF46710F08849AE9859B292D275E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0115B6FA

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 0c50e0fcf704f80aaf0d888a65b77a00b948a331f52b0f80f4dc042762544336
Instruction ID: b4421ae84fc25e64331b998494b8bc6c59969c3102228b47c6ac81973e162be4
Opcode Fuzzy Hash: 0c50e0fcf704f80aaf0d888a65b77a00b948a331f52b0f80f4dc042762544336
Instruction Fuzzy Hash: E921A2715093C06FD712CB65CC55F66BFB4EF87610F0980DBD9848B193D624A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05C02BEE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05C02C6B

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 80f6121f49263579e8a92cda3778f0bc72779320889fa9991277b869cf1f92e1
Instruction ID: 160888e73fabcf6d3b39eb883e569a0be260297823e7173a33de5117bbd2dae9
Opcode Fuzzy Hash: 80f6121f49263579e8a92cda3778f0bc72779320889fa9991277b869cf1f92e1
Instruction Fuzzy Hash: DF21A172500604AFEB21DF65DC89F6BFBACEF04320F14886AEE459B251D670A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 05C0116C, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C01201

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 86e5523a61ad5a3ad971bc11dcc56e96fda7996d547f3b08903baba8d86949bd
Instruction ID: 768128ae1f532b0909827b552845094474ff2cf085503edfe2a2ebb1da4eceb2
Opcode Fuzzy Hash: 86e5523a61ad5a3ad971bc11dcc56e96fda7996d547f3b08903baba8d86949bd
Instruction Fuzzy Hash: A421F5B64097806FE7138B25DC41FA2BFA8EF47720F1884D7EE848B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C02AD8, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C02B61

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 819c8d71da0650e3717976b0dc5a2cf5af73f1ee629984b5f2e5b13eb44f8ebe
Instruction ID: 4c0d57c25e1e4683a788e4ccf9869e5790ed7cf388c828488e2dd1644be01db4
Opcode Fuzzy Hash: 819c8d71da0650e3717976b0dc5a2cf5af73f1ee629984b5f2e5b13eb44f8ebe
Instruction Fuzzy Hash: F121A171105340AFEB228F24DC44F67BFB8EF46310F08849AEA459B292D265A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C0156C, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 05C01612

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 39a8c94af7c430e51dce941b9b40b75c3da29d9e15577773ba8dbf069b94aa35
Instruction ID: 36ca61d4ed9e014592307d2112949bec089ce55b9424683b535590faed995997
Opcode Fuzzy Hash: 39a8c94af7c430e51dce941b9b40b75c3da29d9e15577773ba8dbf069b94aa35
Instruction Fuzzy Hash: F721716550E3C06FC3138B358C55A11BFB4EF87A10F1D81DFD9848B6A3D225A959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05C023D6, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05C02447

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 05d1cd108d3b358ea8f760db1ba8b281d2a78122fdc9cacba1fe1bedbc28d980
Instruction ID: ade043312379fd9f8a57c562440024a198f310e6e9c19f8ef5b613f70c48a4f2
Opcode Fuzzy Hash: 05d1cd108d3b358ea8f760db1ba8b281d2a78122fdc9cacba1fe1bedbc28d980
Instruction Fuzzy Hash: D0219275500204AFEB20DF69DC49F6BFB9CEF44720F14886AED45DB281D660A5048B75

Uniqueness

Uniqueness Score: -1.00%

Function 05C004F0, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05C0058B

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 96179b1f0c3d4996d51a4f9b913e522c35125b905d52713f8e166eb6515a29aa
Instruction ID: 05c3ddd13e142d17091300f7e21901ed30a4d331deb31478ae6fd93697ed729f
Opcode Fuzzy Hash: 96179b1f0c3d4996d51a4f9b913e522c35125b905d52713f8e166eb6515a29aa
Instruction Fuzzy Hash: F621DA71105380AFE722CB14CC45F66FFB8EF46724F1884DAEE855F192D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C01096, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05C01115

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1f488e9891a3d2c5f108bee843d0b7e1be05e30569bfb4c0441c229176e4fa25
Instruction ID: ad7298b9b8406af37ccd3b0309d7473d3a910aad007098298a756f75b181a8c6
Opcode Fuzzy Hash: 1f488e9891a3d2c5f108bee843d0b7e1be05e30569bfb4c0441c229176e4fa25
Instruction Fuzzy Hash: 3D21AC71504640AFEB21DF25CC85F66FBE9FF08720F08886AEA858B281E371E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0115B35E

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2dfb0f538f616f3b56f1bdf5cbf2b9a88e982271e4755b0c01ec6a1595753fc4
Instruction ID: 86ac5448a51e16d61428b31804b69aa32eeab984ec0372ff37fa8fe642e4aee5
Opcode Fuzzy Hash: 2dfb0f538f616f3b56f1bdf5cbf2b9a88e982271e4755b0c01ec6a1595753fc4
Instruction Fuzzy Hash: 0B21C8755093C06FD3138B25DC51F62BFB4EF87A20F0981DBE9848B653D2256919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05C03052, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C030DB

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 81c80c1ba964d6feab14b104b7a9ecaccdaae0ebfcc6746069f6a634f2b05b24
Instruction ID: d3e0300aed64db91f550a132397839b542677b34d551e3e4e4431f37a952b039
Opcode Fuzzy Hash: 81c80c1ba964d6feab14b104b7a9ecaccdaae0ebfcc6746069f6a634f2b05b24
Instruction Fuzzy Hash: E121B3714093C4AFE712CB65DC85F96BFB8EF46714F0884DBEA849F292D264A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 05C00D09, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C00DA0

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2ce3816b5fa07f8bcab833d82313aaf87c0ba8bf83d081e8286bedd08757a67
Instruction ID: 90f20e2fc2db9deaec1d4db80ef5e53f4ca027d3952d2b9341ad733157461500
Opcode Fuzzy Hash: d2ce3816b5fa07f8bcab833d82313aaf87c0ba8bf83d081e8286bedd08757a67
Instruction Fuzzy Hash: 2F21A176504740AFE7228F15DC84F67FFBCEF06310F08849AE9859B292D264E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0115A989

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 315eded16a317931ab336b24535f9ccf48d2b9aee8878a793daac8e29378ea53
Instruction ID: 6042864ade23c179e70e3ea25b2ad9ab440560114497626531af49cddef512f0
Opcode Fuzzy Hash: 315eded16a317931ab336b24535f9ccf48d2b9aee8878a793daac8e29378ea53
Instruction Fuzzy Hash: 08219F76500604EFE7219B59DC44F6BFBACEF14720F14855AEE459B241E760E4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C033EC, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C03481

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 064a79e078cbf892c8a4ba4c4f3b2da518a0367ac4d58abf900e1a3e93b7988e
Instruction ID: 942acad0f393ff575670a7b286c3771ecade628c5c909501c011cef5f5731bb2
Opcode Fuzzy Hash: 064a79e078cbf892c8a4ba4c4f3b2da518a0367ac4d58abf900e1a3e93b7988e
Instruction Fuzzy Hash: 8F21F871408784AFDB228B11DC44F67FFB8EF46314F08849BEA845B153C265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C0165E, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05C016D2

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0373b904f76f10c1aad006d67dfd2382d008697b1a4f58c4c0cda4df19a6c2a7
Instruction ID: e05478248908e4e8fc7d9de7cc85cab71c5c9d948b6408f8a634d8c5bc87e241
Opcode Fuzzy Hash: 0373b904f76f10c1aad006d67dfd2382d008697b1a4f58c4c0cda4df19a6c2a7
Instruction Fuzzy Hash: C0219F71500704AFEB20DF55DC45F6AFBACEF44720F18885AEE459B281D670A505CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05C0331E, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C033A2

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 231980a0f0025b100d2a155e6bdca513d969a9165da5d1a82b4d7d1e8269ca99
Instruction ID: 53ad78b82e33d7e6cd74c50197e51c0f5c93df87f02b632b15486c47370fc3a6
Opcode Fuzzy Hash: 231980a0f0025b100d2a155e6bdca513d969a9165da5d1a82b4d7d1e8269ca99
Instruction Fuzzy Hash: 0C219572404384AFE712CB65DC84F97FFACEF46320F0484ABEA459B252D274A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C0315E, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C031D9

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 547aa19e54f9cc0e20214f2f6d26651de21c0ef9a966a8ba6bcbee8029b334f3
Instruction ID: dde290449a2c94ddc153adb431866119656ea8c75b0976019205787c7ac9ca58
Opcode Fuzzy Hash: 547aa19e54f9cc0e20214f2f6d26651de21c0ef9a966a8ba6bcbee8029b334f3
Instruction Fuzzy Hash: 13217C71100644AFEB21CF55CC84F67FBE8EF49B10F14886AEE469B252D670E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C0292A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05C0299D

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 431530e857657ae34fff3f51a459045ba8d840740da90c22257f3629f1027c0d
Instruction ID: 9f057d24d233c250ba904b09233a7429589e307f404883b104794b3ec7e88e57
Opcode Fuzzy Hash: 431530e857657ae34fff3f51a459045ba8d840740da90c22257f3629f1027c0d
Instruction Fuzzy Hash: 9521D475504200AFEB21DF25DD49F66FBD8EF04320F14846AED858B281D770E504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0115ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0115AD6A

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3f472b41417182a75b722f714729fbfc2a63fd2c4b9312e211f53f7aeae128d6
Instruction ID: 21d2fbff10b783b170f6375a38af30ea4010efdf49418af01275fc6ffc542b5a
Opcode Fuzzy Hash: 3f472b41417182a75b722f714729fbfc2a63fd2c4b9312e211f53f7aeae128d6
Instruction Fuzzy Hash: 4721B0725093809FE7528B25DC95B96BFE8EF06220F0980EADD85CF263D274D808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C0131E, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C0139D

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5f5cee328d21f0b34a426cba7ffa4459a9cbe164004a3ac5d1fd2e2895e439b6
Instruction ID: 45275d5aeb980cc2390dbea125e7df0e76aeb1fc32f6b7af345d2d6a1a258d5c
Opcode Fuzzy Hash: 5f5cee328d21f0b34a426cba7ffa4459a9cbe164004a3ac5d1fd2e2895e439b6
Instruction Fuzzy Hash: E5215072405344AFDB228F55DC85F56FFB8EF46320F08849BEA459B152D265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C034BE, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05C03542

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 22990918cf109adfd83a489d6f721c6237bdf8450b33ace0bf56ead4d64f5ad2
Instruction ID: ea8453aa81483485e7773b6e4cc42dbf5e7baf12f47f7f8b09cb52294c52476c
Opcode Fuzzy Hash: 22990918cf109adfd83a489d6f721c6237bdf8450b33ace0bf56ead4d64f5ad2
Instruction Fuzzy Hash: 282190754093C0AFDB22CF65D884A92FFF4FF0A210F0988DAE9858F163D275A548DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C0176A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C017DC

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: de4feb90684f3e303d888c67e49d4297c1a307b89a9fa9e82c1838c96ae6c422
Instruction ID: 6e57c686c1d2613a3d3705339b94bad4e2587515226b085c36c5d979b7b14524
Opcode Fuzzy Hash: de4feb90684f3e303d888c67e49d4297c1a307b89a9fa9e82c1838c96ae6c422
Instruction Fuzzy Hash: 09216A72500604AEEB21CF59DC85FA7FBECEF45720F18896AEE459B281D660E508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0115AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115AA8C

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 790b9da31cd247520aefab2274f7846a8368b6caf011aabe4955adb03960a20f
Instruction ID: e46fcbd9ac25000e95b22516ca2b02fdc3defb3dfbd296b8fe6e26101e4c9da7
Opcode Fuzzy Hash: 790b9da31cd247520aefab2274f7846a8368b6caf011aabe4955adb03960a20f
Instruction Fuzzy Hash: 9E218C71600604EFEB61CF29DD84F67BBECEF44720F08856AEE559B251E760E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05C01DCB, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C01E4C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 4fc8d2d20c36db01f6676fed4da677c697b1dd5d9c78737d3f17698ec22473a3
Instruction ID: f9e4c626819dc9d4ea01d98a63a48b920e667e9ea13169a96820536fff0fbdf1
Opcode Fuzzy Hash: 4fc8d2d20c36db01f6676fed4da677c697b1dd5d9c78737d3f17698ec22473a3
Instruction Fuzzy Hash: 3421A571408384AFE7128B15DC44F56FFB8EF46324F0884DBEE849B192C265A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C02586, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05C025F1

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 4323188dffeed84359fab9f398ae185f94fd2479460b317a13276f249e3658bb
Instruction ID: 7caf288cbae3d9179375f3e13a385e71a3ad522215f776f671cd24662b93ac1b
Opcode Fuzzy Hash: 4323188dffeed84359fab9f398ae185f94fd2479460b317a13276f249e3658bb
Instruction Fuzzy Hash: BE21C075504600AFEB21DF25CC89F66FBE8EF44720F1484AAEE898B281D771E505CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0115AFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0115B040

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8544df9ab32b635861346f1b33b202ee12836635a8120df7e95856b6d3458a13
Instruction ID: cf12f98dad7c0743ace6d21645a370e3dffe21a102d451b945cbca74843528af
Opcode Fuzzy Hash: 8544df9ab32b635861346f1b33b202ee12836635a8120df7e95856b6d3458a13
Instruction Fuzzy Hash: 6521A1725093C09FDB038B25DC94A92BFB4AF47224F0980DAED858F263D2659908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C01FCE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05C0203A

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: e2e2eb74f1d12451a53d56228791d60e91e5f0d9d408a54036f4236c760cb9ba
Instruction ID: 056961c75bf08e8352e676928ac161dd6eaf4879b5df8237fb3983a87591bbd5
Opcode Fuzzy Hash: e2e2eb74f1d12451a53d56228791d60e91e5f0d9d408a54036f4236c760cb9ba
Instruction Fuzzy Hash: 2A21CF71504700AFEB21DF65DC48F66FBE8EF08324F14895AEE858B281D3B1A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C02686, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05C026FA

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d43989f83e0917c001ac87c8af1d4fe1cb4ef9d764d8eef942983515481c852e
Instruction ID: 09af10c7ef8084bf2f729509e49fb42d7fd1aeb5df17cd98e9ad40d0ac00c8b5
Opcode Fuzzy Hash: d43989f83e0917c001ac87c8af1d4fe1cb4ef9d764d8eef942983515481c852e
Instruction Fuzzy Hash: E021AE71504600AFE721CF69DC88FA6FBE8EF08320F14845AEA859B281D771A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115B5EE

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 40934fd58266b41cc2da6903b75c3daa6b005431e24cad4eefcb3b115411dad3
Instruction ID: 8d0ef1477fb377235dac1d665ddc15ae03fd602ede671e5708ac65eac8e12af6
Opcode Fuzzy Hash: 40934fd58266b41cc2da6903b75c3daa6b005431e24cad4eefcb3b115411dad3
Instruction Fuzzy Hash: 3711BE71504204EFEB25CF29DC85F6ABBA8EF45320F1484ABEE45CB241D7B0E4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C00C40, Relevance: 1.6, APIs: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05C00CAE

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 21cab4f2812a516a94030c2b51d316f3a53383ddd1131598ea0edc823b8323cb
Instruction ID: 51f131a4d8c405b63beea6e2bf75220bf171588e7d6e7b56a0f50cd5975026f0
Opcode Fuzzy Hash: 21cab4f2812a516a94030c2b51d316f3a53383ddd1131598ea0edc823b8323cb
Instruction Fuzzy Hash: EF21A5715093809FD711CF25DC89B56BFE8EF15220F0984ABED45DB253E274D544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115AC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0115ACA8

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7509516cc0f6ca9116760a871501440659e891f80012e01c5fe4bbdcaacb7bf8
Instruction ID: 13424e9f486cabe5cfeba695e3a17bd8fa3ee87701782fe1f36e546c10531537
Opcode Fuzzy Hash: 7509516cc0f6ca9116760a871501440659e891f80012e01c5fe4bbdcaacb7bf8
Instruction Fuzzy Hash: 2C2190754093C0AFEB138B25DC95792BFB4EF07224F0984DBED858F253D2659948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C00ED0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?), ref: 05C00F3C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: da34a572fcf9bb27a9a6674526b3164a0ddc7490c07c157fe9f7eba17a7281af
Instruction ID: eaf2424821e0b28c349f66359d94c8b583bf46e0a38c1b0540c4d062cb6fe735
Opcode Fuzzy Hash: da34a572fcf9bb27a9a6674526b3164a0ddc7490c07c157fe9f7eba17a7281af
Instruction Fuzzy Hash: 9421A1715093C09FD7128B25DC54B52BFA8EF02220F0D84EAED898F2A3D2759948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05C022EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C0235C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 034f4e480d0ec7bb5d9e3ee1d84b166b778d1db1ada825bd266b13dc6e24d97d
Instruction ID: 24450c91c46cefa6209aa0db6ecbead9345b1a8ad4a4efe7b7a411793fa16bc7
Opcode Fuzzy Hash: 034f4e480d0ec7bb5d9e3ee1d84b166b778d1db1ada825bd266b13dc6e24d97d
Instruction Fuzzy Hash: FC11AC76504604AFEB20CF15CC88F67FBECEF04720F08986AEE469B291D660E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00E16, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C00E88

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1ae043621d1e892bacc398e27ab668023836b8b52204c44db3aefd21b1d94ce7
Instruction ID: 822d334715343bd1f4ee47ff400fd4ad15174bf87e0bc27fb5e936437e7578fc
Opcode Fuzzy Hash: 1ae043621d1e892bacc398e27ab668023836b8b52204c44db3aefd21b1d94ce7
Instruction Fuzzy Hash: 4E117C72504604AFEB21CF15DC85FA7FBACEF04720F14886AEE85AB291D670E549CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00D2E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C00DA0

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f332560c4b13a1f700a9af7ea3655640a7827edffa17ddff270f89e5428687ae
Instruction ID: 9d0c062c8a5af6340e5a0052eff06118061c2a9660fc950825f952ce5992c532
Opcode Fuzzy Hash: f332560c4b13a1f700a9af7ea3655640a7827edffa17ddff270f89e5428687ae
Instruction Fuzzy Hash: 76119076500700AFEB21DF15DC85F67FBACEF05720F14886AEE46AB281D664F509CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0115AAFB, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0115AB7E

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 0ab2767c9959830e60358453739622a4c889de6289cdd4a4f513e8d8ceee20eb
Instruction ID: 9df3f233f98de3350663216e3d199b3d6e856a78ff3c16581d632d52f3238d18
Opcode Fuzzy Hash: 0ab2767c9959830e60358453739622a4c889de6289cdd4a4f513e8d8ceee20eb
Instruction Fuzzy Hash: D41196715093807FD312CB25DC45F72BFB8EF86720F19819AED844B652D221B915CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05C02B02, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C02B61

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: aeffc2b4402da13423160f7defcddb78a17261200cf3ee693716f76a4391f9a3
Instruction ID: 2d4d1241dd31e031348ff98d2b8e0578ad7f89b1b26db5a44792f50eddbd3ec1
Opcode Fuzzy Hash: aeffc2b4402da13423160f7defcddb78a17261200cf3ee693716f76a4391f9a3
Instruction Fuzzy Hash: 6D110471500604EFEB21DF65DC85F6BFBA8EF44320F14886BEE468B281D6B0A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00B84, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05C00BEB

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 173ef983d146bf00323a3074565b43a44bbcea84517dacc32b838158dbcff013
Instruction ID: 4c17f6b7ce500770d2484cc199288c592c03f2dc369af962360a24398c9ae3ab
Opcode Fuzzy Hash: 173ef983d146bf00323a3074565b43a44bbcea84517dacc32b838158dbcff013
Instruction Fuzzy Hash: D411B1715083809FDB11CF25DC88B66BFE8EF46220F0984EAED45DB292E274E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C0333E, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C033A2

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 8059078e74e6eec288a335d66ea769b8fbce8b7799e43189c7b95e797378553c
Instruction ID: 3342fa469bc8bf7c4fad89a58674234494319a3db6f0613bf0155ca3adf626b7
Opcode Fuzzy Hash: 8059078e74e6eec288a335d66ea769b8fbce8b7799e43189c7b95e797378553c
Instruction Fuzzy Hash: AB11B271400244EFEB21CF59DC84FABFBACEF45720F14986BEE459B281D674A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 0115B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 0115B4FE

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 812e35a9cb215b0922bffaf5280fa1255285c6b94a73d57fee1617282b829aa7
Instruction ID: 48b8099293a3776aa8bb85909405ece508c142455234925bda79c274267d67d3
Opcode Fuzzy Hash: 812e35a9cb215b0922bffaf5280fa1255285c6b94a73d57fee1617282b829aa7
Instruction Fuzzy Hash: 9911EF71504200EFEB25CF29DC85B6AFBA8EF44320F14846BEE458B241D6B4A4088B72

Uniqueness

Uniqueness Score: -1.00%

Function 0115A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0115A8A8

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3955edb792d3ac46c4ca69b89a06804189db9bd5e2f016af2ca4292d54af9cf2
Instruction ID: 8afc291f7d479a98d5bf48d6d2543c8db1eddf0a27d866490d073009677df8e5
Opcode Fuzzy Hash: 3955edb792d3ac46c4ca69b89a06804189db9bd5e2f016af2ca4292d54af9cf2
Instruction Fuzzy Hash: 4C216A7140D3C4AFDB138B259C94652BFB4DF07224F0980DBDD858F1A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0115A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115A7F6

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e7cae38bf489ba468bdea3fe093b94e8295ba0a99f9ece24dd52382de1187b3
Instruction ID: 18250c557681d16a4467466b13d9fa3f1945630efc97bda9b1ed9c02fb2ae5d2
Opcode Fuzzy Hash: 6e7cae38bf489ba468bdea3fe093b94e8295ba0a99f9ece24dd52382de1187b3
Instruction Fuzzy Hash: DE11A271409380AFDB228F54DC44A62FFF4EF4A220F0885DAEE858B152D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C0133E, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C0139D

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 93e7392dd5f6442d42903ca809e2930c17ab067efc4e2d24f8b78f65aa46fd9a
Instruction ID: 5efb85000e20a9c01d09b310ded2048cd59e9080f634d2ffae51f9f5e93b9e3e
Opcode Fuzzy Hash: 93e7392dd5f6442d42903ca809e2930c17ab067efc4e2d24f8b78f65aa46fd9a
Instruction Fuzzy Hash: 5011C171400604EFEB21CF55DC85F6AFFA8EF45320F18986BEE459B681D2B4A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0115B93A, Relevance: 1.6, APIs: 1, Instructions: 60comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 0115B9B2

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c9e84539eb33d311612a3f5ad4f1863449247a3398db6b90529f524bf5804154
Instruction ID: a2912dd59ce79658d0259a5374ac60b0f7866e0e8b1683fa7d4bea7d775384c5
Opcode Fuzzy Hash: c9e84539eb33d311612a3f5ad4f1863449247a3398db6b90529f524bf5804154
Instruction Fuzzy Hash: 231104715083806FD311CB25CC45F22FFB8EF86620F09818BED884B692D224B815CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05C03082, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C030DB

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 66120893d254bd357f30e13e2abd3841500897deb951799146506854618976a9
Instruction ID: 2a4567dc54a23c50f11b27d43d7807f9170fcb276a20225d4b6b2a14fff11aef
Opcode Fuzzy Hash: 66120893d254bd357f30e13e2abd3841500897deb951799146506854618976a9
Instruction Fuzzy Hash: 1F110271400244AFEB21CF55DC85FA7FBA8EF45B24F1488ABEE489B281D674A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00522, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05C0058B

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab0d5182515408ba5335713d1a7527710e9ea0487c2b3b2459383a4953871024
Instruction ID: f4705d83957e3ddbe02bdaa06eaf8a365da1333c6709649482f4f2ecc2953491
Opcode Fuzzy Hash: ab0d5182515408ba5335713d1a7527710e9ea0487c2b3b2459383a4953871024
Instruction Fuzzy Hash: 91114471100700EFF720DB15CC85FB6FB98EF05720F5484AAEE446B281D2B4A508CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 05C03422, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C03481

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: fa70ca94ee77a0c9bb3d24c0c72e7bcb4cb7f7b88c755b3d7b7a479532ee5c3f
Instruction ID: c0f7437e308c6b482bf61d0687222bb9d094df7b119db47773c16b7e80b31034
Opcode Fuzzy Hash: fa70ca94ee77a0c9bb3d24c0c72e7bcb4cb7f7b88c755b3d7b7a479532ee5c3f
Instruction Fuzzy Hash: 1511EC31000600EFEB228F55CC84F6BFFA8EF04720F14885BEE855A291C274A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05C01836, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05C01894

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a5add2879d570d5bbb2e048d5f86b43b83ce8568a318d6b396cd12fb658c7cc7
Instruction ID: cc7112cb612be8150dbac7347db94ca1c635e60582f69e2070e1b3587e92c6c8
Opcode Fuzzy Hash: a5add2879d570d5bbb2e048d5f86b43b83ce8568a318d6b396cd12fb658c7cc7
Instruction Fuzzy Hash: A6119175509780AFD7128B25DC85B52FFF4EF06220F0D84DAEE858F262D275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0115A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0115A0D5

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 734bdb65eb73f143f23605b84555e8b32116f9e2dc126638b1fc5d39bf96bab6
Instruction ID: 75f8519adb4913c4e47d80ced538d5bd509367f28cde7fbce9b100603bf1593f
Opcode Fuzzy Hash: 734bdb65eb73f143f23605b84555e8b32116f9e2dc126638b1fc5d39bf96bab6
Instruction Fuzzy Hash: A4119171449780AFDB22CF15DC84B52FFB4EF46224F0884DAEE858F253D275A518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05C01DF6, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C01E4C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 750e1399a880ad91a1f729181b870f9cd1aaa2983ecb8d25c902dc3e1e142769
Instruction ID: bb2e94c745d0ddfc34ce8ca7f16886036a8a78f6dfd5f4e501265b4cea40fd89
Opcode Fuzzy Hash: 750e1399a880ad91a1f729181b870f9cd1aaa2983ecb8d25c902dc3e1e142769
Instruction Fuzzy Hash: E8010431400204EFEB20CF15DC89F6AFBA8EF05720F188497EE449B281D274A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00C66, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05C00CAE

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c4c20c3aedccc93aae050b7553671fff5164cb8a4c9ebe0038002d97704dfde7
Instruction ID: 1b3b918dc8035aca997f5b5302f9c0dae9fbe86c56be2d800a0d0735ca59b8ac
Opcode Fuzzy Hash: c4c20c3aedccc93aae050b7553671fff5164cb8a4c9ebe0038002d97704dfde7
Instruction Fuzzy Hash: C811A1716046009FDB10CF2AD889B66FBD8EF04220F18D4AADD4ADB382E674E504CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0115AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0115AD6A

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8b76aa05049eb0d62f7b5f29be395d0caf70c1267771ef392050110c1ac7326f
Instruction ID: bad52daa008575fc8dd6ddbcc474d7c169ecf4a52abab33c9f5102086b2735c1
Opcode Fuzzy Hash: 8b76aa05049eb0d62f7b5f29be395d0caf70c1267771ef392050110c1ac7326f
Instruction Fuzzy Hash: B3118271640200DFEB65DF29E88575AFBD8EF44221F08816ADE49CB242D7B5D404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00BA6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05C00BEB

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 9ab2b0b903a1cae75fcf61374f62588d448a1817e9d58667cc8f180b0c88d991
Instruction ID: 4036ead74d82cc52dd8f47de5381ea7b0dbaaeaf214fb38f07d5c1bdb3ce5f04
Opcode Fuzzy Hash: 9ab2b0b903a1cae75fcf61374f62588d448a1817e9d58667cc8f180b0c88d991
Instruction Fuzzy Hash: 3A11DB716042409FDB10DF29D888B66FBD8EF04324F48D8AADE49DF281E674E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05C011AE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EF95F941,00000000,00000000,00000000,00000000), ref: 05C01201

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2019ab6fb434a7968a39e364edcfaeea17401e858851834fda64ad60900c5868
Instruction ID: ac4d9d267580b7c4257d48b6fded904f111e2a7e0283465ebefc5bae75186d91
Opcode Fuzzy Hash: 2019ab6fb434a7968a39e364edcfaeea17401e858851834fda64ad60900c5868
Instruction Fuzzy Hash: 3001D271504604AEE720CF15DC85F66FBA8EF45720F18849BEE459B281D6B4A548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05C034F6, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05C03542

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: f5864624c43f5d86d936fcfcba6a5df4b501157a30b134a84c2bbcf56b8f2a6f
Instruction ID: 16ff424782d188b4f33e1b6c12cc0a47eb8dad24593cc6f931b014005e0f874f
Opcode Fuzzy Hash: f5864624c43f5d86d936fcfcba6a5df4b501157a30b134a84c2bbcf56b8f2a6f
Instruction Fuzzy Hash: 7B1170714046449FDB21CF55D844B62FBE4FF08721F0889AADE458B661D371E518CF71

Uniqueness

Uniqueness Score: -1.00%

Function 05C00F02, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?), ref: 05C00F3C

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: a2f608b7f06b2addf5f535e0b65f5317a39cb4f2d77ff5e49dcc3f589f827a1b
Instruction ID: bdd8e5707b1fb27ce17fc00d745ea3c8d9089510deafbd7f264ca25872dd4dd7
Opcode Fuzzy Hash: a2f608b7f06b2addf5f535e0b65f5317a39cb4f2d77ff5e49dcc3f589f827a1b
Instruction Fuzzy Hash: EA01B5755046409FD710CF29D889766FBD8EF04220F08D4AADE49DB286D674D604CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0115B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0115B6FA

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 4bfc6524b24fb6e93b15e6517689f8a154b30e0fc0a22640991ef171dcb4c11d
Instruction ID: 97d4613d65e1fc9b3b516f3bd652eb2eda22b21f0c4d65e4c2ef0a34652d69f6
Opcode Fuzzy Hash: 4bfc6524b24fb6e93b15e6517689f8a154b30e0fc0a22640991ef171dcb4c11d
Instruction Fuzzy Hash: 36017176500600AFD710DF16DC86F26FBA8FB88B20F14816AED089B741E371B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0115A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0115A1C2

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: cee96b3e4cba1a55239eae54b6a8cf572c6dd669f81fb95c6a00644a795fcfb5
Instruction ID: a2e60c10fef01b9de08f82df8e8c01643256cf2b0893288ea2146ef8545b90c6
Opcode Fuzzy Hash: cee96b3e4cba1a55239eae54b6a8cf572c6dd669f81fb95c6a00644a795fcfb5
Instruction Fuzzy Hash: 2F017175500600AFD710DF16DC86B26FBA8FB88A20F14816AED089B741E375B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0115A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0115A7F6

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db08e0147f179e664abaa776b881a6b1824cb10941d119329e1ada2b5301aed9
Instruction ID: 8cf266637e36b1d307b900ccb9586eb6bce89334d0cbc2c68647d720265dde69
Opcode Fuzzy Hash: db08e0147f179e664abaa776b881a6b1824cb10941d119329e1ada2b5301aed9
Instruction Fuzzy Hash: B1016D31400600EFDB618F55E844B66FFE4EF48321F08C5AADE494B612E376A459DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05C015C2, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 05C01612

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: a3f365a196ac3a5cc5c83f15901e4f78f20c5b31c058154da184b0488b9c6a45
Instruction ID: 5869222a6447b986e52bad89d279fe3652c11c1ad2357dd037d778ff6f5e637c
Opcode Fuzzy Hash: a3f365a196ac3a5cc5c83f15901e4f78f20c5b31c058154da184b0488b9c6a45
Instruction Fuzzy Hash: 0401AD76600600ABD210DF16DC86F26FBA8FBC8B20F14811AED084B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05C01BAA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05C01BDC

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8a9adce54e890d869f5c32522fa23f070baf02bdf9dcc67fcb57ab116fc082dc
Instruction ID: cc3c2bf2aade190350636b45f9fc599de2c7d41453c0dbdda0b5fbf5adc9bcfc
Opcode Fuzzy Hash: 8a9adce54e890d869f5c32522fa23f070baf02bdf9dcc67fcb57ab116fc082dc
Instruction Fuzzy Hash: E001DF715002009FDB10CF2ADC84766FF94EF45330F08C4ABDE098B282E6B4E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0115B00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0115B040

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0c73b51686fc386bcdaf5da1f3263f09eb649033cc5c1417dd44d28bfe93c4c4
Instruction ID: db12f75e0e4fa4c7a137d45a8c8fdbe629a1ecff5d49dc75d49c1cbaebb44e74
Opcode Fuzzy Hash: 0c73b51686fc386bcdaf5da1f3263f09eb649033cc5c1417dd44d28bfe93c4c4
Instruction Fuzzy Hash: 5601DB31508600DFDB54CF29E888756FFA4EF44220F08C0ABDE5A8B642D6B5A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0115B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0115B35E

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c863e7102326b79fff8924d7eebbfb15cdea0ca7766af497cfb33e3dd579c4b6
Instruction ID: 85d6722d06d00f5a0f0d2b4d104ab0562975211a8055f2710ce50ba92d24fe89
Opcode Fuzzy Hash: c863e7102326b79fff8924d7eebbfb15cdea0ca7766af497cfb33e3dd579c4b6
Instruction Fuzzy Hash: 5201A276500600ABD210DF16DC86F26FBA8FBC8B20F14811AED084B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0115AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0115AB7E

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 4c1616be2b1204f8ea8b0817503adfed957616f79c2bd19807d058ebc11acd26
Instruction ID: 4dd88f6b0a020d37960e99d78e7691f8e49c541aeb17f1586de506485596a0cb
Opcode Fuzzy Hash: 4c1616be2b1204f8ea8b0817503adfed957616f79c2bd19807d058ebc11acd26
Instruction Fuzzy Hash: E901AD76600600ABD210DF16DC86F26FBA8FBC8B20F14811AED084B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0115AC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0115ACA8

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ac986dc6546898f169df86279ea902fb402bc86906931001cd348e15770915ec
Instruction ID: b1817693f5cf143f65fe8ed7ce8a5e01e32bcd60536916ba607f9b017c03c581
Opcode Fuzzy Hash: ac986dc6546898f169df86279ea902fb402bc86906931001cd348e15770915ec
Instruction Fuzzy Hash: D801DF31500240DFDB55CF29E888766FF94EF04220F18C0ABDE0A8F242D2B4A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115B962, Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E2C,?,?), ref: 0115B9B2

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: d2cfe887269fa86e92b0b5ba41d50bd44b6ca33daca9b0c10656f47fc2a0c105
Instruction ID: 3424f2b5914831de1665e2599b832c4e8f4bd4a0c8a6b6bdfaf46d310193b376
Opcode Fuzzy Hash: d2cfe887269fa86e92b0b5ba41d50bd44b6ca33daca9b0c10656f47fc2a0c105
Instruction Fuzzy Hash: 77016D76600600ABD610DF16DC86F26FBA8FBC8B20F14815AED085B741E375F956CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0115A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0115A0D5

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 1431c973c914f71c3c1648a81844561795ef1cf10ff4af57b79da368f8d1510e
Instruction ID: 39c9577b907cdf661aac851a94815275aad9ee59af19d6272eb13a2db5de5679
Opcode Fuzzy Hash: 1431c973c914f71c3c1648a81844561795ef1cf10ff4af57b79da368f8d1510e
Instruction Fuzzy Hash: 18019E31440640DFDB65CF59E884B56FFA4EF44320F0885AADE498B212D375A048CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05C01862, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05C01894

Memory Dump Source

Source File: 0000000A.00000002.871986817.0000000005C00000.00000040.00000001.sdmp, Offset: 05C00000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e8a5020c494475967cf078a219b580359baf70c7487bbea7477e7293f0b004c3
Instruction ID: e00cea43de5a62a2e8af53fb2dce6700d38ff47c5909dd5d93f86c4fb5a688d7
Opcode Fuzzy Hash: e8a5020c494475967cf078a219b580359baf70c7487bbea7477e7293f0b004c3
Instruction Fuzzy Hash: 9E01D135900640DFDB10CF1ADC84766FFD4EF04320F08D5AADE498B292D2B5A548CE62

Uniqueness

Uniqueness Score: -1.00%

Function 0115A47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0115A4AC

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 93f094aab3bde662318410ed401493c44ae321bd40aed870051a83e0ba38ab8d
Instruction ID: c74c0c6a19a6906b6dd79f173608e69c846b7fca3879f6c29c604a2dad904526
Opcode Fuzzy Hash: 93f094aab3bde662318410ed401493c44ae321bd40aed870051a83e0ba38ab8d
Instruction Fuzzy Hash: 3401AD30804244DFDB55CF59E888766FFE4EF44220F18C1AADE498F206D3B9A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0115A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0115A8A8

Memory Dump Source

Source File: 0000000A.00000002.868149589.000000000115A000.00000040.00000001.sdmp, Offset: 0115A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2302bcb36a24a570981580ba7e230fba20daef5f9fdc35cfb8bfc46a88c13f97
Instruction ID: 995239e364fdc5363c861073866f1435b709fbd02fbda8c940e74755040b7f41
Opcode Fuzzy Hash: 2302bcb36a24a570981580ba7e230fba20daef5f9fdc35cfb8bfc46a88c13f97
Instruction Fuzzy Hash: 67F0AF34804A44DFDB65CF19E888762FFA4EF04321F18C1AADE494B256D3B5A449CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01454D38, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

tq, xrefs: 01454E69

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: tq
API String ID: 0-2372698852
Opcode ID: f28d962062387b1d769f57ef9f23861008cdd66462c4c201b9e5127c44adc91b
Instruction ID: a1a6d1af810ad705f3683cc0ad10e5c9fabe17e8f1adf1ff968ef9adbc272826
Opcode Fuzzy Hash: f28d962062387b1d769f57ef9f23861008cdd66462c4c201b9e5127c44adc91b
Instruction Fuzzy Hash: D3A14D35A00204DFCB59AFB8C4546ADBBB7AF88300F24842AE506AB3A8DF35DD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01454570, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 014545F3

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: de637f2265a6a6a3ea9f122ec333521a4883c3f4bcd233386c4bebf69f363d03
Instruction ID: e80205b180b44442b628a7f02d09044838dd7fa6ae9398097532b69b5bb16d1b
Opcode Fuzzy Hash: de637f2265a6a6a3ea9f122ec333521a4883c3f4bcd233386c4bebf69f363d03
Instruction Fuzzy Hash: DA71A230B001509BEF6556BCC840BAE3EDADB89314F14483BE519DB7A6EE79CDC18762

Uniqueness

Uniqueness Score: -1.00%

Function 01454580, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 014545F3

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 38bb08e5fe9d2e618f5d94a66194638ac48d76adec258a5c74103590d294ce95
Instruction ID: 9a56f7799b10d1ab33de1f4a22aedbee70d3be9df063ee83163e42642f699812
Opcode Fuzzy Hash: 38bb08e5fe9d2e618f5d94a66194638ac48d76adec258a5c74103590d294ce95
Instruction Fuzzy Hash: 68717130B000109BEF655ABCC444BAE3DDADB89304F54483BE519CB7A6EEB9CDC18762

Uniqueness

Uniqueness Score: -1.00%

Function 01456F11, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

\, xrefs: 01456F59

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 039d0b6e7dfcb1fc61d49ea3d716579073120b301b1c20523f0330abe6cc9552
Instruction ID: 5831ef245a66db3afd6eabdf6671725d9763f712e89c8a30ac853ad40b904d88
Opcode Fuzzy Hash: 039d0b6e7dfcb1fc61d49ea3d716579073120b301b1c20523f0330abe6cc9552
Instruction Fuzzy Hash: 3F71A175A00219CFCB44DFA8C854AAFBBF6FF88300F41846AE905A73A1D735D901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01455398, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 01455450

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: c6f1dc45f9d2d8f81f1b73b768a21648304006d9bc65fc68b74468a70ef8533c
Instruction ID: d186a977eceec95c858729a6dba7f6b92851f5583452c7ad3689d5e72c1db440
Opcode Fuzzy Hash: c6f1dc45f9d2d8f81f1b73b768a21648304006d9bc65fc68b74468a70ef8533c
Instruction Fuzzy Hash: 87517F35B00104DFCB58ABB8D858AAE7BF6AF88310B11443AE50ADB375EF359C428B51

Uniqueness

Uniqueness Score: -1.00%

Function 01456C6D, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 01456CA5

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID: f]Ir
API String ID: 0-3302829692
Opcode ID: acff96cd42f84b89d08617bd59b00cf17e10460c56d7d519484d7aa02a7c6cd2
Instruction ID: 84cb73ca0f319d5076adc53ae7fc62bf731485a7d6c0e7a44ab712f0586e5c92
Opcode Fuzzy Hash: acff96cd42f84b89d08617bd59b00cf17e10460c56d7d519484d7aa02a7c6cd2
Instruction Fuzzy Hash: C2317F306086419BD355DB2ED44072BBBE2EBC0310F968D2EE999CB3A2D774DC8A8751

Uniqueness

Uniqueness Score: -1.00%

Function 01457348, Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706f71d33788e92a3252d20c25bf2c383f2967f6fba5a3984d0248fda336324f
Instruction ID: f6eaf2187f8a39e4b44f16aac1d37a6da1e4f250d44dc6004b6c6365a638d852
Opcode Fuzzy Hash: 706f71d33788e92a3252d20c25bf2c383f2967f6fba5a3984d0248fda336324f
Instruction Fuzzy Hash: 3C12B034B002058FEB658B3CC484B6E7BE2EB89301F64447AE949DB3A2DA36DC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01453BA8, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86a2b3ec10595dba3d24f03c0d6b828c8515ddd4087a686740cc5a8d26c5832
Instruction ID: 9095f34eb1646e4b61292fea741b43440ee366c2c8f14e861f2bcb94a95d532c
Opcode Fuzzy Hash: f86a2b3ec10595dba3d24f03c0d6b828c8515ddd4087a686740cc5a8d26c5832
Instruction Fuzzy Hash: EE02B131B00245CFCB45DBB8C4546AEBBF2AF84354F24856AE805DB3A6EB35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01457AF8, Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc544ea8960a69126435c255e9f16c5de7d428242fe890c0096cc9c34e1122bd
Instruction ID: f7e4d0a1fde91a0b8595fad6094e3f197f267cc82becc4712eb52b77bf95a9fc
Opcode Fuzzy Hash: dc544ea8960a69126435c255e9f16c5de7d428242fe890c0096cc9c34e1122bd
Instruction Fuzzy Hash: 30025874A002059FDB65CB69C484BAEBBB2EB49321F61456AE905DB3A3CB34DC84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01455808, Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9711df0861ec0e1f66de4c4d315ea17c2e1b7faf8317c01137fe4dce7ef82a52
Instruction ID: 10c3c4a2e17ddc0d7a56fa451662bfeae02378ddc0ab0e0991f66aedabbd02f6
Opcode Fuzzy Hash: 9711df0861ec0e1f66de4c4d315ea17c2e1b7faf8317c01137fe4dce7ef82a52
Instruction Fuzzy Hash: 93F17E70F002249FEB15AB789850B6EBAE7EFC4704F14406BD805EB3D5DE74AD868B94

Uniqueness

Uniqueness Score: -1.00%

Function 01457A18, Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe8612a3a3a9c7ab501c0944d1648a9035849d934b98a6a2301afb6e21803d8
Instruction ID: 779d4d9f15ab85718a077c6571264893aefc212c0a1f73c44d02daad7523305c
Opcode Fuzzy Hash: 7fe8612a3a3a9c7ab501c0944d1648a9035849d934b98a6a2301afb6e21803d8
Instruction Fuzzy Hash: 93E13A35A002058FDB65CB5CC484AAEBBB2EF49321FA5846AE915DB363CB34DD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01456767, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6b6d21f37cd28906519b7df85a662577303d44e264b0789e12b2ba9811713f
Instruction ID: 8210c70fab6d15acffb665e3014716b7322221adcc0735e3203aae42ee0ef9a2
Opcode Fuzzy Hash: bf6b6d21f37cd28906519b7df85a662577303d44e264b0789e12b2ba9811713f
Instruction Fuzzy Hash: 16A10B31F006245BDF44ABF8885866F7BE39FC8750F15882AD905EB395EEB5DC028781

Uniqueness

Uniqueness Score: -1.00%

Function 01453350, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0050f413272da405fb9390e3a746a9ca9e1e4d064487d7f68df45a36deb63480
Instruction ID: 6cd960dc13ebe1d65b4f4dc354ff8ddff225350d5328ef7e095744aac5fc6246
Opcode Fuzzy Hash: 0050f413272da405fb9390e3a746a9ca9e1e4d064487d7f68df45a36deb63480
Instruction Fuzzy Hash: 3DB14F31B012158FDB58AB79C45476EBAE3AFC8340F2044B9D90ADB3A5EF758D82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01456778, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7fd365c7f5092252c0d01fb5a2e514e1a6283f362d739968e146bfe4f5dbbc
Instruction ID: a0fefb6d7da9fbf98a62c5438566df7afb893d6276133c498c389e6633a5a6bc
Opcode Fuzzy Hash: 9b7fd365c7f5092252c0d01fb5a2e514e1a6283f362d739968e146bfe4f5dbbc
Instruction Fuzzy Hash: C691DA31F006245BDF44ABF9885866F7BE3AFC8740F15882AD905EB395EEB5DC028785

Uniqueness

Uniqueness Score: -1.00%

Function 01454898, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8ba5b86da11d03c0cc338c826c5c640961d6a77d403c2efb4b3ec8d2bec8d2
Instruction ID: 559fb0f38708d7a1123211e27474d15d0c85821c7d65af6b349f90b80c24af21
Opcode Fuzzy Hash: 9f8ba5b86da11d03c0cc338c826c5c640961d6a77d403c2efb4b3ec8d2bec8d2
Instruction Fuzzy Hash: 7491FF30B043418FD7969B7894597BE7BE29B85304F1884BBD909DF3A2EA35CC56CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014571B9, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3353eca04702853b1fc40e9e43b4293f7fe5ac130308afa2529dfd45fafce96
Instruction ID: 3f26c81ec2b2d6479b10211a63e4011fd353a9722758494a37083561fac744a5
Opcode Fuzzy Hash: a3353eca04702853b1fc40e9e43b4293f7fe5ac130308afa2529dfd45fafce96
Instruction Fuzzy Hash: D0719D74600216CFCB55CF29C880AAEBBB2FF89315F54856AEC09CB362D731D842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01458100, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74cd92e2bd183be847be83bde058acf88798dbf130b5b49b0b0c950f4ea9bce
Instruction ID: 75337176864c4e3490dfb3955c12195b82b816e382a7aeb37fcde36eb34387f8
Opcode Fuzzy Hash: e74cd92e2bd183be847be83bde058acf88798dbf130b5b49b0b0c950f4ea9bce
Instruction Fuzzy Hash: 9C715A70A005068FEB75CB6EC884A6FBBB1FB45250F144A2AE846D7773DB31D984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014543A8, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4893d876cb58fc7590a790ae251928785451f061ba29269fda15d7f45bb32
Instruction ID: 9a8fceaea0113883e951ead321d35f33a70c3276777c06a85ecf00e9adf7ad9d
Opcode Fuzzy Hash: 3ef4893d876cb58fc7590a790ae251928785451f061ba29269fda15d7f45bb32
Instruction Fuzzy Hash: E4518430B493819FD7469779882476A3FF69F82214F1985FBC449CF6A3EA38CC468752

Uniqueness

Uniqueness Score: -1.00%

Function 01456B17, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4b218ad89e4828709aef6900144169697c8748a7abfb53d718edc9116a0ff7
Instruction ID: ebf774814c35e64524ee45170fcef135506a215c102250520177ad86d8681783
Opcode Fuzzy Hash: 3a4b218ad89e4828709aef6900144169697c8748a7abfb53d718edc9116a0ff7
Instruction Fuzzy Hash: A841D130A083958FDB668B39C8587AB3FF2EB45310F5644ABD845EB2E2C7748C49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014570B0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c802935f6a73b430c3ef3bbf55ebda7a308a6f1a3a2d72b13e27626719ddea4
Instruction ID: 8bcae7cb2e25869dce01459e229ac211a814b5ffd1f4d4ecbe7084e09e2d5183
Opcode Fuzzy Hash: 7c802935f6a73b430c3ef3bbf55ebda7a308a6f1a3a2d72b13e27626719ddea4
Instruction Fuzzy Hash: 92318135A01259DFCF169FB8C8049DE7BB2FF89310B004566E905DB2B2E7328955DB91

Uniqueness

Uniqueness Score: -1.00%

Function 014531E0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a795072a517b52f4087bdad948810a3cc77ab5f51f316d8958204de049688f7
Instruction ID: 5852d458e74e57073821d4ac5d9928eca465365ab88651ac71d8ad8573c961dc
Opcode Fuzzy Hash: 9a795072a517b52f4087bdad948810a3cc77ab5f51f316d8958204de049688f7
Instruction Fuzzy Hash: 6E210431F056448FCB81EBBCD8545AE7BF6AF89344B2480A7D409D7392EA34CD06C792

Uniqueness

Uniqueness Score: -1.00%

Function 01453300, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fa8a8697efc2c6ea7e38806ad5c46de8b67b7ef118e8e49d4a382451de68c2
Instruction ID: 8d0a595a705e65fe8aa4b2e1d1691f3a73ff8d01320cd8bb5835355555c8899a
Opcode Fuzzy Hash: f0fa8a8697efc2c6ea7e38806ad5c46de8b67b7ef118e8e49d4a382451de68c2
Instruction Fuzzy Hash: 8D21FF31B043848FDB45AB7998143BE7BE29B80340F0444B7E909C7393EE348D05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01455661, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5d503b059775784a85286df084d49e7909735c0b40aca77af97e6857d56c2f
Instruction ID: faa744f39d7c4212f93e3c9adc372e2542211f9d8fcf50f4806b21489d254137
Opcode Fuzzy Hash: 6f5d503b059775784a85286df084d49e7909735c0b40aca77af97e6857d56c2f
Instruction Fuzzy Hash: EA11B634B002509FDB62663DE8543AE3A69E785320F110927EC1EDF3E3EA38CC854761

Uniqueness

Uniqueness Score: -1.00%

Function 05C12F8A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.872010322.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8844b756908ace6758dad9f08ab3348fb341c70b24f3c7ab4a585503804a0f9a
Instruction ID: 9381406a40fc9138c438066e7070e6a3698ad537fbe6fc037f74d733d2567b16
Opcode Fuzzy Hash: 8844b756908ace6758dad9f08ab3348fb341c70b24f3c7ab4a585503804a0f9a
Instruction Fuzzy Hash: 7221E4B5608341AFD340CF19D880A5BFBE4FF89664F04896EF98897311E270E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01140726, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868087646.0000000001140000.00000040.00000040.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dce457a591a5d1413a95fdb45869e5c4b2dc7044ef2108fb986397aa4ceaf97
Instruction ID: 0512ca175c319dba7d7b5b1ed589fc02fe395892f0f3b89949ced6829de8972e
Opcode Fuzzy Hash: 8dce457a591a5d1413a95fdb45869e5c4b2dc7044ef2108fb986397aa4ceaf97
Instruction Fuzzy Hash: B0213A3510D6C49FC707DB24C890B55BFB1AF8A718F1985DAD8849B663C33A9807DB92

Uniqueness

Uniqueness Score: -1.00%

Function 05C139FC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.872010322.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc042d7ef494701e625859cbcf32dda8d8730075e5379b8887c74c93fce28e29
Instruction ID: 89def114892d6874d0d33a28801f8e51205c2ad12a35b87e180124fb0cdfd000
Opcode Fuzzy Hash: dc042d7ef494701e625859cbcf32dda8d8730075e5379b8887c74c93fce28e29
Instruction Fuzzy Hash: 7F11BAB5608301AFD340CF19D880A5BFBE4FB88664F14896EF998D7311D371EA148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0114075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868087646.0000000001140000.00000040.00000040.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3107f77556369d7748b391d16cb98d00c6945f08bbba9326f475c4849b6f0c13
Instruction ID: 0a6a257d110046c2804cafd899a56714ef1a8500ae3520f9d644916aff7c2dfb
Opcode Fuzzy Hash: 3107f77556369d7748b391d16cb98d00c6945f08bbba9326f475c4849b6f0c13
Instruction Fuzzy Hash: 9911E734204644DFD309CB15C980F66BB91AB8DB19F24C59CFA891B643C77BD803CE52

Uniqueness

Uniqueness Score: -1.00%

Function 01453110, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc4f97ee91c52eb7973bfe76c3c6c79b9f38d9307fcfec56926e215d6d6a261
Instruction ID: 8493d7a0bdaad143f0ec0c2a20b4e708cdb7a4082204890c220c09028ff32d2c
Opcode Fuzzy Hash: 4fc4f97ee91c52eb7973bfe76c3c6c79b9f38d9307fcfec56926e215d6d6a261
Instruction Fuzzy Hash: 7F115B31F005189F8B84EFBDD9445AEBBF6EB8C650B20406AD509E3350EB349D028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 014541A8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5990ab594e0b3f659ba41b1be5a9f45ffc1b903f5a8134661f5dec702e93f271
Instruction ID: 90061e668398b6770ad87375986f74efedbbd502c8491be24d6ef694d8848458
Opcode Fuzzy Hash: 5990ab594e0b3f659ba41b1be5a9f45ffc1b903f5a8134661f5dec702e93f271
Instruction Fuzzy Hash: 37115B31F005288F8B84EBBDD8545AEBBF6EBCC250B60812AD509E7350EF349D428B95

Uniqueness

Uniqueness Score: -1.00%

Function 01453230, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078aecb2112151d01c287eaf69916c1bbb3787c51e19454967eedc8e76180191
Instruction ID: 0fbb947283b5e9368b01f2ab681f7f6f29356f52d549bee232cde4f6b9bb9b25
Opcode Fuzzy Hash: 078aecb2112151d01c287eaf69916c1bbb3787c51e19454967eedc8e76180191
Instruction Fuzzy Hash: 0F116D35F005188F8B84EFBDD8445AEBBF6EF8C250B60803AD509E3350EB759D028B95

Uniqueness

Uniqueness Score: -1.00%

Function 01455759, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa3996c2f2b37a9d84435ab4b1abe44ce0654d312418768da166439e4beb109
Instruction ID: 631b139df6ed01ad020ecbc4312679475aacf76885e6a07c2d8a458616c13fdf
Opcode Fuzzy Hash: cfa3996c2f2b37a9d84435ab4b1abe44ce0654d312418768da166439e4beb109
Instruction Fuzzy Hash: E8116D70A00209DFCB90DFB9D884BBEBBE5EB84210F14407BD909DB662E77599018B91

Uniqueness

Uniqueness Score: -1.00%

Function 01455768, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0b746f4491fb14a4cbca252e1d3832ae77a76417f43bb6e8441b592d18e8cf
Instruction ID: 4a1c60286097b1cd0e8b4664e5752c8584924b2bc7262ecae6379e83c9e04f1f
Opcode Fuzzy Hash: fb0b746f4491fb14a4cbca252e1d3832ae77a76417f43bb6e8441b592d18e8cf
Instruction Fuzzy Hash: C8014CB0A002059FDB94EFBAD844BBFBBE9EB44214F20443BD919DB651EB71A9408791

Uniqueness

Uniqueness Score: -1.00%

Function 014544E8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04385e0183b246f94e3069d80dc040419a80aa482494ca31a4aca13454407164
Instruction ID: c25ae8fc215ed204b934794f2df4214215919e055633ab232f830c2fea5e3e72
Opcode Fuzzy Hash: 04385e0183b246f94e3069d80dc040419a80aa482494ca31a4aca13454407164
Instruction Fuzzy Hash: 8B011232F002145BCB54EBFD89146AF67DB9BC4228B258C79D419CB351FE35DC428795

Uniqueness

Uniqueness Score: -1.00%

Function 011405D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868087646.0000000001140000.00000040.00000040.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4e5c435d8bb3502031655c5b9cc439c5bc24cb4285b5e3d18467ae8f79f8b9
Instruction ID: 414886b9cf10f5e529d48a5d01897a09ccce80d8cde2d7284175957a9822a96d
Opcode Fuzzy Hash: 8e4e5c435d8bb3502031655c5b9cc439c5bc24cb4285b5e3d18467ae8f79f8b9
Instruction Fuzzy Hash: B301A7765097806FD7128B16DC41862FFB8EE86220709C09FED498B612D125B809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01456BC8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e436859f4299eee39e023e278240c73772d37b6e3acc54ee37b1bf6e53430c
Instruction ID: c091c10a7387a561d039872dd9b85b254507bcb53787cf83d44691993c75cf0a
Opcode Fuzzy Hash: 58e436859f4299eee39e023e278240c73772d37b6e3acc54ee37b1bf6e53430c
Instruction Fuzzy Hash: 27015770E00219DBCB659F69C95CB9F7FF8EB08220F55046AD906F7391CA749C84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01455388, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c9c515bcee76585c377b75185f6e2192733c7dd575bcda546337cfc2bac6b1
Instruction ID: e8eb728d9457ef9fba1723e9c02f174ab96021886c6b33a14ce29a8dbba72718
Opcode Fuzzy Hash: 51c9c515bcee76585c377b75185f6e2192733c7dd575bcda546337cfc2bac6b1
Instruction Fuzzy Hash: F901A730B143449FC794DBB9E498AAE7BF5EB85210F00007AE91ADB372EB355805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01454B66, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534ed25adf36964edee10b8b6eb9ada784dad6f544ce4a6f6ece2fbb58cfd6ae
Instruction ID: 8bd8ecaf127b167aea8433e08a42ea369696da083447baee05a6671ea195bfc5
Opcode Fuzzy Hash: 534ed25adf36964edee10b8b6eb9ada784dad6f544ce4a6f6ece2fbb58cfd6ae
Instruction Fuzzy Hash: F4F0F632E00510CBCB54BBBCF44426CB7F1AB84214F150D6ED9599B355EF314E64C382

Uniqueness

Uniqueness Score: -1.00%

Function 01140818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868087646.0000000001140000.00000040.00000040.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 92fd7d761f525d2715611e27df725622cfb0cdd2d22cd17cb2c8a620aea42dfc
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 18F01D35104644DFC306CF44D940B55FBA2EB89718F24C6ADE9890B752C337E813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 011405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868087646.0000000001140000.00000040.00000040.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c768c3909104fbdaf10d24e73974ff50b6ef217ab44b84e161b907e173fae5f
Instruction ID: 97e0daa456f17ca9239f11fad96cee6438c030f016b6479f873386d06b14c622
Opcode Fuzzy Hash: 0c768c3909104fbdaf10d24e73974ff50b6ef217ab44b84e161b907e173fae5f
Instruction Fuzzy Hash: CDE09276604A009BD650CF0BEC81452F7D8EB88630B18C07FDD0D8B700E135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C12FFF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.872010322.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ed0f6c98260462b38a417e92b20f5520674e663dec837d4cda69c7641f4e82
Instruction ID: 6e204c7fe1c3321756fb7675b6a9411f0edf0983d19c7408a9a193da312afd5c
Opcode Fuzzy Hash: 17ed0f6c98260462b38a417e92b20f5520674e663dec837d4cda69c7641f4e82
Instruction Fuzzy Hash: C0E0D87260170067D2108F069C85B53FB98EB84A30F14C557EE081F342E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05C13A67, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.872010322.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87689b778b9df600e923eb93a2d45e6392fb5e02ad06183d631f9d951d2c323
Instruction ID: 4dab7315a1f593bf8b54c1e8fa0344f2e2b6de68009c5e806b907c85b498ea94
Opcode Fuzzy Hash: e87689b778b9df600e923eb93a2d45e6392fb5e02ad06183d631f9d951d2c323
Instruction Fuzzy Hash: 2AE0D8B254070067D2108F069C85B53FB98EB94A30F14C56BEE081B341E171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05C13313, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.872010322.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ef34f72cb6c384ee3e2e9103e3937a0e34f957ca1713ba3105b0eea7df4db1
Instruction ID: a78b11b5d806c1a68e4cb28be365773709700502c7ed21c4c7a44ebd4855afca
Opcode Fuzzy Hash: b5ef34f72cb6c384ee3e2e9103e3937a0e34f957ca1713ba3105b0eea7df4db1
Instruction Fuzzy Hash: 48E0D87290060067D210DF069C85B53FB98EB84A30F14C557EE091B301E172B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 0145316F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b774abd621331b76f50bdbbb17488b1dbd74a4cf6ae0117207d1b72f4dba5c3d
Instruction ID: ec383b3a124af0bc2863e4cd9e347b4861fe73d3d3227782ad9bf1a809e58673
Opcode Fuzzy Hash: b774abd621331b76f50bdbbb17488b1dbd74a4cf6ae0117207d1b72f4dba5c3d
Instruction Fuzzy Hash: E0E0E535F044288FCF44EBB8E9984DDB3F6AF8822476048B6D519E7250EE359E129B61

Uniqueness

Uniqueness Score: -1.00%

Function 01454207, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef65bdbce4ca2bec5231eac7feb1210709a93171a393fad0f31cc58f3e331a7e
Instruction ID: 307240d0b376f387b3a4b270ac6fd9c7d567024c3eeb48d9a631c4e24b82c252
Opcode Fuzzy Hash: ef65bdbce4ca2bec5231eac7feb1210709a93171a393fad0f31cc58f3e331a7e
Instruction Fuzzy Hash: 68E06536F004288F8B40EBF8E8984DDB3F2EF882207208476D519E7250EE359E028B21

Uniqueness

Uniqueness Score: -1.00%

Function 0145328F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e9f51360bc6463edc749eb714078255727075c21267ac93c4df2e9557d9737
Instruction ID: cf6eca508bd6880deb7ee0bb2e42969eb652aef4b95b9f0ab37bdd90d0cba722
Opcode Fuzzy Hash: 84e9f51360bc6463edc749eb714078255727075c21267ac93c4df2e9557d9737
Instruction Fuzzy Hash: 63E06D35F004248F8B00EBF8E4444DDB3F1AF882247204476D509E3250DF359D018B21

Uniqueness

Uniqueness Score: -1.00%

Function 01455620, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764c714cb82f6a77a02788f8bf4bf36a75ae5fb25c3d3941056e08c8aba7a2b5
Instruction ID: e9e00dd0aef609339ae83e173cd5aaa55aa4ec261d0bd0630b0ae98c9d7299bb
Opcode Fuzzy Hash: 764c714cb82f6a77a02788f8bf4bf36a75ae5fb25c3d3941056e08c8aba7a2b5
Instruction Fuzzy Hash: D5E0C72050E7C89FC303F3389C204883FA9AE83700BCA45EBD2A08A0E6CB5C094D8763

Uniqueness

Uniqueness Score: -1.00%

Function 011523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868116776.0000000001152000.00000040.00000001.sdmp, Offset: 01152000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f676e4b6e29e106ccd176f49fcf723d97cf5b1cda8c0ea860d49acbc71628d5c
Instruction ID: 0686062eb5ec2e0a96be0f2bfca8398001439a53c852000fcee816182e76854e
Opcode Fuzzy Hash: f676e4b6e29e106ccd176f49fcf723d97cf5b1cda8c0ea860d49acbc71628d5c
Instruction Fuzzy Hash: FAD05E7A315A81CFE32A8A1CC1A8B953FA4AB51B04F5644FDEC008B663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 011523BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868116776.0000000001152000.00000040.00000001.sdmp, Offset: 01152000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430381891b90931f41628614b5d3d0bbd5e0db16a0d15c34bf3ee0e6b5654c2b
Instruction ID: 73ba30030e77b85fc3ea07221dd7bd5040f169912708a6590b564f92c98051ec
Opcode Fuzzy Hash: 430381891b90931f41628614b5d3d0bbd5e0db16a0d15c34bf3ee0e6b5654c2b
Instruction Fuzzy Hash: D8D05E35204281CFD759DB0CC594F593BD4AB45B00F0644E8AD108B662C3B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 014580E2, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.868403304.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14411cdf5814ae4a5c9d14a02cb0b7d729578590821543d2a8a421146c838db
Instruction ID: 649374a875028050ca1f03cc489aaabf6cb6dd624ce6a24aa17006210035ee6b
Opcode Fuzzy Hash: c14411cdf5814ae4a5c9d14a02cb0b7d729578590821543d2a8a421146c838db
Instruction Fuzzy Hash: 3FD012B011ABD28FDBA717335D1011E3E64AD425217068697CA25C61F3DE35C046C757

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: hmltog.exe PID: 4328 Parent PID: 3440 hmltog.exeCOMMON

Executed Functions

Function 02CFAAD6, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,5E093C95,00000000,00000000,00000000,00000000), ref: 02CFAB69

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b4ef0cedff2a1283c29572e87523f4a46c98021b3bbd535b827ea3f23acc8e2b
Instruction ID: 37632c59d677c5f96cd08905e4a56f367c2b15484bbee52e57d90b7b5d1023be
Opcode Fuzzy Hash: b4ef0cedff2a1283c29572e87523f4a46c98021b3bbd535b827ea3f23acc8e2b
Instruction Fuzzy Hash: FD216071409380AFE7128F65DC55F96BFB8EF46310F0884DBEA849F153D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA960, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 02CFA9F6

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: d87c5ed40dda0bc51859b94e30c10f2f799d09dadef0fa797b8edab513804cf8
Instruction ID: 263b76543c07030e06bffb7ee63365590baf2cba8f94f7d50debc6bae0c9b3c8
Opcode Fuzzy Hash: d87c5ed40dda0bc51859b94e30c10f2f799d09dadef0fa797b8edab513804cf8
Instruction Fuzzy Hash: 5E2195754097806FD3138B259C51B62BFB4EF87B10F0981DBE8848B653D224A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA533, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 02CFA5A7

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 34a135be29ee144b72b6d7fb542f28d3c0c9a68e0f584db8a42c8c11f404c880
Instruction ID: c1e6038d1fff3c5a29a71a137264962ba3db4ce8f589334a2ffe9be8d603296e
Opcode Fuzzy Hash: 34a135be29ee144b72b6d7fb542f28d3c0c9a68e0f584db8a42c8c11f404c880
Instruction Fuzzy Hash: 3B218EB24093849FD752CF25DC45B52BFA8EF46214F0980DAED888F263E274A509DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 02CFA269

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: d9bb45ec1e8048b291bea55601d2ca7fa401bccf735dcba12f0587827e638a7c
Instruction ID: eb13f96c2e7e6ec314a29da049b06b109658f4043290549fe645c34b08181bbf
Opcode Fuzzy Hash: d9bb45ec1e8048b291bea55601d2ca7fa401bccf735dcba12f0587827e638a7c
Instruction Fuzzy Hash: 5C216D7540D7C49FD7138B258C95A52BFB4EF47220F0E80DBD9888F1A3D369A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CFAB0A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,5E093C95,00000000,00000000,00000000,00000000), ref: 02CFAB69

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 91cd2edb4dfc0451398fb967d99a8853095d687fc6ac4898fa6f931b5e8de15f
Instruction ID: 0c871529db8d70f4add6c9bc0937e18e576fc619ae16495c25d730f701c57d6d
Opcode Fuzzy Hash: 91cd2edb4dfc0451398fb967d99a8853095d687fc6ac4898fa6f931b5e8de15f
Instruction Fuzzy Hash: 4211BC72400600AFEB618F55DC84FAAFBA8EF45720F1484ABEE499B251D674A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA5F8, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 02CFA65D

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: bf2c09b003eb2f597600a72095c70f7524c6b0b172a7a34a22da96e199d5f1ba
Instruction ID: 610e0e89fb5faeca2baf055441f4224e667e99208a9c5f2e7e6e81ee24d732aa
Opcode Fuzzy Hash: bf2c09b003eb2f597600a72095c70f7524c6b0b172a7a34a22da96e199d5f1ba
Instruction Fuzzy Hash: BC11B2B2504780AFDB628F15DC45F62FFF8EF46614F08809EED898B252D275E908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA3E3, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 02CFA448

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: eea996ddf7827ef8c8a251c80f51f6f7c6afde7c4b1463245cb568a83e932070
Instruction ID: 73cfd76283f7a97d5d2ffeb906c3d564969e84f1cb66bb8b3999c9bfb851d9bb
Opcode Fuzzy Hash: eea996ddf7827ef8c8a251c80f51f6f7c6afde7c4b1463245cb568a83e932070
Instruction Fuzzy Hash: DD11BEB14093C05FD7128B219C44751BFB4DF43210F0980CADD858F263D2696909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA61A, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetFileVersionInfoW.KERNELBASE(?,?,?,?), ref: 02CFA65D

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileInfoVersion
String ID:
API String ID: 2427832333-0
Opcode ID: 843b8ab0ceca02f2bdc920fc1054f69f21dbf78ace1957e9335313a6e65abadd
Instruction ID: c2010dbfde2218905a165aca204073fd4285997705c81cce2a5acb9e935ffffb
Opcode Fuzzy Hash: 843b8ab0ceca02f2bdc920fc1054f69f21dbf78ace1957e9335313a6e65abadd
Instruction Fuzzy Hash: 5E019E71500600DFDBA08F2AD885B56FFE4EF08720F08C0AADE4A8B752D275E408DF62

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA56A, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 02CFA5A7

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: FileInfoSizeVersion
String ID:
API String ID: 1661704012-0
Opcode ID: 50a69305e5fb197038524e695c8d96f9340516b8da8e6445d9ac7d21b35f538e
Instruction ID: bc1fb97742340afb3aa3eecc1fc61296c5e6dfb284fd09b449925129cfbcb79d
Opcode Fuzzy Hash: 50a69305e5fb197038524e695c8d96f9340516b8da8e6445d9ac7d21b35f538e
Instruction Fuzzy Hash: 140171715046449FDB90CF25D885B56FFE4EF44720F18C4AADE498F306E675E504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA9A6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VerLanguageNameW.KERNELBASE(?,00000E2C,?,?), ref: 02CFA9F6

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: LanguageName
String ID:
API String ID: 2060303382-0
Opcode ID: ee641a36465596fa2598a93fd44606a59648b883c230c565b45b3f1abc562557
Instruction ID: 66da1318a382b6f1ace0d4d19c22f9383d5de61686ab1fb56a194a7edf9d004f
Opcode Fuzzy Hash: ee641a36465596fa2598a93fd44606a59648b883c230c565b45b3f1abc562557
Instruction Fuzzy Hash: 62016276500600ABD210DF16DC86F26FBA8FB88B20F14816AED085B741E375F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA416, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 02CFA448

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e896dddea33dd5eded55424b631ab64650d163a09bf235ec51094e63367c13c1
Instruction ID: c2c77d67d9c0bfbd85c8df531d942398ddd7042aa519865e115b4d12f7d13d9a
Opcode Fuzzy Hash: e896dddea33dd5eded55424b631ab64650d163a09bf235ec51094e63367c13c1
Instruction Fuzzy Hash: 55F0AF74400644DFDBA0CF16D889762FFA4EF44720F18D0AADE494B312D2B9A548CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CFA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 02CFA269

Memory Dump Source

Source File: 00000012.00000002.484814426.0000000002CFA000.00000040.00000001.sdmp, Offset: 02CFA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 6fc02284bf3c23a9c4234f498136ed598e06b2bd11a9b1c529511a8f14534368
Instruction ID: 44da18be9e415772eb1ec2a77db0ff165176e759b18d0436b4f433f1499416f8
Opcode Fuzzy Hash: 6fc02284bf3c23a9c4234f498136ed598e06b2bd11a9b1c529511a8f14534368
Instruction Fuzzy Hash: CAF0A4309046449FD7908F15D884751FF90EF44720F18C0AADE0D4F312D2B9A544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E71B01, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02E71B58

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 587eb2a89b7bb9319898ab730888006a5b5776c7b4ba7c30eda72bec9ef8fad8
Instruction ID: a264c0c9bf312ce1e282fe727f812ee50675bf970d5d2f43a2db1bc5e125afc4
Opcode Fuzzy Hash: 587eb2a89b7bb9319898ab730888006a5b5776c7b4ba7c30eda72bec9ef8fad8
Instruction Fuzzy Hash: 4771F130B403008FC7288BB9D494BAA7BA1EF85314F15D5AAE55ACF291CB75EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E7014F, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02E701A7

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 4461be96dafb168620f75a822bae3d9c1634b5e52e9ee7260034bb12b3a95d38
Instruction ID: 1710351f95a441abe63382213e8a08bb4da3953a4fa1077395d30db6e2e01794
Opcode Fuzzy Hash: 4461be96dafb168620f75a822bae3d9c1634b5e52e9ee7260034bb12b3a95d38
Instruction Fuzzy Hash: BA215372E00108AFDB45DFA6EC949EEBBB6EF8C310F14816AE506E3264DA305D11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E70069, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

-]#p^, xrefs: 02E700F1, 02E700F6

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID: -]#p^
API String ID: 0-3597276720
Opcode ID: af3622c936bf5b07db06c22bfd303d6a0df415fb6fc68374c04b405228a2fa97
Instruction ID: c3f3322582b3f9497da62c9d026e654e593f85aba7c90f64e73859f80f78a388
Opcode Fuzzy Hash: af3622c936bf5b07db06c22bfd303d6a0df415fb6fc68374c04b405228a2fa97
Instruction Fuzzy Hash: 5821AF70A002459FCB44EB38D894BAA3FA2EF85304F558869D4468F3A5EF749C46CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02E71540, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dae058377ca7879ea8e39f0f113f8339496843c010df4182365a111eb5f63a3
Instruction ID: 7805793033d5690bfd779735e76a15c997b6aeae3a7fb2358cb0f7c594d8f0bc
Opcode Fuzzy Hash: 0dae058377ca7879ea8e39f0f113f8339496843c010df4182365a111eb5f63a3
Instruction Fuzzy Hash: 5D518E34B402418FDB049B78D4587AD7BA7EF89311F1584AAD90ACB3A8DF749D12CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E70521, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdab922f7200c020dae6850826924b6e32eb7b4ed03349ef03a656018b108d3
Instruction ID: c14799e9abdc0d731f0c4bf4ede7128bd74a55ea3cb63757f08bf3cff309d614
Opcode Fuzzy Hash: bfdab922f7200c020dae6850826924b6e32eb7b4ed03349ef03a656018b108d3
Instruction Fuzzy Hash: 0B1129703002108FC7A9BB7DD16467E3AD7AFC6304B2444BAE50ACF7E5DE299C419B86

Uniqueness

Uniqueness Score: -1.00%

Function 02E70529, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9d0589af2e54fab574de93f8a8b2ebf9c1cdd93e04fc3b85215d6881fc7708
Instruction ID: 6e406872a37854fa978da0911aa642c954d9b3ac8fb1e2773735b957dae8a67d
Opcode Fuzzy Hash: 1e9d0589af2e54fab574de93f8a8b2ebf9c1cdd93e04fc3b85215d6881fc7708
Instruction Fuzzy Hash: 0E113A703002108FC7A9AB3DD16467E3AD7AFC5314B240579D50BCF7E5DE299C429B86

Uniqueness

Uniqueness Score: -1.00%

Function 02E70530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863741bc57be466462d07be21bacce6eb7f24c5f41cdfabb3de3a144312b310a
Instruction ID: 8f9fdece1e6779131d0e299a121384bd1cd56a591bbb243066589bfd8fa8ae18
Opcode Fuzzy Hash: 863741bc57be466462d07be21bacce6eb7f24c5f41cdfabb3de3a144312b310a
Instruction Fuzzy Hash: 2D1104703002108BC7A9AB7DD06862E3AD7AFC5309B24407AE50ACF7A5DE299C419B86

Uniqueness

Uniqueness Score: -1.00%

Function 02E71462, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2fba7581eceab8fd593105788bf14c42763f9e311b161ee177b728462790d7
Instruction ID: 11d42287137f8978de7b680979567c60cac2dfcc31c6d1ca8707157ac743f740
Opcode Fuzzy Hash: bd2fba7581eceab8fd593105788bf14c42763f9e311b161ee177b728462790d7
Instruction Fuzzy Hash: CB118E307402408FDB199A69F89876E77ABEBC4614F14452ED806CB3D4DF758C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E71570, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ccec5b8467e8708644bd7eeef186ba200bab76de90df977839cd7c2ff1d70c
Instruction ID: 3e50d8140cc321cf41def03194d3a3fc1f18ef7783ca69b1b31b6b4e11996737
Opcode Fuzzy Hash: d7ccec5b8467e8708644bd7eeef186ba200bab76de90df977839cd7c2ff1d70c
Instruction Fuzzy Hash: 4C01F535B403008BC724AA39E8487AA73EAEFC4351F148475ED0BCB284EB349C10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02E71D88, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d532b1f5b3184bf9280395cbcdc1cf1f23ca82b6535f6181374753589e147b
Instruction ID: 2b2ffa172cfd09f4fd1ee2eb250acaeb27f22cfa8b0e8bf8a308fdb623f53661
Opcode Fuzzy Hash: 27d532b1f5b3184bf9280395cbcdc1cf1f23ca82b6535f6181374753589e147b
Instruction Fuzzy Hash: FD017B31B453425BD7053375A828B6F7FABAFC3211B1984A7E549CB3E5CE208C059BB2

Uniqueness

Uniqueness Score: -1.00%

Function 02E71770, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d66ff4d3dd14a75c1cc2fad2ca05810e371f3883a2c6cbef121944eddb7335
Instruction ID: c4d996a823323ac5effde201c30fac9167f1d814eb569848611c352719228edb
Opcode Fuzzy Hash: 18d66ff4d3dd14a75c1cc2fad2ca05810e371f3883a2c6cbef121944eddb7335
Instruction Fuzzy Hash: FA01F931B001508FC744977CE498AAD3FE6EFCA315B1441A6D50ECB365DD358C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DB05CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485098189.0000000002DB0000.00000040.00000040.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3970b3e96fd33fa99b27a68775b4ebdbe4f0da62019af24258be8c3f5f8fa16d
Instruction ID: 2c057d4a21b42045ca7aab2624455a05ffbbd455d75f4d73819a92b2a8a4aea3
Opcode Fuzzy Hash: 3970b3e96fd33fa99b27a68775b4ebdbe4f0da62019af24258be8c3f5f8fa16d
Instruction Fuzzy Hash: 5D01D6B65097806FD7128F16AC44862FFA8DE86630709C4AFED498B652D129A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02E71D77, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4919740ad326f5d1c5c2ec1c671a40c838950f06d06d308ad2101711fb3517df
Instruction ID: 75708e9d605bddc0a2aeba76c71d235b782c7f416dc1cb833d5676fda4676e6d
Opcode Fuzzy Hash: 4919740ad326f5d1c5c2ec1c671a40c838950f06d06d308ad2101711fb3517df
Instruction Fuzzy Hash: E9017B20A493811FC30623745464B1F3FA65FC3200F5984E6D985CB3E2DD208C05CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 02E70630, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14031e5f319d3df6e1f099c5d25a25e06c33b99a027e0d048563dac60a414f6f
Instruction ID: 53e9a211193ea57005f8d1d9844a573d2be4b8ddb9f5e8b5c56453bca60db9f0
Opcode Fuzzy Hash: 14031e5f319d3df6e1f099c5d25a25e06c33b99a027e0d048563dac60a414f6f
Instruction Fuzzy Hash: F601F431B041908FC785977DB4A86AC3FA3AFCA22175940E9D946C7369DE604C038B87

Uniqueness

Uniqueness Score: -1.00%

Function 02E71D81, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d642b8a7779e3d7789ab36b9b821421cc1de00d52f99d3dd7fd1a84afd1db22d
Instruction ID: c465c6019ae14f7f6780f08e7cfef0789bc59ad3d4aa97948e51bcc7afeabe42
Opcode Fuzzy Hash: d642b8a7779e3d7789ab36b9b821421cc1de00d52f99d3dd7fd1a84afd1db22d
Instruction Fuzzy Hash: 6AF02D20A453825BD70523719428F5F3FA65FC3100B1584A6D955CB3F6DD248C46DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E717F2, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599fe41fbec742bfd0d1266993e7257f7d5eb09e5926525c682e9100f62bbee7
Instruction ID: 41264118f2ffacae78dc284b536ca7578c45bdf6473f7fddae54cfbeff8c328d
Opcode Fuzzy Hash: 599fe41fbec742bfd0d1266993e7257f7d5eb09e5926525c682e9100f62bbee7
Instruction Fuzzy Hash: ECF0A431B001516BC754E73D905447D37E7AFC56603150665D506DB3D4EE6ACC02CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02E717F9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85ef8164141356f0ba3ce7cf3f2e7a8532d899d04b7616a093de115b48c2511
Instruction ID: c55a542c2f1ee51565d2f4c2eea74353601ec863cae7eae537af126b5337c774
Opcode Fuzzy Hash: e85ef8164141356f0ba3ce7cf3f2e7a8532d899d04b7616a093de115b48c2511
Instruction Fuzzy Hash: 3DF0F031700255ABCB44E73EE02897E37DBABC9A607150568D90ACB3C4EE29DC02CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02E718E9, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011c24bd2b7cc54a0572a661882f66e72ccb434816b149abb8635dcf9532bd7d
Instruction ID: d660ceb0c87c452da83aee6f88cc675821e44e30868aa9da9472efb270647cc3
Opcode Fuzzy Hash: 011c24bd2b7cc54a0572a661882f66e72ccb434816b149abb8635dcf9532bd7d
Instruction Fuzzy Hash: 49F0A7317001449BC714DF2DF88899E7F9AEBC9211791447AE90AC7355DE759C11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E70640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b90fe394fb413c66b6e32bfbfe1bb37098766c2c1addd81a2be1a9cc706d69
Instruction ID: 30dc580e10eac77da560ebdd20eb85e5bf28ed94d8f22c6f98f97b10a411da7c
Opcode Fuzzy Hash: 74b90fe394fb413c66b6e32bfbfe1bb37098766c2c1addd81a2be1a9cc706d69
Instruction Fuzzy Hash: 95E06D35B001109B8788AB7AA45C66E3BD7EFCC6213994079EA0BC3368DE204C029B97

Uniqueness

Uniqueness Score: -1.00%

Function 02DB05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485098189.0000000002DB0000.00000040.00000040.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96edc1682e47421ded7d8d3e73f8e248ef89ccbfb48753da6f6d963f5c1f06fe
Instruction ID: 044e375ea194e1b5b3d0a7fbb665335b87e52d54ed22fd77fb11fb3d8b121b1f
Opcode Fuzzy Hash: 96edc1682e47421ded7d8d3e73f8e248ef89ccbfb48753da6f6d963f5c1f06fe
Instruction Fuzzy Hash: 5EE06DB6600A008B9650CF0AEC45452F798EB88630B18C07FDC0D8B700E139B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E718F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c761d3decb4c178bd93dfe621a274fddcd8152df001c1ff781191fdb3553c096
Instruction ID: 2c2bc5219dc3d791b76586b047121a307329501b2d4224a6b1e6e8fe4657d460
Opcode Fuzzy Hash: c761d3decb4c178bd93dfe621a274fddcd8152df001c1ff781191fdb3553c096
Instruction Fuzzy Hash: BFE09232700104DBC714EF2EF88888E7B9AFBC8221350883AE90AC7318DF719C118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E706C8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fb68c6ecab7ec68a8f08ebb06688363bf5e2718e7ab4a9611eb0732e6535c6
Instruction ID: da27f12431168bd7f455b88ce1d2045432934b935c33f3e7a1c62508e98e4802
Opcode Fuzzy Hash: 74fb68c6ecab7ec68a8f08ebb06688363bf5e2718e7ab4a9611eb0732e6535c6
Instruction Fuzzy Hash: 12E026B2244340ABD3008720FC00BA97BACEB86610F304559B855C60D9EB7048145661

Uniqueness

Uniqueness Score: -1.00%

Function 02E70698, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49f2142dd6de7232bb13bdb19fb0052d7c1e56de1f6caab83dc4aa8854cac7c
Instruction ID: 31f5a1eae50a97dc23700b926a03d02c4574ee7b135371dc3d9e3b42a55c32ab
Opcode Fuzzy Hash: c49f2142dd6de7232bb13bdb19fb0052d7c1e56de1f6caab83dc4aa8854cac7c
Instruction Fuzzy Hash: 5CE086313482808FC3426B79F86859C7F51EB8623172508FBD586CB69ACF610C52D752

Uniqueness

Uniqueness Score: -1.00%

Function 02E719A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9165ff0139b2be95140a086389b7fb9aa4881b16db1c2ebb460d6cc1480dfcfe
Instruction ID: 0d75b586a67e65af39e24d946b82afca26cc2909bc3d398ac9ae15833adbbed1
Opcode Fuzzy Hash: 9165ff0139b2be95140a086389b7fb9aa4881b16db1c2ebb460d6cc1480dfcfe
Instruction Fuzzy Hash: DEE0EC313002109BC65866AEA414A5A779EDBCA325B14407BA509CB391CDB5AC4597A5

Uniqueness

Uniqueness Score: -1.00%

Function 02E70601, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fb72d99b99542ff64f1455330094c5c20f0f32b51619b0d722b55e97422a08
Instruction ID: f0db47f69a3a6aa79a75a1c378515845a9d9f095fad5473c7d732c5c89f3b384
Opcode Fuzzy Hash: e8fb72d99b99542ff64f1455330094c5c20f0f32b51619b0d722b55e97422a08
Instruction Fuzzy Hash: 42E07D339401A0CAD700D71DF18C3DDBB14D780279B812EA2D1540E0D9E7A00CCA4FC0

Uniqueness

Uniqueness Score: -1.00%

Function 02E70251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb83a3e5aca19958a35c45bb5c32dcead2af03e746b6800bddaba4c77c059592
Instruction ID: f95082baa10ed21ae1c8cf51f13a59111076e5b8f4b3af004c7400eb88348678
Opcode Fuzzy Hash: bb83a3e5aca19958a35c45bb5c32dcead2af03e746b6800bddaba4c77c059592
Instruction Fuzzy Hash: A0D01276B44010CFDF0097BDF8041ECBBA1EFC4225B20507BE60ADB651E9318D19C701

Uniqueness

Uniqueness Score: -1.00%

Function 02CF23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.484793307.0000000002CF2000.00000040.00000001.sdmp, Offset: 02CF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064a4442a86dc4727707ca0c21f9d4ae7625182dc64bed1f3eec646fc777a1ea
Instruction ID: f35eb88ca0e4d7bf8bf400f6e6e6dc7efccfb3d36c6b65814ef9de5fa302ce3b
Opcode Fuzzy Hash: 064a4442a86dc4727707ca0c21f9d4ae7625182dc64bed1f3eec646fc777a1ea
Instruction Fuzzy Hash: EAD05E79215A818FD3678A1CC1A8B953F94AB91B08F4744FEEC008B663C3A8DA81E211

Uniqueness

Uniqueness Score: -1.00%

Function 02E718B8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3899ea543ff6ccd1dae151d2fd6ef4246f70b825285e53af2b663ea62a9c33
Instruction ID: 8574ea5880a36870bd783f7faa76444290b37701e1d3230bab5e5ea64f0e1876
Opcode Fuzzy Hash: 2c3899ea543ff6ccd1dae151d2fd6ef4246f70b825285e53af2b663ea62a9c33
Instruction Fuzzy Hash: E8D012F4808241AFC7019F24D989569BBA4EF90510F448B5C9499422D5E5759415C763

Uniqueness

Uniqueness Score: -1.00%

Function 02CF23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.484793307.0000000002CF2000.00000040.00000001.sdmp, Offset: 02CF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a469df7dca88e28a0d27701d69acbd8b49d85c01a96cf68175d0cdf3cba51f12
Instruction ID: 734641721bb8d5b8678ea8b1efba8f49c7928794ab51cbce359590a100ce75ec
Opcode Fuzzy Hash: a469df7dca88e28a0d27701d69acbd8b49d85c01a96cf68175d0cdf3cba51f12
Instruction Fuzzy Hash: ACD05E742006818BC755DB0CC594F5937D8AB81B04F0644E8AD008B662C3A4D985C600

Uniqueness

Uniqueness Score: -1.00%

Function 02E70130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e43008096789393537b836b7d7522935126466e80ec5cf90553fbffa4d2bdb2
Instruction ID: a2ded8fcd5a9517956af3f485226978f64c463c2cb94e2d8f3baa9ca1d1476ce
Opcode Fuzzy Hash: 8e43008096789393537b836b7d7522935126466e80ec5cf90553fbffa4d2bdb2
Instruction Fuzzy Hash: 71C02B307C060807DF005AF8F8C4327338C87C021CF000871B40DC7240FD29DC914250

Uniqueness

Uniqueness Score: -1.00%

Function 02E718C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.485176491.0000000002E70000.00000040.00000001.sdmp, Offset: 02E70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db5e107b3ca9c327f06ca87304976a386c522085469eb84010a029ef5428b8d
Instruction ID: 6062c36c4330bea7bf7d8f6eecb5ef1254a7550403505eb8a9a37d8e534c6292
Opcode Fuzzy Hash: 3db5e107b3ca9c327f06ca87304976a386c522085469eb84010a029ef5428b8d
Instruction Fuzzy Hash: 41C012B0814201EFC740EF28ED4996A7BF0FAC0605F84CD2CE889C2114F230591CCB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: hmltog.exe PID: 3728 Parent PID: 3440 hmltog.exeCOMMON

Executed Functions

Function 05211B10, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05211B58

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 9d14d09c927d115170b1e49d31771194eac2407c9c76686cabbf8618cac4f2ae
Instruction ID: 0764704fcba327bfeeb886c7f0aa4fdc70b6c665b5595eec3d7e309e5d9663b8
Opcode Fuzzy Hash: 9d14d09c927d115170b1e49d31771194eac2407c9c76686cabbf8618cac4f2ae
Instruction Fuzzy Hash: 8971BE317112119FD328CF64D554B2B7BE2FFA4311F01C46AEA1A8B690DB75EC94CB89

Uniqueness

Uniqueness Score: -1.00%

Function 05210698, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

</kr, xrefs: 05210924

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID: </kr
API String ID: 0-2427075492
Opcode ID: e603f8f61d13086238b8aca4c1e378635a81bbaf2b0b1f28dee83246f51a3a6a
Instruction ID: 49173c0fbd1e5ad345a3136b0bc8c7fd669ff50e0932990b5094f5ae3a5ca0ae
Opcode Fuzzy Hash: e603f8f61d13086238b8aca4c1e378635a81bbaf2b0b1f28dee83246f51a3a6a
Instruction Fuzzy Hash: 7051E031B14241DFDB14DB68C898B6F7BE2EF98700F208469E956DB280EB349C81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0521014F, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 052101A7

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 7898a533665f7c2ae264c6b16402fe5c11399541a961eb35750d226302f33b0d
Instruction ID: 419ccdc506938ab38c35df63bbb88618be1bb9bb4a2a4e27b71a471f40ce6b5b
Opcode Fuzzy Hash: 7898a533665f7c2ae264c6b16402fe5c11399541a961eb35750d226302f33b0d
Instruction Fuzzy Hash: 01214176E10208EFDB19DFA6E8849DEBBFAFF88350F04413AE515F3214DA3059418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05210160, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 052101A7

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 06629eac0ed510e935444a29860a0199c9e2e6ce5ed7054842a2a46b0c5d2051
Instruction ID: eda737802f0235cfea27c42797d591f9a988565ed802b931babc7705d332fbf9
Opcode Fuzzy Hash: 06629eac0ed510e935444a29860a0199c9e2e6ce5ed7054842a2a46b0c5d2051
Instruction Fuzzy Hash: 19211276E11208EFDB19DFA6E8449DEBBFAFF88350F148136E515F3214DA3059418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05211540, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585e2efed87d125d56cf2f7b655c7e1757396271e270dd0d07c2d6767f74c4c2
Instruction ID: bd9b63213a0ecd8d91cfbe7b351b332353cee5498271192bfa6fe5ff399c056a
Opcode Fuzzy Hash: 585e2efed87d125d56cf2f7b655c7e1757396271e270dd0d07c2d6767f74c4c2
Instruction Fuzzy Hash: D7518A34720202CFDB189B38D44876E7BE7AF88341F15817A992AD7398EF749C85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05210007, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615fc8029ca75562ca633f1e3c662cfb3be766a36cadcd7a4d3487b1d28f8928
Instruction ID: 884edcfc41ced718cee51ce179f7f3b6bb795235ff5ac925e8ea145d092443e7
Opcode Fuzzy Hash: 615fc8029ca75562ca633f1e3c662cfb3be766a36cadcd7a4d3487b1d28f8928
Instruction Fuzzy Hash: 6031B171A183818FD3059B34D8957663FF1FF96304F1988AAD481CF2A2EB789C45C752

Uniqueness

Uniqueness Score: -1.00%

Function 05211B70, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67818fcc0650cba49b42b743fe8a2069c78faecda3b28bd54dafdd1819c6423
Instruction ID: 03f6487b1c6f81a79a394f9a3c59263cbe456c0d69eb14f84b4dd110fa900230
Opcode Fuzzy Hash: a67818fcc0650cba49b42b743fe8a2069c78faecda3b28bd54dafdd1819c6423
Instruction Fuzzy Hash: D621CC35A11316DFD324CE60DA14B3777E2FFA0311F00C16ADA1A9B690DB79AC94CB89

Uniqueness

Uniqueness Score: -1.00%

Function 05211453, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be00e2484cae8c46d0b8745df4f4bd998f4924f8a47311f47f2a0072a4cdf65
Instruction ID: c892dac406887084089b5cbf32c8d2e848720b60c8da89ad89782df075b3d45e
Opcode Fuzzy Hash: 0be00e2484cae8c46d0b8745df4f4bd998f4924f8a47311f47f2a0072a4cdf65
Instruction Fuzzy Hash: 5721CD303153419FD71A5A68A82472E7BEBFF85644F04407ED90ACB386DB78CC46C765

Uniqueness

Uniqueness Score: -1.00%

Function 05210521, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e403c0ee0903d714ade30bd23ec2a278572a1e5df382c424180bdfda155405
Instruction ID: c4c680383d0c792ac6d4d3c01bff41e3f53c22d79a7cc4829e0f1b1ea891028b
Opcode Fuzzy Hash: d6e403c0ee0903d714ade30bd23ec2a278572a1e5df382c424180bdfda155405
Instruction Fuzzy Hash: 851129303002508BC7596B7DE16863E3AE7EFC6305F240479E44BCB7A6DE299C829785

Uniqueness

Uniqueness Score: -1.00%

Function 05210530, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4b86459e7ba10e54b6cf8a79b28f2ab94024c9d058b25f0779066f754cd617
Instruction ID: 5b7881311e8b33b8e46b5532deffc410cccb97abb68e3235ca88e3c1c04af34a
Opcode Fuzzy Hash: 4f4b86459e7ba10e54b6cf8a79b28f2ab94024c9d058b25f0779066f754cd617
Instruction Fuzzy Hash: 0D1119303002108BC759AB7DD068A3E3AE7EFD5705B24007AE40BCF7A5DE29DC818786

Uniqueness

Uniqueness Score: -1.00%

Function 05211468, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d368c34e6493fc358439dd29e3015229a927bb29afa2abd263d7fa6f6f8efad3
Instruction ID: aa51f9752e3ea2b92777bd2c4da16f12e508197fd88954557ab85c78ba20861a
Opcode Fuzzy Hash: d368c34e6493fc358439dd29e3015229a927bb29afa2abd263d7fa6f6f8efad3
Instruction Fuzzy Hash: 54118B30310341DBDB299A68E85872E7AEBEBC4645F14403ED916C7384DE74CC42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05211570, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7516f6dbb99da6b505165aee50b17821cdb38264d862a2b25c8f803b0f87f0a
Instruction ID: 0af97bfbd3048b602f21792717f851cf1f542e0acfb4010f08f4891639b308ee
Opcode Fuzzy Hash: c7516f6dbb99da6b505165aee50b17821cdb38264d862a2b25c8f803b0f87f0a
Instruction Fuzzy Hash: C701D235B202019BC724AB25E8497AB77EAAFD4350F144079DE16C7644EB749C50C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 05211D88, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b177c9a8ac873e647be86590bf85e15d40cebff44d52398bd7844a4a1e4c46
Instruction ID: 180239526000039a1ee4b7792cc2e07499d47d9bd7088f10c0274dd9c3df8572
Opcode Fuzzy Hash: 11b177c9a8ac873e647be86590bf85e15d40cebff44d52398bd7844a4a1e4c46
Instruction Fuzzy Hash: D10147317053429FD3192775A42476F7BE7EFD1210F1480A6E565C7341CE348C51C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 02B605CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.504992542.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a29695bd1a57eae9fd4aace5e0e0e83bc0ea1fcb23829ccbb164f25b47950d9
Instruction ID: 3d22c2f7bf5a4ea658c2a54bbf5bfd38ebd504cfcdcb7e11c498ead3f9e1f613
Opcode Fuzzy Hash: 7a29695bd1a57eae9fd4aace5e0e0e83bc0ea1fcb23829ccbb164f25b47950d9
Instruction Fuzzy Hash: 6D0186B65097805FD7128F16EC40862FFF8EE86620749C1DFED898B612D275A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05210630, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6868afff7ceb23ca26fcda02f53d15141f138f4c0b9dcd647e745412d31461
Instruction ID: 64cd5724b772815932d4532b9714986909c76f43d2118df6790dddf9990659b2
Opcode Fuzzy Hash: bd6868afff7ceb23ca26fcda02f53d15141f138f4c0b9dcd647e745412d31461
Instruction Fuzzy Hash: 1F01DC32314240CBC34DAB7AE41866D3BE3EFC9A607294079EA16C7398DF604C828B56

Uniqueness

Uniqueness Score: -1.00%

Function 05211D77, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c2b2681b0f90d0676977525d685db1244bdc7d4285f29cd602b8014b125fe8
Instruction ID: c16d026708fe34396e4dae6c64ce76d8cb0de970774951c2a8500717f5a425ba
Opcode Fuzzy Hash: c0c2b2681b0f90d0676977525d685db1244bdc7d4285f29cd602b8014b125fe8
Instruction Fuzzy Hash: 21014E30609382DFD31A1774982475B7FF7AFD3100F1840AAD8A5C7382CE358841C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 05211770, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b80c448edd760c008dc4cd5f77db3dc01d37ee09b6d0914ac1a3e89fa78d7c5
Instruction ID: 38abb4b1084c6acd0857cafd4eac1182131fda1b07777da78ce39f5d21122264
Opcode Fuzzy Hash: 6b80c448edd760c008dc4cd5f77db3dc01d37ee09b6d0914ac1a3e89fa78d7c5
Instruction Fuzzy Hash: FFF0F6317001108FC748AB7CD418A6E3BEAEF89711B1441B9E90ACB365EE35CC85C791

Uniqueness

Uniqueness Score: -1.00%

Function 052117F2, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913e94efb4b3e21d8521d0376e763f9ad997e95b9c4a97248c39b4ef62e193ed
Instruction ID: 0bbc48f37fefb771873b68f808e6325de84e010cd28c1adefbeffafdcdab7fb0
Opcode Fuzzy Hash: 913e94efb4b3e21d8521d0376e763f9ad997e95b9c4a97248c39b4ef62e193ed
Instruction Fuzzy Hash: FFF0AF317001595BC708A779D42056E37E7EFC99107140874D90697380EE3ADD42C7DA

Uniqueness

Uniqueness Score: -1.00%

Function 05211800, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621a2f24bb041b654c90d4ba71ea05898a0e2b783c296a650c4291d78b9a36f9
Instruction ID: 83c540c44a8db5ff35dde1383f00317aca64175933e5a2b057f46a3c9ec6657d
Opcode Fuzzy Hash: 621a2f24bb041b654c90d4ba71ea05898a0e2b783c296a650c4291d78b9a36f9
Instruction Fuzzy Hash: 29F0903070011A5BC608AB39D01086E37DBAFC99503150575D906DB3C0EE3ADD41D7DA

Uniqueness

Uniqueness Score: -1.00%

Function 05211780, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2da7cb10adcef93465a59a880a38edf1d5e22de227d0b5015524c0f5524415
Instruction ID: 1d464f16b9e2f90d1655a5cf4b7174dac17af59250077d1c483a93f658d4a860
Opcode Fuzzy Hash: ab2da7cb10adcef93465a59a880a38edf1d5e22de227d0b5015524c0f5524415
Instruction Fuzzy Hash: CBF05E307001208FC748ABBCD418A6E3AEAEFC8715B1441B9E50ACB3A5DE75DC84C791

Uniqueness

Uniqueness Score: -1.00%

Function 052118EA, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5a641796c7e1f1d4219a43a11b0f145c87e2a24d819f655ffe1748a044885e
Instruction ID: 182eb93f3c22b8767408891e578996241d53cf9aefa1894d3477bd2ca112205f
Opcode Fuzzy Hash: 6b5a641796c7e1f1d4219a43a11b0f145c87e2a24d819f655ffe1748a044885e
Instruction Fuzzy Hash: AFF03032700244DFC758DF28F8849AE7FAAEBC9362751953AE41A87205DE758C45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05210640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b9bba43b61002c5c79f0500aa446238f66d7831df760f39efce2f3ab0a912a
Instruction ID: cfed535172ac222805768cc1f0a20fca498c10c0201a69f280ad30b9daea90a6
Opcode Fuzzy Hash: 59b9bba43b61002c5c79f0500aa446238f66d7831df760f39efce2f3ab0a912a
Instruction Fuzzy Hash: B0E09235700610CB875CAB3EA41C52D3BE7EFC8A613194079EA2BC3348DF304C828BA6

Uniqueness

Uniqueness Score: -1.00%

Function 02B605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.504992542.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025305b1cf9fcdf9aad46a43186a0319372ee6a818f2bb2057ed5788ef2975f2
Instruction ID: 642f8c3c7b8e465612640c7dcb0f614d7a1cf38204e9030a6b833122d8394091
Opcode Fuzzy Hash: 025305b1cf9fcdf9aad46a43186a0319372ee6a818f2bb2057ed5788ef2975f2
Instruction Fuzzy Hash: 4CE09276A046008BD650CF0BFC41462F7D8EB88630B58C17FDC0D8B700E675B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0521198F, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4136e52dec3347491a83af124a8e21855ece1c0fa77f9e319d16884998efd2cc
Instruction ID: 7975b032c8daa9093208ecf02465bca41a9372b73cca6d8e0e47c5831dd3df05
Opcode Fuzzy Hash: 4136e52dec3347491a83af124a8e21855ece1c0fa77f9e319d16884998efd2cc
Instruction Fuzzy Hash: 4CE092323181108BC70956A8A82479B7BAACFCA316F1600ABE009DB790CEB5884587A1

Uniqueness

Uniqueness Score: -1.00%

Function 052118F8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd67c769a3bce0169402306798c9fddd0da8e0cb8b484e2f3603966fded545d
Instruction ID: eee5e31f36c6651f12a8b0e93d8a3ae38f00e6a9e2eed6bd1c6121d41f118006
Opcode Fuzzy Hash: 0cd67c769a3bce0169402306798c9fddd0da8e0cb8b484e2f3603966fded545d
Instruction Fuzzy Hash: 9FE01236301244DBC758EF29F88889E7F9BEBC9261351943AE91AC7309DE759C4587A0

Uniqueness

Uniqueness Score: -1.00%

Function 052119A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bb43779c67477b5d2470b39cb5f7521d1148bba98d586dd1ccf302ddf987b6
Instruction ID: 4f719c3ac2d240179a607faca5e6aa9f543370c5ae375bdb3795cab22b85139e
Opcode Fuzzy Hash: f2bb43779c67477b5d2470b39cb5f7521d1148bba98d586dd1ccf302ddf987b6
Instruction Fuzzy Hash: DEE0C2313002108BC30866ADF010A5F77DECBCA324B10407BF509CB390CEB5AC4147E5

Uniqueness

Uniqueness Score: -1.00%

Function 05210251, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaa5830bfd431c7611b3637d5a658214ab055500a0a3c78b87316cab17a9ea9
Instruction ID: 68da61e7a0fa809fc9e695c83d5a5579301da9c4dcdb130dd1c47cf28a7c1a1d
Opcode Fuzzy Hash: edaa5830bfd431c7611b3637d5a658214ab055500a0a3c78b87316cab17a9ea9
Instruction Fuzzy Hash: 4AD0C93AB10010CFDB0496ADE8081ECBBA2AFC4225B20107AD60ADB651E92189598601

Uniqueness

Uniqueness Score: -1.00%

Function 05210130, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0a7dcc71b9d263d26071ee27c112fd153143f7d3dbf31915c3dce765a4f2ae
Instruction ID: 18c3471ec2e7f20103b12a67d0e6bdb4407bf5c525fb456972bf7fe0a8479916
Opcode Fuzzy Hash: 8f0a7dcc71b9d263d26071ee27c112fd153143f7d3dbf31915c3dce765a4f2ae
Instruction Fuzzy Hash: 76C08C3036460907DB101AF8A888327328CAB80204F000431A81EC7140E929D8804240

Uniqueness

Uniqueness Score: -1.00%

Function 052118C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.505297991.0000000005210000.00000040.00000001.sdmp, Offset: 05210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a10f2b247f50c966c1e8320b98c3b9dcf425ba8bac442085c671154c2b3ac3
Instruction ID: 1a2eccc081b7b0bab4273ce290d8d54241f1dae7866158e99a59f178b8c1c4ba
Opcode Fuzzy Hash: c7a10f2b247f50c966c1e8320b98c3b9dcf425ba8bac442085c671154c2b3ac3
Instruction Fuzzy Hash: 8AC012B0414301EFC744EF28ED4586A7BF0FA80605F84C93CE489C2114F230555CCB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 09142021_PDF.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Threatname: Agenttesla

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Networking:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre